Anti Virus Softwares

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 30 November 2009

IRS Spam Campaign leads to low detection malware

Posted on 08:45 by Unknown
We're getting tons of strange IRS spam this morning.

Subjects like:

IRS - Please Read!
IRS - Tax Refund Notification!
IRS e-file refund notification!
IRS REFUND Notification - Please Read This!
IRS: Your Tax Refund Notification!
Notification - Tax Refund!
Notification - Your Tax Refund!
Tax Refund!
US Internal Revenue Service!
US Treasury Department - Tax Refund!

Bodies look like this:



-----------------------------

Internal Revenue Service
United States Department of the Treasury
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive 533.41$ tax refund under section 501(c) (10) of the Internal Revenue Code. Please submit the Tax Refund Request Form and allow us 3-9 days to process it.

Yours faithfully,
Sarah Hall Ingram, Commissioner

This notification has been sent by the Internal Revenue Service, a bureau of the Department of the Treasury.

-----------------------
This would be a great place to remind people that if you have turned "javascript" on globally, when you visit ANY website, the code on that website runs, and so does the code on any website that is being loaded into your current webpage with an iframe.

In this case, there's an iframe that draws source from here, being blocked by Google Safe Browsing:

infosayt.com/heabes/index.php

An encrypted javascript is supposed to load from /ssp/index.php on each of the sites below.

The javascript on this page causes the page:

hxxp://refund-services.irs.issue.no.l398726.us/ssp/loadjavad.php?page=1

to be loaded, which drops an executable file called "load.exe". We expect that this page is regularly changed to allow a variety of malware to be dropped. At the moment, what it is dropping is a file that has these characteristics:

My Microsoft Forefront calls that: "Trojan:Win32/Oficla.E"
File size: 19968 bytes
MD5 : 8c111a22d26c84dffe3bc3e03907bc28

A VirusTotal Report gives 5 of 41 detects, meaning that MOST anti-virus software will currently return "no virus found" if you scan the file.

-------------------------
As I was working through my analysis, I found that this has actually already been written up quite nicely by CA in their Security Advisor blog by Mary Grace Gabriel.


Here's a list of webpages we've seen so today (November 30th):

