Fake Zbot Site Poses As CDC H1N1 Flu Vaccine Info

The newest victim of the faux-Web-sites-posing-as-government-pages scam is the Centers for Disease Control and Prevention.

In the same vein as fake pages supposedly hosted on the Web servers of the IRS, FDIC, and other organisations, we’re seeing a new scam to infect computers with Trojan-Phisher-Zbot that pretends to be a “Personal H1N1 Vaccination Profile.”

As with the previous scams, dozens of Web servers are involved. The URLs involved in the scheme all begin with “http://online.cdc.gov” (the CDC does not use an “online.” subdomain), followed by a six- to seven-character random domain name and a non-.gov top-level domain; the browser is actually connecting to that random domain, not to cdc.gov.
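A check for the hostname pattern described above, as an added example that is not part of the original post or of Webroot's software: it extracts the registrable domain of each URL so that a hostname beginning with online.cdc.gov but owned by an unrelated domain is flagged as a lookalike. The sample URLs are constructed placeholders, and the two-label registrable-domain rule is a simplifying assumption (a production check would consult the Public Suffix List).

```python
from urllib.parse import urlsplit

# The scam prepends the real agency's hostname to an unrelated registrable
# domain, so the address bar starts with "online.cdc.gov" while the request
# actually goes to the random domain that follows it.
LEGIT_DOMAIN = "cdc.gov"


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Assumption: a single-label public suffix (.com, .net, .gov); a production
    check would use the Public Suffix List instead of this shortcut.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Classify a URL as 'legitimate', 'lookalike' or 'unrelated'.

    'lookalike' means the hostname embeds the legitimate domain's labels
    consecutively but resolves to a different registrable domain, which is
    exactly the pattern of the fake CDC pages.
    """
    host = urlsplit(url).hostname or ""  # hostname is lowercased, port stripped
    if registrable_domain(host) == LEGIT_DOMAIN:
        return "legitimate"
    labels = host.split(".")
    legit_labels = LEGIT_DOMAIN.split(".")
    # Look for "cdc", "gov" appearing as consecutive labels anywhere in the host.
    for i in range(len(labels) - len(legit_labels) + 1):
        if labels[i:i + len(legit_labels)] == legit_labels:
            return "lookalike"
    return "unrelated"


# Constructed sample URLs; the random-domain parts are placeholders, not real indicators.
SAMPLE_URLS = [
    "http://www.cdc.gov/h1n1flu/",
    "http://online.cdc.gov.abcdefg.com/profile/",
    "http://online.cdc.gov.h1n1xyz.net/",
    "http://example.com/cdc.gov/",  # "cdc.gov" only in the path: not a lookalike host
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_url(u):<11} {u}")
```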

The text of the page reads:

Your Personal H1N1 Vaccinating Profile is an electronic document, which contains your name, your contact details and your medical data (what kind of illnesses you have sustained in your childhood or what kind of allergy you have to some certain drug). All instructions you need are included in the archive below

There’s a link labeled “Download Archive (130Kb)” that, when you click it, pulls down the Zbot installer from the malicious server. The file name is vacc_profile.exe. Please don’t execute this file if you happen to download it.


This particularly pernicious program appears to have a perspicacity for FTP passwords. It appears to target several popular Windows FTP and SCP client applications, including SmartFTP, WSFTP, FlashFXP, CoreFTP, FTP Commander, Total Commander, WinSCP, FileZilla, and FAR Manager. If you typically save your FTP credentials in these applications, Zbot will seek them out.

My company’s software has implemented procedures to warn you when you visit one of these sites. Anyone using our software with the File System Shield active will see a warning when following a malicious link. If you get this warning message, close the browser window, perform a full sweep of your computer — and change the passwords to any FTP accounts that have been saved in any of the client apps listed above.

Andrew Brandt researches malware for Webroot Software, and contributes to the Webroot Threat Blog. As a member of the Threat Research team, he and his colleagues help identify malicious software trends and improve the Webroot Antivirus with Antispyware product. Andrew joined the team in 2006. Prior to coming to Webroot, he worked for PC World magazine as a Senior Associate Editor, covering computer security and privacy issues for nearly a decade. In that role, he also wrote the Privacy Watch column. He lives in Boulder, Colorado.
