
Zbot exploits swine flu

The Zeus Trojan is piggybacking on the swine flu pandemic, with bogus e-mails claiming to originate from the Centre for Disease Control (CDC).

Symantec Security Response reveals the Zeus Trojan is sending out e-mails with a link to a malicious Web page that looks identical to the official CDC page.

Orla Cox, Symantec operations manager, says becoming infected with the malware can be very costly for the victim. “Zeus, aka Zbot, is a malware kit. This kit is for sale on underground forums and allows you to automatically create, distribute and control the malware. The main purpose of Zbot is to steal online credentials, such as e-mail, FTP and banking passwords.”

Cox adds this isn't the first time swine flu has been used as a social engineering hook. However, she notes this is only the second major attack Symantec has seen using this tactic. The first one was documented in April this year. It has also been used in spam campaigns.

According to Symantec, the subject lines of the e-mails contain messages such as 'instructions on creation of your personal vaccination profile', 'governmental registration programme on the H1N1 vaccination' and 'your personal vaccination profile'.

The domain name used in the malicious e-mail links has the format online.cdc.gov.yhnbad.com.im, in which the genuine-looking cdc.gov appears only as leading labels of a different domain. According to Symantec, the URL leads to an executable file called vac_profile.exe, which Symantec detects as Infostealer.Banker.C.
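A mail filter or link-checking script can catch this hostname pattern by comparing the end of the hostname with the organisation's real domain. The sketch below is an added example, not Symantec's detection logic; the function name, the trusted-domain list and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains the organisation really uses. cdc.gov is the one
# the article names; extend the tuple for other brands you want to protect.
TRUSTED_DOMAINS = ("cdc.gov",)


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Classify a link's hostname as 'trusted', 'lookalike' or 'unrelated'.

    trusted   - the host is a trusted domain or a subdomain of one
    lookalike - a trusted domain appears as labels inside the host, but the
                host actually belongs to some other domain
    unrelated - no trusted domain appears in the host at all
    """
    if "//" not in url:
        url = "//" + url  # let urlsplit parse bare hostnames as well
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")

    # DNS names are read right to left, so only the end of the host matters.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return "trusted"

    # The trusted name sits somewhere to the left of the real domain.
    for domain in trusted:
        want = domain.split(".")
        n = len(want)
        for i in range(len(labels) - n + 1):
            if labels[i:i + n] == want:
                return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; only the first hostname comes from the article.
    samples = [
        "http://online.cdc.gov.yhnbad.com.im/",
        "https://www.cdc.gov/",
        "https://example.org/news",
    ]
    for link in samples:
        print(f"{classify_link(link):9}  {link}")
```

The check works on whole DNS labels, so it does not flag names that merely contain the letters, and it does not cover hyphenated or misspelled imitations of the trusted domain.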

Cox has cautioned users to be aware of this attack. Users should never click on links in e-mails unless they have been expecting the e-mail. If they do click on a link and the e-mail requests them to download a file, they should not accept it. Users should be vigilant and ensure they have the most up-to-date patches and security software installed.

“Even if the e-mail appears to be from a legitimate source, be suspicious,” says Cox. “If unsure, check with the sending organisations. Many organisations will have warning pages on their Web sites advising users of scam or malicious pages.”
