by Det Caraig (Technical Communications)
The World Health Organization (WHO) raised the H1N1 global pandemic alert level to phase 6 on June 11. More than 70 countries have now reported cases of human infection. Many of the cases reportedly had links to travel or were localized outbreaks. The WHO designation of a phase 6 pandemic alert reflects the fact that there are now ongoing community-level outbreaks in multiple parts of the world. It should be noted, however, that the WHO’s decision to raise the pandemic alert level to phase 6 is a reflection of the spread of the virus and not of the severity of illness caused by the virus.
As with any other tragic and much-publicized event, spammers take advantage of the situation by launching a spate of attacks targeting worried users.
Some of the most recent attacks include those we have already featured in the following blog posts:
- Yet More Swine Flu Attacks
- 32 Vaccines against Influenza A (H1N1) Swine Flu – Or is it ?
- Hackers Spammers & Flu Fears
- Swine Flu Outbreak Hits the Web Through Spam
Probably the most nefarious of these attacks were found to be hosted on the is-the-boss.com domain. Through SEO (Search Engine Optimization) poisoning, searches for reports related to the virus yield links that, when opened, trigger multiple redirections to various sites, which ultimately lead to the download of rogue antivirus software.
The URLs shown in Figure 2 have been detected as follows:
- hxxp://amiasjussa11.{BLOCKED}is-the-boss.com/h1n1-pandemic.html
- hxxp://amiasjussa11.{BLOCKED}is-the-boss.com/h1n1-who.html
- hxxp://amiasjussa11.{BLOCKED}is-the-boss.com/h1n1.html
- hxxp://news04.{BLOCKED}is-the-boss.com/a-h1n1-virus.html
As of this writing, the is-the-boss(dot)com domain is still being used for blackhat SEO campaigns to deliver fake antivirus solutions such as:
- av-scanner.48275.exe detected as TROJ_DLOADR.API
- script.js detected as JS_DLOADR.APO
- a.exe detected as TROJ_DROPPER.NXA, a file downloaded by TROJ_DLOADR.API
The malware TROJ_DLOADR.API and JS_DLOADR.APO attempt to connect to the following URLs, respectively, to download other possibly malicious files:
- hxxp://thenewpic.{BLOCKED}com/item/2a2c{long string}c70a/e4f892d7456/titem.gif
- hxxp://theimagesphoto{BLOCKED}.com/werber/744842b7155/217.gif
- hxxp://super-antiviral-scan{BLOCKED}.com/?id=48275
Fortunately, Trend Micro’s Smart Protection Network already stops this threat from affecting users, as the malicious URLs and files are already blocked and detected, respectively.
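The chain described above (a click-through from a search results page, a run of HTTP redirects, and a final executable download) leaves a recognizable pattern in web proxy logs. The following is an added example for defenders, not code from the original post or from Trend Micro: it correlates per-client proxy events and raises an alert when a search-engine referer leads, within a short window, through 3xx hops to an executable. The log format, the `.invalid` hostnames and the timestamps are constructed for the example; the only values taken from the post are the is-the-boss.com campaign domain and the av-scanner.48275.exe file name.

```python
"""Spot blackhat-SEO redirect chains that end in an executable download.

Added defender-side example (not from the original post). The proxy log
format below is constructed: one event per line, space separated:
    timestamp client status url content-type referer
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Hostnames of search result pages; a referer from one of these marks the
# point where a user clicked a poisoned search result.
SEARCH_ENGINE_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}
# Campaign domain named in the post; subdomains of it are matched as well.
WATCHLIST_DOMAINS = {"is-the-boss.com"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
EXECUTABLE_SUFFIXES = (".exe", ".scr")
WINDOW_SECONDS = 60  # how long after the search click we keep correlating

# Constructed sample log. Hosts ending in .invalid are placeholders; the
# campaign domain and the payload file name come from the post.
SAMPLE_LOG = """\
2009-06-12T10:00:01 10.0.0.5 200 http://news04.is-the-boss.com/a-h1n1-virus.html text/html http://www.google.com/search?q=h1n1+pandemic
2009-06-12T10:00:02 10.0.0.5 302 http://redir-one.invalid/go?x=1 text/html http://news04.is-the-boss.com/a-h1n1-virus.html
2009-06-12T10:00:02 10.0.0.5 302 http://redir-two.invalid/land text/html http://redir-one.invalid/go?x=1
2009-06-12T10:00:03 10.0.0.5 200 http://scan-host.invalid/av-scanner.48275.exe application/x-msdownload http://redir-two.invalid/land
2009-06-12T10:05:00 10.0.0.9 200 http://health-news.invalid/h1n1-update.html text/html http://www.google.com/search?q=who+h1n1
2009-06-12T10:05:04 10.0.0.9 200 http://health-news.invalid/style.css text/css http://health-news.invalid/h1n1-update.html
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, client, status, url, ctype, referer = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "status": int(status), "url": url, "ctype": ctype,
            "referer": referer}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def on_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCHLIST_DOMAINS)


def is_executable(event):
    path = urlparse(event["url"]).path.lower()
    return event["ctype"] in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_SUFFIXES)


def find_seo_chains(log_text):
    """Return one alert per search click that leads to an executable download."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_client[event["client"]].append(event)

    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, entry in enumerate(events):
            # Entry point: the user arrived from a search results page.
            if host_of(entry["referer"]) not in SEARCH_ENGINE_HOSTS:
                continue
            hops = []
            for nxt in events[i + 1:]:
                if (nxt["ts"] - entry["ts"]).total_seconds() > WINDOW_SECONDS:
                    break
                if 300 <= nxt["status"] < 400:
                    hops.append(nxt["url"])          # one redirect hop
                elif is_executable(nxt):
                    # A landing page on the campaign domain raises severity;
                    # an unknown landing page still gets flagged for review.
                    severity = "high" if on_watchlist(host_of(entry["url"])) else "medium"
                    alerts.append({"client": client, "entry_url": entry["url"],
                                   "hops": hops, "payload_url": nxt["url"],
                                   "severity": severity})
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_seo_chains(SAMPLE_LOG):
        print(alert["severity"], alert["client"], alert["entry_url"],
              "->", len(alert["hops"]), "redirects ->", alert["payload_url"])
```

Run against the sample, the script flags the 10.0.0.5 session (search click, two redirect hops, executable download from a page on the watchlisted domain) and ignores the 10.0.0.9 session, which also began at a search engine but fetched only HTML and CSS. In practice the watchlist would be fed from your URL filtering vendor and the window tuned to the proxy's clock resolution.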