Zeus spreading through drive-by download


Uses fake tax return scam.

The notorious information-stealing Zeus trojan is currently spreading via drive-by download, said security researchers at IT management software and solutions vendor CA.

Those behind Zeus, or Zbot, recently began circulating spam claiming to come from the US government's Internal Revenue Service (IRS), requesting users submit a “tax refund request form” by clicking on a link that is provided. 

Clicking takes victims to a website that attempts to perform a drive-by download, meaning users do not need to take any further action to be infected, Don DeBolt, director of threat research at CA, told SCMagazineUS.com.

If clicked, the link loads a browser window that looks blank, but in the background it attempts to download malicious code and install a variant of Zeus, according to Mary Grace Gabriel, research engineer at CA's Internet Security Business Unit.

The malicious website contains an IFRAME that points to a second website hosting obfuscated JavaScript code. That script in turn points to yet another page, where a PDF file attempts to exploit a known vulnerability in Adobe Reader to download and execute a Zeus variant.
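As an added illustration (not from the article or from CA's research), the following Python triages saved HTML responses for the three stages described above: an IFRAME pointing at another site, script carrying packing markers, and a PDF the page loads by itself. The marker list, the finding names and the `.example` sample pages are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristic markers for packed loader scripts; tune against your own traffic.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")

class DriveByTriage(HTMLParser):
    """Collects (finding, detail) pairs for one page that was served from page_url."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data") or ""
        self._in_script = self._in_script or tag == "script"
        if tag == "iframe" and src:
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            host = urlparse(src).hostname
            if host and host != self.page_host:  # frame content comes from another site
                kind = "hidden-cross-site-iframe" if hidden else "cross-site-iframe"
                self.findings.append((kind, src))
        if tag in ("iframe", "embed", "object") and urlparse(src).path.lower().endswith(".pdf"):
            self.findings.append(("auto-loaded-pdf", src))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        hits = [m for m in OBFUSCATION_MARKERS if m in data]
        if self._in_script and len(hits) >= 2:  # one marker alone is common in benign code
            self.findings.append(("obfuscated-script", "+".join(hits)))

def triage(page_url, html):
    parser = DriveByTriage(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed, inert sample pages mirroring the three stages (reserved .example hosts).
SAMPLE_PAGES = {
    "http://landing.example/refund": '<body><iframe src="http://stage2.example/a" width="0" height="0"></iframe></body>',
    "http://stage2.example/a": '<script>eval(unescape("%76%6f%69%64%20%30"))</script>',
    "http://stage3.example/b": '<embed src="http://stage3.example/form.pdf" type="application/pdf">',
}
```

Calling `triage(url, html)` on each response saved from a proxy or sandbox capture yields one finding per stage for the constructed samples; a page with only same-site frames and plain script returns an empty list.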

Previous spam campaigns that spread Zeus did not utilise the drive-by download technique, but instead asked users to manually download and execute various reports, tools or statements seemingly coming from MySpace, Facebook, the IRS, Microsoft, the US Social Security Administration and Verizon Wireless.

“The people behind this threat are constantly refreshing their tactics,” DeBolt said.

The spam messages used in this latest campaign use subject lines related to IRS refunds. The body of the email reads: “After the last annual calculations of your fiscal activity we have determined that you are eligible to receive 760.22$ tax refund under section 501(c)(18) of the Internal Revenue Code.”

The IRS recently posted a notice warning users about phony e-mails claiming to come from the institution.

“The IRS does not send unsolicited e-mails to taxpayers about their tax accounts,” the agency said. “Anyone who receives an unsolicited e-mail claiming to come from the IRS should avoid opening any attachments or clicking on any links.”

See original article on scmagazineus.com

Copyright © SC Magazine, US edition
