Spammed IRS Tax notices lead to Zbot malware infection
There is a currently ongoing spam campaign which sends an official-looking document, with images from the US Internal Revenue Service. The subject and body refer to a tax return problem. The recipient is told to read the report at IRS.gov, but the link provided goes offshore, to a look-alike scam web page serving malware.
I traced down one of these scams that came in today (Oct 10, 2011) and here are my findings.
The link in the email, falsely claiming to go to a report page at irs.gov, actually led to a website named http://systrmp.com (using standard HTML code that links to one place but shows the user a different destination as the link text). If the intended victim were to hover their mouse or pointer over that link before clicking on it, they would see the true destination in the status bar of their email reader (browser or standalone desktop email client).
The message body is written to cause panic in the recipients, causing some to blindly click on the link, without checking out the destination first. Here are the words used to panic recipients into action:
Notice ID: CEXOSTSZUJ8747
Notice: CP01H
Tax year: 2011
Notice date: Mon, 10 Oct 2011 09:11:50 +0100
Page 1 of 1
Important information about your tax return
We are unable to process your tax return
We received your tax return. However, we are unable to process the return as filed.
Our records indicate that the person identified as the primary taxpayer or spouse on the tax return was deceased prior to the tax year shown on the tax form. Our records are based on information received from the Social Security Administration.
Based on this information, the tax account for this individual has been locked.
What you need to do
Visit review page on irs.gov (<-- Hostile link goes here)
Keep this notice for your records.
Department of Treasury
Internal Revenue Service
Following that link leads to a web page hosted on a compromised (botted) computer, running on a Russian Nginx web server. The responding IP varies every few minutes. The web page looks like an official IRS page and even contains some links to the actual IRS website. Far down the page is a line of large, bold text, with a single link which reads as follows:
What you need to do
Carefully review your tax return (self-extracting archive file)...
The link around the words "your tax return" goes directly to a file named "archive.exe" - which, according to file analysis at VirusTotal.com, is the infamous Zbot, aka the Zeus Trojan. As of the time I published this, only 15 of 43 anti-malware companies detected this threat. Trend Micro was among the first to detect and block it for their users. Trend Micro security programs also remove it and all of its components.
The Zbot/Zeus Trojan is a password-stealing keylogger. It silently hides and waits for you to log into your online bank, or another targeted financial or auction site, then steals your credentials, sending them home to the crime gang behind this scam.
NB: As that fake IRS page is loading, so is a 1x1 pixel iframe whose destination is a server in Russia. It attempts to serve a malware exploit kit while the victim is reading his fake notice. That server has no content at this time, but it may be reloaded later on. Anybody who goes to that website and gets redirected to the Russian exploit server (by the invisibly loading iframe), with a browser that is not 100% patched against third-party plug-in exploits (e.g. Java, Flash, Shockwave, PDF Reader, browser version, ActiveX, etc.), will be in danger of having the payload delivered without their knowledge.
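Both tricks described above (link text naming irs.gov while the href points at systrmp.com, and a 1x1 pixel iframe pulling in an exploit server) can be caught mechanically before a user ever hovers or clicks. The following scanner is an added example, not code from this blog: it walks an HTML email body with Python's standard library and flags anchors whose visible text names a host other than the one in the href, plus iframes that are tiny or CSS-hidden. The sample HTML is constructed to mirror the lure; the iframe host exploit-server.invalid is a placeholder, since the post does not name the Russian server.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the lure above: the anchor text names irs.gov but
# the href goes to the post's scam host; the 1x1 iframe src is a placeholder name.
SAMPLE_EMAIL_HTML = """
<p>Visit <a href="http://systrmp.com/review">review page on irs.gov</a></p>
<p>Keep this notice for your records.</p>
<a href="https://www.irs.gov/">Internal Revenue Service</a>
<iframe src="http://exploit-server.invalid/kit" width="1" height="1"></iframe>
"""
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LureScanner(HTMLParser):
    """Flags anchors whose shown text names a different host than the href, and tiny or hidden iframes."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href") or ""
            self._text = []
        elif tag == "iframe":   # 1x1 or CSS-hidden frames are how drive-by loaders hide
            style = (a.get("style") or "").replace(" ", "").lower()
            if a.get("width") in ("0", "1") or a.get("height") in ("0", "1") \
                    or "display:none" in style or "visibility:hidden" in style:
                self.findings.append(("hidden_iframe", a.get("src") or ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            real_host = (urlparse(self._href).hostname or "").lower()
            for shown in DOMAIN_RE.findall("".join(self._text)):
                shown = shown.lower()   # allow www.irs.gov for a shown irs.gov
                if real_host != shown and not real_host.endswith("." + shown):
                    self.findings.append(("mismatched_link", f"{shown} -> {real_host}"))
            self._href = None

def scan_email_html(html):
    """Return (finding_type, detail) tuples for one HTML email body."""
    scanner = LureScanner()
    scanner.feed(html)
    return scanner.findings
```

Run on the sample it reports the irs.gov -> systrmp.com mismatch and the hidden iframe, while a genuine link whose text reads irs.gov and whose href is on www.irs.gov produces nothing.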
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.