Zeus Botnet Being Spread Through Fake IRS Spam Campaign

by Christopher on July 1, 2011

A massive fake IRS spam email campaign is currently delivering the Zeus Trojan horse onto domestic hard drives. Zeus, primarily an engine for financial fraud, has been plaguing the public since 2007. In a spam campaign that’s been going on through the latter half of June, email users are now downloading the malware contained in mock tax-related messages.

Experts note that the malicious messages are relatively well written, by spam standards. Still, some of the spelling and grammatical errors typical of spam written by non-native English speakers are present.

The messages appear to originate from the irs.gov domain, informing the recipient that there was some sort of problem processing their tax return payments. The subject line generally reads “Your IRS payment rejected,” “Federal Tax payment rejected,” or something similar. A PDF file is attached to the email.

The body of the email refers the recipient to the PDF for details about why their tax payment was problematic. When the recipient downloads the attachment, what they actually receive is the Zeus malware. Zeus uses keystroke logging, form grabbing and other tricks to gain access to private data such as credit card numbers, bank account information, and account passwords.
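A mail-filter check for the lure traits described above (a claimed irs.gov sender, a "payment rejected" subject line and a PDF attachment), as an added example that is not part of the original article. The sample messages, addresses and domains are constructed; a production filter would also verify SPF/DKIM rather than trust header strings alone.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject lines the article reports: "Your IRS payment rejected",
# "Federal Tax payment rejected" and similar variants.
LURE_SUBJECT = re.compile(r"(federal\s+tax|irs)\s+payment\s+rejected", re.I)


def build_sample(from_addr, return_path, subject, attach_pdf):
    """Build a constructed sample message (not a real campaign sample)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "taxpayer@example.com"  # constructed recipient
    msg["Subject"] = subject
    msg["Return-Path"] = return_path
    msg.set_content("Your tax payment could not be processed. See the attached PDF.")
    if attach_pdf:
        msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                           subtype="pdf", filename="tax_payment_notice.pdf")
    return msg.as_string()


def inspect_irs_lure(raw):
    """Return which lure traits one raw RFC 822 message exhibits."""
    msg = message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, ret_addr = parseaddr(str(msg.get("Return-Path", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    ret_domain = ret_addr.rpartition("@")[2].lower()
    return {
        # Header-level claim only; the article says the mails "appear" to be from irs.gov
        "claims_irs_sender": from_domain == "irs.gov" or from_domain.endswith(".irs.gov"),
        "lure_subject": bool(LURE_SUBJECT.search(str(msg.get("Subject", "")))),
        "pdf_attachment": any(
            part.get_content_type() == "application/pdf"
            or (part.get_filename() or "").lower().endswith(".pdf")
            for part in msg.iter_attachments()),
        # Envelope sender on a different domain than the displayed From is a spoofing hint
        "envelope_mismatch": bool(ret_domain) and ret_domain != from_domain,
    }


def is_irs_lure(raw):
    """Flag a message that combines all three traits of the described campaign."""
    t = inspect_irs_lure(raw)
    return t["claims_irs_sender"] and t["lure_subject"] and t["pdf_attachment"]
```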

With the fear of an audit or entanglement with the IRS so well ingrained in the American psyche, this particular tactic is proving moderately successful, as spam campaigns go. Such successes have built up the Zeus bot’s reputation over the past few years, making it one of the most infamous and dangerous malicious programs out there. It has been used in several dozen attacks and infected many millions of computers around the world.

Back in May, a version of the Zeus crimeware kit’s source code was leaked. It sprang up on numerous underground forums frequented by spammers, hackers, and cybercriminals. The code had previously been available only at a steep price, and its sudden free availability immediately worried internet security experts and cybercrime law enforcement agents. This latest fake IRS spam campaign may be the work of people who newly acquired the code.

Supporting this theory is the fact that there is a key mistake in the malware coding that gives researchers hope for determining who is behind the attack. While there are generally safeguards set in place to prevent the same person from repeatedly downloading the binary to collect samples for study, an oversight in the current campaign provides an easy loophole, facilitating study.

Like so many other spam campaigns today, the fake IRS emails make use of URL shortening. Typically, the spammers ensure that the same person cannot follow the shortened link pointing to the malware servers more than once. However, an oversight in the coding of this campaign allows the user to add on a special character to the end of the shortened URL, such as a plus sign or an asterisk, and follow the link to the malware servers repeatedly.

Thanks to this mistake, promising research is already underway to find those responsible for the latest attack of the Zeus bot. But spammers and cybercriminals usually prove resourceful. As word circulates about the specifics of the current spam campaign and the coding error, those behind the attack will no doubt alter their methods, change their servers, and clean up their code. Common sense and caution remain the public’s best chance at avoiding infection by Zeus or other malware.

Posted in: Spam