refund-services.irs.issue.no.l320584.us
refund-services.irs.issue.no.l324603.us
refund-services.irs.issue.no.l32839.us
refund-services.irs.issue.no.l354923.us
refund-services.irs.issue.no.l362960.us
refund-services.irs.issue.no.l367360.us
refund-services.irs.issue.no.l372905.us
refund-services.irs.issue.no.l376054.us
refund-services.irs.issue.no.l380027.us
refund-services.irs.issue.no.l382703.us
refund-services.irs.issue.no.l383749.us
refund-services.irs.issue.no.l385372.us
refund-services.irs.issue.no.l387246.us
refund-services.irs.issue.no.l387266.us
refund-services.irs.issue.no.l392053.us
refund-services.irs.issue.no.l392086.us
refund-services.irs.issue.no.l398726.us
refund-services.irs.issue.no.l500328.us
refund-services.irs.issue.no.l507229.us
refund-services.irs.issue.no.l524820.us
refund-services.irs.issue.no.l528074.us
refund-services.irs.issue.no.l539028.us
refund-services.irs.issue.no.l539347.us
refund-services.irs.issue.no.l542043.us
refund-services.irs.issue.no.l562804.us
refund-services.irs.issue.no.l567387.us
refund-services.irs.issue.no.l568730.us
refund-services.irs.issue.no.l572463.us
refund-services.irs.issue.no.l57290.us
refund-services.irs.issue.no.l580382.us
refund-services.irs.issue.no.l583720.us
refund-services.irs.issue.no.l58736.us
refund-services.irs.issue.no.l587468.us
refund-services.irs.issue.no.l587938.us
refund-services.irs.issue.no.l590274.us
refund-services.irs.issue.no.l593380.us
refunds.irs.issue.no.l32839.us
refunds.irs.issue.no.l362960.us
refunds.irs.issue.no.l367360.us
refunds.irs.issue.no.l37204.us
refunds.irs.issue.no.l372905.us
refunds.irs.issue.no.l380027.us
refunds.irs.issue.no.l383749.us
refunds.irs.issue.no.l385372.us
refunds.irs.issue.no.l387246.us
refunds.irs.issue.no.l387266.us
refunds.irs.issue.no.l392053.us
refunds.irs.issue.no.l392059.us
refunds.irs.issue.no.l392086.us
refunds.irs.issue.no.l392503.us
refunds.irs.issue.no.l398726.us
refunds.irs.issue.no.l524820.us
refunds.irs.issue.no.l539347.us
refunds.irs.issue.no.l567387.us
refunds.irs.issue.no.l568730.us
refunds.irs.issue.no.l572035.us
refunds.irs.issue.no.l572463.us
refunds.irs.issue.no.l580382.us
refunds.irs.issue.no.l583720.us
refunds.irs.issue.no.l58736.us
refunds.irs.issue.no.l587468.us
refunds.irs.issue.no.l587938.us
refunds.irs.issue.no.l590274.us
refunds.irs.issue.no.l593380.us
ustreasurydept.irs.issue.no.l320584.us
ustreasurydept.irs.issue.no.l324603.us
ustreasurydept.irs.issue.no.l32839.us
ustreasurydept.irs.issue.no.l354923.us
ustreasurydept.irs.issue.no.l362960.us
ustreasurydept.irs.issue.no.l367360.us
ustreasurydept.irs.issue.no.l37204.us
ustreasurydept.irs.issue.no.l372905.us
ustreasurydept.irs.issue.no.l376054.us
ustreasurydept.irs.issue.no.l380027.us
ustreasurydept.irs.issue.no.l382703.us
ustreasurydept.irs.issue.no.l383749.us
ustreasurydept.irs.issue.no.l385372.us
ustreasurydept.irs.issue.no.l387246.us
ustreasurydept.irs.issue.no.l387266.us
ustreasurydept.irs.issue.no.l392053.us
ustreasurydept.irs.issue.no.l392503.us
ustreasurydept.irs.issue.no.l398726.us
ustreasurydept.irs.issue.no.l500328.us
ustreasurydept.irs.issue.no.l507229.us
ustreasurydept.irs.issue.no.l524820.us
ustreasurydept.irs.issue.no.l528074.us
ustreasurydept.irs.issue.no.l539028.us
ustreasurydept.irs.issue.no.l539347.us
ustreasurydept.irs.issue.no.l542043.us
ustreasurydept.irs.issue.no.l562804.us
ustreasurydept.irs.issue.no.l567387.us
ustreasurydept.irs.issue.no.l568730.us
ustreasurydept.irs.issue.no.l572035.us
ustreasurydept.irs.issue.no.l572463.us
ustreasurydept.irs.issue.no.l57290.us
ustreasurydept.irs.issue.no.l583720.us
ustreasurydept.irs.issue.no.l587468.us
ustreasurydept.irs.issue.no.l587938.us
ustreasurydept.irs.issue.no.l590274.us
ustreasury.irs.issue.no.l320584.us
ustreasury.irs.issue.no.l324603.us
ustreasury.irs.issue.no.l354923.us
ustreasury.irs.issue.no.l362960.us
ustreasury.irs.issue.no.l37204.us
ustreasury.irs.issue.no.l376054.us
ustreasury.irs.issue.no.l380027.us
ustreasury.irs.issue.no.l382703.us
ustreasury.irs.issue.no.l383749.us
ustreasury.irs.issue.no.l385372.us
ustreasury.irs.issue.no.l387246.us
ustreasury.irs.issue.no.l387266.us
ustreasury.irs.issue.no.l392053.us
ustreasury.irs.issue.no.l392059.us
ustreasury.irs.issue.no.l392086.us
ustreasury.irs.issue.no.l392503.us
ustreasury.irs.issue.no.l398726.us
ustreasury.irs.issue.no.l528074.us
ustreasury.irs.issue.no.l539028.us
ustreasury.irs.issue.no.l539347.us
ustreasury.irs.issue.no.l542043.us
ustreasury.irs.issue.no.l562804.us
ustreasury.irs.issue.no.l572035.us
ustreasury.irs.issue.no.l572463.us
ustreasury.irs.issue.no.l57290.us
ustreasury.irs.issue.no.l580382.us
ustreasury.irs.issue.no.l583720.us
ustreasury.irs.issue.no.l58736.us
ustreasury.irs.issue.no.l587468.us
ustreasury.irs.issue.no.l587938.us
ustreasury.irs.issue.no.l590274.us
ustreasury.irs.issue.no.l593380.us

