H1N1 vaccination profile malware

The Zeus gang, who brought us the Outlook reconfiguration malware, is at it again.

Today, our spamtraps have started receiving messages with the subject “Create your personal Vaccination profile,” purporting to be from the Center for Disease Control and Prevention.

The message claims that there is a State Vaccination H1N1 program being launched and that each person needs to register a profile for tracking purposes. The link to create the personal vaccination profile has the following format:


People clicking on the personal profile creation link arrive at a CDC-themed site.

All the links in the middle of the page (Your temporary ID, H1N1 vaccination profile, Download Archive) point to a file called [vacc_profile dot exe]. Needless to say, this file is malicious. The other two links at the bottom — the “Contact us” link and the “Department of Health and Human Services” link — redirect to legitimate US government sites. As for the malware, we are detecting it as Mal/EncPk-LE. The spam messages are also detected by our antispam products.

One interesting feature of this site is a short JavaScript snippet that updates the “Page last modified” value to the current day. I guess this is the malware author’s way of tricking the user into believing that the page is new.
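A triage heuristic for the two page traits described above (several links all pointing at one executable, and a “Page last modified” date written by script from the visitor's clock). This is an added example, not code from the original post or from any product's detection logic. The sample HTML, the government URLs in it, the extension list and the finding names are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_EXT = (".exe", ".scr", ".pif")  # assumed list of executable extensions

# Constructed sample modelled on the traits described above; not the real page.
SAMPLE_PAGE = """<html><body>
<a href="vacc_profile.exe">Your temporary ID</a>
<a href="vacc_profile.exe">H1N1 vaccination profile</a>
<a href="vacc_profile.exe">Download Archive</a>
<a href="https://www.cdc.gov/">Contact us</a>
<a href="https://www.hhs.gov/">Department of Health and Human Services</a>
<p>Page last modified: <span id="mod"></span></p>
<script>document.getElementById("mod").innerHTML = new Date().toDateString();</script>
</body></html>"""

class PageTraits(HTMLParser):
    def __init__(self):
        super().__init__()
        self.exe_links, self.text, self.scripts = [], [], []
        self._tag = None  # innermost tag currently open, if any

    def handle_starttag(self, tag, attrs):
        self._tag = tag
        href = dict(attrs).get("href") or ""
        if tag == "a" and urlparse(href).path.lower().endswith(EXEC_EXT):
            self.exe_links.append(href)

    def handle_endtag(self, tag):
        self._tag = None

    def handle_data(self, data):
        (self.scripts if self._tag == "script" else self.text).append(data)

def scan(html):
    """Return heuristic findings (hypothetical names) for one HTML document."""
    page = PageTraits()
    page.feed(html)
    findings = []
    if page.exe_links:
        findings.append("executable-download-link")
    if len(page.exe_links) >= 2 and len(set(page.exe_links)) == 1:
        findings.append("multiple-links-same-executable")
    # Argument-less Date is always "today"; new Date(document.lastModified) is not matched.
    stamped = re.search(r"new\s+Date\s*\(\s*\)", " ".join(page.scripts))
    if stamped and "last modified" in " ".join(page.text).lower():
        findings.append("script-generated-last-modified")
    return findings
```

Calling `scan(SAMPLE_PAGE)` returns all three findings; a page that prints a static date or uses `document.lastModified` and links to no executables returns an empty list.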