There is a large-scale spam campaign underway right now in which attackers are using fairly well-crafted emails that appear to come from the IRS to infect victims with the Zeus bot. The attack has been ongoing for a couple of weeks, and researchers say that although the attackers have taken some precautions to prevent analysis of the sites and malware being used, they have also made some key mistakes.
The Zeus-laden fake IRS emails have been making the rounds since mid-June at least and they’re convincing enough to have snared more than a few victims. The subject line typically says something like, “Federal Tax payment rejected” or “Your IRS payment rejected”, and the sender’s address is spoofed to include the irs.gov domain.
The bodies of the emails often contain a couple of spelling and grammatical errors and include a link to a PDF file. That file directs the victim to a download that drops the Zeus binary on his machine. From there, it's game over for the user.
But the really interesting part of this specific attack is that the attackers have made a couple of mistakes in setting up their infrastructure. Like many other such attacks, this one relies in some cases on URL shorteners to point users to the malware servers. Typically, attackers take precautions to prevent the same user from downloading a binary more than once, as a way to stop researchers from collecting samples.
In this case, however, if a user appends a special character such as a plus sign, an asterisk or a pound sign to the end of a shortened URL, he can download the binary as many times as he likes, one fresh copy per distinct character.
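The behaviour Kaspersky describes (one fresh download per distinct trailing character, even from the same patched machine) is consistent with a download gate that remembers what it has already served keyed on the raw request path rather than on the requesting client. The following model is an added illustration, not code from the page, from Kaspersky or from the attackers' infrastructure; the real server logic is not known, so the path-keyed gate, the `GatedDropServer` class, the constructed stand-in binary and the sample client address are all assumptions made for the demonstration. It shows the mistaken gate beside a client-keyed one, and a collector that walks the special-character variants the way a researcher harvesting samples would.

```python
"""Toy model of a one-download-per-victim gate and the trailing-character
bypass described in the article.

Added illustration, not the page's own code. ASSUMPTION: the gate keys its
"already served" set on the full request path, so "/example*" and
"/example+" look like new requests. Nothing here talks to the network.
"""
import hashlib
from typing import Callable, Optional, Set, Tuple

# Constructed stand-in for the dropped binary (not a real sample).
FAKE_BINARY = b"MZ\x90\x00constructed stand-in for the Zeus dropper"
# Characters a researcher would try appending to the short link.
SPECIAL_CHARS = "+*#!$%"

KeyFn = Callable[[str, str], object]


class GatedDropServer:
    """Serves the payload once per key; repeat requests get nothing."""

    def __init__(self, key_fn: KeyFn) -> None:
        self.key_fn = key_fn
        self.served: Set[object] = set()

    def get(self, client_ip: str, path: str) -> Optional[bytes]:
        key = self.key_fn(client_ip, path)
        if key in self.served:
            return None          # second visit: payload withheld
        self.served.add(key)
        return FAKE_BINARY


def key_by_path(client_ip: str, path: str) -> object:
    """The assumed mistake: dedupe on the literal URL, ignore the client.
    Every distinct trailing character is a brand-new key."""
    return path


def key_by_client(client_ip: str, path: str) -> object:
    """What the gate presumably intended: one payload per client, however
    the path is decorated."""
    return client_ip


def collect_samples(server: GatedDropServer, client_ip: str,
                    short_path: str, chars: str = SPECIAL_CHARS
                    ) -> Tuple[int, Set[str]]:
    """Request the short link, then each special-character variant, and
    count how many payloads one client was able to pull. Returns
    (download count, set of SHA-256 hashes of the distinct payloads)."""
    downloads = 0
    hashes: Set[str] = set()
    for suffix in [""] + list(chars):
        body = server.get(client_ip, short_path + suffix)
        if body is not None:
            downloads += 1
            hashes.add(hashlib.sha256(body).hexdigest())
    return downloads, hashes


if __name__ == "__main__":
    researcher = "198.51.100.7"   # constructed sample address
    path = "/example"
    for label, key_fn in (("path-keyed gate", key_by_path),
                          ("client-keyed gate", key_by_client)):
        count, digests = collect_samples(GatedDropServer(key_fn),
                                         researcher, path)
        print(f"{label}: {count} download(s), {len(digests)} distinct hash(es)")
```

Against the path-keyed gate the collector pulls the payload seven times from one address (the bare link plus six variants); against the client-keyed gate it gets exactly one copy and every variant is refused. Hashing what comes back also tells you whether the variants really return the same binary or the server is rotating samples, which is the first thing worth checking when a campaign hands out "one special char per one new download".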
“If you go to the short link with any of the special characters at the end and even if it’s the same system and it’s fully patched, you will get the binary again and again. For example, instead of clicking on http://3cm.kz/example, just put at the end http://3cm.kz/example+ or http://3cm.kz/example* or any other and for each new special char you will get the binary. One special char per one new download,” said Dmitry Bestuzhev, a malware researcher at Kaspersky Lab, in an analysis of the attack.
Zeus has proven to be one of the more venerable and flexible crimeware kits of recent years. It has been used in dozens and dozens of attacks and has infected millions of machines over that time. The source code for one version of Zeus was leaked recently, leading researchers to predict that more attacks involving the kit would be in the offing as more attackers gain access to a tool that was previously out of their reach.