These have been shared with appropriate authorities and will hopefully be shut down soon!
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in zbot | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • Indictments reveal $77 Million in Illegal Pill Sales
    Congratulations to the Daytona Beach FBI, US Attorney Robert O'Neill, and their colleagues at IRS and FDA. The Daytona Beach News report...
  • Most Dangerous Cities for Cyber Crime?
    Symantec Riskiest Cybercrime Cities Symantec released a study today in conjunction with Sperling's Best Places today. According to thei...
  • Morocco based "Team Evil" reroutes prominent Israeli websites
    After more than 10,000 websites being defaced in protest of Israeli actions in Gaza, Morrocco-based defacement team "Team Evil" ha...
  • Minipost: Google v. Pacific WebWorks
    I blogged recently about the "Google Jobs" scammers who were abusing Twitter, Blogspot, Google Reader, and spaces.live.com by crea...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • WIRED: November Jargon Watch & Forensics?
    One of my NASA buddies (hi, Lisa!) dropped by last week for coffee and to catch up on the world of information management. When I introduce...

Categories

  • Blogs
  • Calendar
  • china
  • Communities
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • Drivers
  • email
  • Excel 2007
  • facebook
  • fake av
  • Features
  • Firewall
  • Gadgets
  • gumblar
  • Hardware
  • Hotmail
  • IE7
  • Internet Explorer 7
  • koobface
  • law enforcement
  • malware
  • Microsoft
  • Outlook
  • pharmaceuticals
  • phishing
  • PowerPoint 2007
  • public policy
  • Ready Boost
  • ReadyBoost
  • Security
  • Sidebar
  • Software
  • spam
  • Tutorials
  • twitter
  • twitter malware
  • USB
  • Virtual PC
  • Vista
  • waledac
  • Wallpaper
  • Websites
  • Windows
  • Windows Live
  • Windows Vista
  • Word 2007
  • zbot

Blog Archive

  • ►  2013 (17)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ▼  2009 (93)
    • ►  December (12)
    • ▼  November (11)
      • IRS Spam Campaign leads to low detection malware
      • Beware Weekend Facebook Scam!
      • Some Jerk posted your photo - and now you're infec...
      • UAB Spam Data Mine finds Social Security Statement...
      • Fake Flash Player Zbot spread by "Your Domain"
      • Running out of Money Mules?
      • Zeus: Same Criminal, New Spam Infrastructure
      • Newest Zeus = NACHA: The Electronic Payments Assoc...
      • The $9 Million World-Wide Bank Robbery
      • Zeus / Zbot Malware moves Back to IRS
      • Zeus Malware Moves to Myspace
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (7)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (109)
    • ►  December (7)
    • ►  November (17)
    • ►  October (12)
    • ►  September (10)
    • ►  August (23)
    • ►  July (14)
    • ►  June (3)
    • ►  May (8)
    • ►  April (6)
    • ►  March (2)
    • ►  February (3)
    • ►  January (4)
  • ►  2007 (37)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  April (2)
    • ►  March (2)
    • ►  February (2)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile