Fake Swine Flu alert blended threat attack


Commtouch Labs has run across a brilliant blended threat campaign organized by a body pretending to be the Centers for Disease Control. The attack, originating from Chinese botnets, began on the morning (EST) of 1 December 2009 and is still going strong. By the time of this publication, the attack had been flagged as “massive” by Commtouch Labs.

The email looks like this:

CDC blended threat email

Note the “From” address ends in .gov; spoofing the address in this way makes the message appear to be from a government body. The .gov ending may trick some traditional spam filters as well as tricking the unknowing recipient of such a message. With everyone in a panic about Swine Flu lately, the message is definitely trying to hit a soft spot. Cyber criminals tend to use social engineering methods to distract us from the dangers that lie within the links and files.

The body of the message describes a Vaccination Profile program to lure readers to a site that was laden with malware. A recipient who clicked on “create personal profile” at the bottom of the email was directed to this link:

CDC link

Including cdc.gov in the URL is designed to trick users into thinking that CDC is the domain, but the actual domain name is included AFTER the .gov, as pictured above. We blurred out the actual domain here, but it comes immediately after the .gov in the address.

The questionable link led to a landing page that appeared legitimate at first sight, but after examining the code behind the page, it was determined that the malware distributors added an iFrame of width “0” on the page. The iFrame leads to a php script which pointed to two additional iFrames – one built on the vulnerability of PDF nested viewers, and one built on PHP Javascript code:

Swine Flu iFrame code

The PDF contains this obfuscated Javascript code within the PDF itself:

Swine Flu PDF malware Javascript code

In addition to the fact that Javascript inside a PDF is an interesting method of transport, the code is, as suspected, malicious.

The second file, sNode.php, also contains obfuscated code:

Swine Flu malware sNode script

This file is also malicious.

Unfortunately, online crooks will use any tactic they can think of to bypass spam and virus filters. Commtouch RPD technology is based on massive pattern analysis, and thus blocked this blended threat in most of our partner implementations. But for those who rely on traditional spam filtering, the outcome may not have been so sweet.

If an email slips into your inbox, be sure to check link domains – in their entirety – before clicking. Don’t assume that if you see a .gov in the middle that it’s actually from a legitimate source. If you are unsure about the origins of an email, try to verify the details before you fall victim to the next great malware scheme. And never click on links or download files from unverified sources.

For the REAL Centers of Disease Control and everything you ever wanted to know about Swine Flu, visit the official CDC Swine Flu information page.

Go back