Fake IRS emails continue to spread Gov-related Zeus

We've already seen nearly 500 copies of the new Government-related Zeus spam campaign so far this morning in the UAB Spam Data Mine. As has been typical in this campaign that we first started tracking on July 13th, the detection has been fairly horrible each morning for the new malware version. We lasted updated on this malware on July 29th in our story Government-related Zeus Spam Continues.

Today's version advertises the domain "tax-irs-report.com" and asks users to download the file 0000770950077US.pdf.exe from that site.

190 different computers have sent us the spam for this campaign so far today. 118 of them from the USA, 40 from India.

When we asked the UAB Spam Data Mine what other virus links we had been sent by this same group of 190 computers on other days, we got this list:

receiving_date | machine | path
----------------+------------------------------+-------------------------------
2011-07-13 | usbanking-security.com | /tax_report.pdf.exe
2011-07-15 | federalsecusrity.com | /pending-taxes.pdf.exe
2011-07-19 | irs-report-link.com | /tax-report.pdf.exe
2011-07-19 | irs-taxes-report.com | /tax-report.pdf.exe
2011-07-19 | taxreport-irs.com | /tax-report.pdf.exe
2011-07-20 | alerts-federalresrve.com | /rejected_wire.pdf.exe
2011-07-20 | nacha-alert.com | /rejected_transaction.pdf.exe
2011-07-20 | nacha-alert.org | /rejected_transfer.pdf.exe
2011-07-20 | reports-federalreserve.com | /rejected_wire.pdf.exe
2011-07-21 | national-security-agency.com | /blocked_list.exe
2011-07-21 | national-security-agency.com | /token_security_update.exe
2011-07-21 | nsa-security.net | /blocked-list.exe
2011-07-21 | nsa-security.net | /token_security_update.exe
2011-07-22 | irs-downloads.com | /00000700955160US.exe
2011-07-22 | irs-files.com | /00000700955170US.exe
2011-07-26 | irs-alert.com | /00000700955770US.exe
2011-07-27 | nacha-transactions.org | /304694305894903.pdf.exe
2011-07-27 | taxes-refund.com | /00000700975770US.exe
2011-07-27 | www.nacha-rejected.com | /304694305894903.pdf.exe
2011-07-28 | fdic-updates.com | /system_update_07_28.exe
2011-07-29 | federalreserve-alert.com | /transaction_report.pdf.exe
2011-07-29 | taxes-security.com | /00000700955060US.pdf.exe
2011-08-03 | irs-report.com | /00000770950077US.exe
2011-08-05 | tax-irs-report.com | /0000770950077US.pdf.exe
(24 rows)

So, at least some of today's spamming computers have been with this campaign since the beginning (July 13th).

When today's malware is executed it sets a registry key in "HKEY_USERS\S-1-5(my user)-500\Software\Microsoft\Windows\CurrentVersion\Run" to relaunch itself from my current user account where it had copied itself as "C:\Documents and Settings\Administrator\Application Data\Afena\iror.exe"

It makes connection to domains generated with a DGA (Domain Generation Algorithm). Today's live domain was:

olojkpcltulirqr.info on 50.57.71.39

from there it did a GET for /news/?s=158404

It tried many other domains, but none of the others were live. Some of them include:

jruioljslsitjpfv.biz
wlnzkqmohuhzqyra.info
tjjhmtjlziebo.net
jpkpbxkoxwijzijr.info

As we have seen before, the malware ALSO fetches a copy of "heap_v206_mails.exe" after it successfully installs itself.

The spam started at 4:45 AM (Central time), peaked at 5:15, and then began to trickle off. (We group in 15 minute windows.)

count | 15 minute spam block
-------+---------------------
3 | 2011-08-05 04:45:00
3 | 2011-08-05 05:00:00
406 | 2011-08-05 05:15:00
86 | 2011-08-05 05:30:00
(4 rows)

This morning's malware is largely undetected:

A VirusTotal Report shows 6 of 43 AV products know that this is a virus.

I have to praise Microsoft for being the only one of the six to correctly call this Zeus (Zbot).

Email subjects we've seen on this morning's campaign:

count | subject
-------+-------------------------------------------------------------------
38 | Change Confirmation
4 | Does your company is registered outstanding tax debt
5 | Does your company is registered tax debt
1 | Does your enterprise including unpaid tax debts
1 | Does your enterprise listed outstanding tax debts
1 | Does your enterprise listed unpaid tax debts
30 | Federal Tax payment rejected
1 | For your company including unpaid tax debts
1 | For your company is registered outstanding tax debts
1 | For your company is registered tax debts
1 | For your company is registered unpaid tax debt
1 | For your company listed tax debts
2 | For your enterprise listed tax debt
70 | Internal Revenue Service
24 | Internal Revenue Service (IRS)
19 | Internal Revenue Service United States Department of the Treasury
32 | IRS.gov
31 | IRS.gov US
19 | Notice of Underreported Income
35 | Payment IRS.gov
50 | Support IRS.gov
40 | Treasury Inspector General for Tax Administration
42 | U.S. Department of the Treasury
1 | Your company including outstanding tax debts
1 | Your company including tax debts
1 | Your company listed outstanding tax debt
2 | Your company listed tax debts
1 | Your enterprise including outstanding tax debts
2 | Your enterprise is registered unpaid tax debts
1 | Your enterprise listed outstanding tax debt
1 | Your enterprise listed unpaid tax debt
39 | Your IRS payment rejected
(32 rows)


A mix and match of sender name, sender-username, and sender-domain creates the from addresses:

count | sender_name
-------+---------------------------------------------------------------------
19 | "Internal Revenue Service"
18 | "Internal Revenue Service (IRS)"
27 | "Internal Revenue Service (IRS.gov)"
29 | "Internal Revenue Service United States Department of the Treasury"
23 | "Internal Revenue Service US Department of the Treasury"
29 | "IRS.gov"
18 | "IRS.gov United States Department of the Treasury"
30 | "IRS.gov US"
22 | "IRS.gov US Department of the Treasury"
21 | "IRS United States Department of the Treasury"
41 | "Payment IRS.gov"
37 | "Support IRS.gov"
23 | "The Consumer Financial Protection"
37 | "Treasury Inspector General for Tax Administration"
30 | "United States Department of the Treasury"
19 | "U.S. Department of the Treasury"
23 | "US_IRS"
17 | "USIRS"
35 | "US IRS.gov"


count | sender_username
-------+--------------------------
12 | admin
8 | adminnistration
9 | alerts
16 | cunsumer
29 | delivery
15 | e-file
10 | finance
33 | frboard-webannouncements
36 | govdelivery
26 | info
17 | information
14 | inspector
8 | internal_revenue_service
30 | Internal_Revenue_Service
18 | irs
6 | news
14 | news-alerts
8 | no-reply
28 | privacy_policy
22 | protection
5 | public
5 | report
9 | service
17 | stats
22 | subscriber
12 | subscriptions
13 | support
13 | usirc
14 | USIRS
13 | usttb
16 | webannouncements
(31 rows)

count | sender_domain
-------+-------------------
93 | antifraud.irs.gov
73 | info.irs.gov
78 | irs.gov
91 | irs.security.gov
73 | irs.taxes.gov
90 | service.irs.gov
(6 rows)