Fake Zbot Site Poses as CDC H1N1 Flu Vaccine Info

By Andrew Brandt


The newest victim of the fake-websites-posing-as-government-pages scam is the Centers for Disease Control and Prevention (CDC). In the same vein as fake pages supposedly hosted on the Web servers of the IRS, FDIC, and other organizations, we’re seeing a new scam to infect computers with Trojan-Phisher-Zbot that pretends to be a “Personal H1N1 Vaccination Profile.”

As with the previous scams, dozens of Web servers are involved. The URLs involved in the scheme all begin with “http://online.cdc.gov” — the “online.” subdomain is not used by the CDC — followed by a six- to seven-character random domain name and a non-.gov top-level domain. In other words, “online.cdc.gov” is only a subdomain prefix; the host actually belongs to the random domain that follows it.

The text of the page reads:

Your Personal H1N1 Vaccinating Profile is an electronic document, which contains your name, your contact details and your medical data (what kind of illnesses you have sustained in your childhood or what kind of allergy you have to some certain drug). All instructions you need are included in the archive below

There’s a link labeled “Download Archive (130Kb)” that, when you click it, pulls down the Zbot installer from the malicious server. The file name is vacc_profile.exe. Please don’t execute this file if you happen to download it.
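The URL pattern described above (a “cdc.gov” prefix on a hostname that is really registered under a random domain) and the installer filename are both things a defender can check for in proxy logs. The following is an added example, not code from the original post or from Webroot; it generalizes the check to the IRS and FDIC lookalikes the post mentions, and the log format and the random “qzkwplr.example” domain are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Government domains this scam family impersonates (cdc.gov here; the post
# mentions earlier IRS and FDIC variants). A hostname that contains one of
# them as an inner label run but does not END with it is a lookalike.
SPOOFED_DOMAINS = ("cdc.gov", "irs.gov", "fdic.gov")
KNOWN_INSTALLER = "vacc_profile.exe"  # installer filename named in the post

def lookalike_of(url):
    """Return the impersonated domain when the hostname embeds it as a prefix
    trick (e.g. online.cdc.gov.abcdefg.example); None otherwise."""
    labels = (urlsplit(url).hostname or "").lower().rstrip(".").split(".")
    for domain in SPOOFED_DOMAINS:
        want = domain.split(".")
        n = len(want)
        if labels[-n:] == want:
            continue  # genuinely hosted under the real domain
        if any(labels[i:i + n] == want for i in range(len(labels) - n + 1)):
            return domain
    return None

def scan_proxy_log(lines):
    """Flag lines of a constructed proxy log (timestamp client url status)
    showing either indicator from the post; returns (url, reason) pairs."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[2]
        reasons = []
        domain = lookalike_of(url)
        if domain:
            reasons.append(f"hostname spoofs {domain}")
        if urlsplit(url).path.rsplit("/", 1)[-1].lower() == KNOWN_INSTALLER:
            reasons.append(f"download of {KNOWN_INSTALLER}")
        if reasons:
            hits.append((url, "; ".join(reasons)))
    return hits

SAMPLE_LOG = [  # constructed sample lines; the random seven-character domain is invented
    "2009-12-01T09:12:03 10.0.0.17 http://www.cdc.gov/h1n1flu/ 200",
    "2009-12-01T09:14:41 10.0.0.17 http://online.cdc.gov.qzkwplr.example/profile/ 200",
    "2009-12-01T09:14:58 10.0.0.17 http://online.cdc.gov.qzkwplr.example/vacc_profile.exe 200",
    "2009-12-01T09:20:10 10.0.0.22 http://online.cdc.gov/ 404",
]

if __name__ == "__main__":
    for url, why in scan_proxy_log(SAMPLE_LOG):
        print(url, "->", why)
```

Note that a genuine but nonexistent “online.cdc.gov” host is deliberately not flagged by `lookalike_of`, since it ends with the real domain; only the prefix trick is.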

This particularly pernicious program appears to have a particular appetite for FTP passwords. It appears to target several popular Windows FTP and SCP client applications, including SmartFTP, WSFTP, FlashFXP, CoreFTP, FTP Commander, Total Commander, WinSCP, FileZilla, and FAR Manager. If you typically save your FTP credentials in these applications, Zbot will seek them out.

Webroot has implemented procedures to warn you when you visit one of these sites. Anyone using our software who has their File System Shield active will see a warning if they follow a malicious link. If you get this warning message, close the browser window, perform a full sweep of your computer — and change the passwords to any FTP accounts that have been saved in any of the client apps listed above.