The World Health Organization (WHO) raised the H1N1 global pandemic alert level to phase 6 on June 11. More than 70 countries have now reported cases of human infection. Many of the cases reportedly had links to travel or were localized outbreaks. The WHO designation of a phase 6 pandemic alert reflects the fact that there are now ongoing community-level outbreaks in multiple parts of the world. It should be noted, however, that the WHO’s decision to raise the pandemic alert level to phase 6 is a reflection of the spread of the virus and not of the severity of illness caused by the virus.
As with any other tragic and much-publicized event, cybercriminals again took advantage of the situation by launching a spate of attacks targeting wary, unknowing users.
Some of the most recent attacks include those we have already featured in the following blog posts:
- Yet More Swine Flu Attacks
- Waledac Turns to Cash and Vaccines
- Swine Flu Spam Attempt to Infect Japanese Users
- Swine Flu Outbreak Hits the Web Through Spam
Probably the most nefarious of these attacks were found to be hosted on the is-the-boss.com domain. Through SEO poisoning, searches for reports related to the virus yield links that, when opened, trigger multiple redirections to various sites, which ultimately lead to the download of rogue antivirus software.
The following URLs were also found to start off similar infection chains:
- hxxp://amiasjussa11.{BLOCKED}is-the-boss.com/h1n1-pandemic.html
- hxxp://amiasjussa11.{BLOCKED}is-the-boss.com/h1n1-who.html
- hxxp://amiasjussa11.{BLOCKED}is-the-boss.com/h1n1.html
- hxxp://news04.{BLOCKED}is-the-boss.com/a-h1n1-virus.html
As of this writing, the is-the-boss(dot)com domain is still being used for blackhat SEO campaigns to deliver fake antivirus solutions such as:
- av-scanner.48275.exe detected as TROJ_DLOADR.API
- script.js detected as JS_DLOADR.APO
- a.exe detected as TROJ_DROPPER.NXA, a file downloaded by TROJ_DLOADR.API
The malware TROJ_DLOADR.API and JS_DLOADR.APO attempt to connect to the following URLs, respectively, to download other possibly malicious files:
- hxxp://thenewpic.{BLOCKED}com/item/2a2c{long string}c70a/e4f892d7456/titem.gif
- hxxp://theimagesphoto{BLOCKED}.com/werber/744842b7155/217.gif
- hxxp://super-antiviral-scan{BLOCKED}.com/?id=48275
Fortunately, Trend Micro’s Smart Protection Network already stops this threat from affecting users, as the malicious URLs and files are already blocked and detected, respectively.
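The chain described above (search result, several redirections, then an executable download) can be looked for in web proxy logs. The following is an added example, not Trend Micro's code: it rebuilds each executable download's referrer chain and flags those that start at a search engine and cross several distinct hosts. The log layout, host names, file names and the `min_hosts` threshold are all assumptions.

```python
from urllib.parse import urlsplit

SEARCH_HOSTS = {"search.example"}      # assumption: your own list of search engine hosts
EXEC_EXT = (".exe", ".scr", ".msi")    # download types worth tracing back

# Constructed proxy records (time, client, url, referrer); every host is a placeholder.
SAMPLE_LOG = [
    ("10:00:01", "10.0.0.5", "http://search.example/results?q=h1n1+pandemic", ""),
    ("10:00:04", "10.0.0.5", "http://news01.landing.example/h1n1.html", "http://search.example/results?q=h1n1+pandemic"),
    ("10:00:05", "10.0.0.5", "http://hop1.example/go?id=7", "http://news01.landing.example/h1n1.html"),
    ("10:00:06", "10.0.0.5", "http://fake-scan.example/?id=7", "http://hop1.example/go?id=7"),
    ("10:00:09", "10.0.0.5", "http://fake-scan.example/setup.exe", "http://fake-scan.example/?id=7"),
    ("10:01:00", "10.0.0.9", "http://search.example/results?q=weather", ""),
    ("10:01:02", "10.0.0.9", "http://vendor.example/tool.exe", "http://search.example/results?q=weather"),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def find_chains(records, min_hosts=3):
    """Return (client, chain) for executable downloads reached from a search
    result through at least min_hosts distinct non-search hosts."""
    referrer_of = {}   # (client, url) -> referrer sent when that url was requested
    findings = []
    for _ts, client, url, ref in records:
        referrer_of[(client, url)] = ref
        if not urlsplit(url).path.lower().endswith(EXEC_EXT):
            continue
        chain, seen, cur = [url], {url}, ref
        while cur and cur not in seen:          # walk back; stop on loops or missing data
            chain.append(cur)
            seen.add(cur)
            cur = referrer_of.get((client, cur), "")
        chain.reverse()                          # oldest request first
        hops = {host(u) for u in chain} - SEARCH_HOSTS
        if host(chain[0]) in SEARCH_HOSTS and len(hops) >= min_hosts:
            findings.append((client, chain))
    return findings

if __name__ == "__main__":
    for client, chain in find_chains(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

A hop that carries no referrer breaks the walk-back, so the check only sees chains the proxy logged end to end.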

October 9th, 2009 at 7:19 pm
Well, I just read that in Cuba 3 people died from H1N1 – and this island is pretty isolated…