Ebola Threatens to Spread Email Virus


Thought Leadership

Ebola Threatens to Spread Email Virus

Fred Touchette

Currently the World is witnessing the largest Ebola outbreak on record with over a thousand confirmed cases of infection and over six hundred confirmed deaths thus far according to the World Health Organization. This is terrible news for the people of West Africa as they still continue to try to keep the sick cared for and the virus contained. Because the virus has a 21 day incubation period, health care professionals have a longer wait to know whether the spread has ended and the virus has extra time to continue to spread as people who are infected don't develop any symptoms until they've already been sick for 21 days. So every time a new patient is diagnosed, the clock starts over. Containment has been extra difficult as groups, such as one recently in Liberia who believe the outbreak to be a hoax perpetrated by the government, have broken into a containment facility and forcibly removed patients from their quarantine risking further spread of the disease. This is also a rare occurrence that the virus has found its way into the United States due to two doctors who were attempting to help the situation in Africa became infected themselves. They were given experimental treatments and flown back to the US for further treatment and observation. This news immediately caused alarm for some in the US who worried that this would bring Ebola not just closer to them but possibly even to the World stage.

Additionally unfortunate is the fact that malware authors and those of the seedy underbelly of the internet took this as an opportunity. Banking on the fact that the Ebola outbreak is of concern to a large portion of the world, they began delivering phishing and malware laden emails pretending to be information about the virus and its prevention. One such campaign purported to be from the World Health Organization themselves and supposedly contained a document with instructions on how to prevent infection from this deadly virus.

WHOAn archive file is used as the attachment and contains a file named "preventin of ebola.scr", spelling error and all. The Scr or screensaver extension is often hidden from the recipient once it's removed from the archive and instead they see the file name below a variation of a Microsoft Excel spreadsheet icon. Once this malware is executed it begins communication with two known malicious domains as well as a known malicious IP address directly, those being ikeguruobiri.com, xxdrgdurxx.ws and The malware then installs a keylogger on the victim machine and sends information back to the command and control server utilizing http Post's. One such post was in the form of an image file that contained an interesting post parameter - pcname=[redated]=best+recovery&country=&user=[redacted]&log=%22%22%22%22Hey+bro+welcome+to+my+world   %21+i+am+now+%0D%0ALegally+undetectable+Lolz%22%22%22%22%0D%0A

Once the percent version of the hex code is translated over it reads - pcname=[redacted]¬e=best+recovery&country=&user=[redacted]&log=""""Hey+bro+welcome+to+my+world!+i+am+now+Legally+undetectable+Lolz""""

The - """"Hey+bro+welcome+to+my+world!+i+am+now+Legally+undetectable+Lolz"""" being a nice little note from the attacker.


Other campaigns have also used malware to infect computers and are designed to steal account credentials after infection such as this one claiming to be from the World Health Service that gives another simple message that stops short of begging the recipients to open their malicious attachment. This time it comes as an executable file wrapped in a Zip and is entitled "NEWSEBOLA.zip". This PC infection behaves more like a Zeus variant than just a simple keylogger.

WHSSome versions aren't quite as aggressive and rely on the victim to provide their account information instead of infecting the machine and stealing it, people who click the link in this email that contains "...vital information...on the outbreak of the new deadly virus". This phishing attack is an attempt to skim log in information from AOL, Google/Gmail, Hotmail and Yahoo accounts via a web form.

PhishingPhishing Form

There have also been other reports around the web of these Ebola themed attacks appearing to come from CNN which is a very common tactic in times when the bad guys are riding on the wave of international news. Luckily we have all of these variants contained and locked up in quarantine. The world can be a very dangerous place and with people like this waiting on any opportunity they're given to take advantage of anyone they can, the cyberworld can be nearly as dangerous to our identities and bank accounts. Therefore it is very important that everyone does what they can to protect themselves from attacks such as these. Use multi-layered protection such as email spam and virus filtering, web filtering, a local firewall and local anti-virus in addition to network protection for those with multiple hosts.