Zeus Trojan Proliferating via ‘Drive-by Download’ Method
Security researchers at CA (a vendor of IT management software and solutions) have said that the infamous information-stealing Trojan Zeus is currently spreading through drive-by downloads. The people responsible for Zeus, also known as Zbot, have started circulating spam e-mails purporting to be from the Internal Revenue Service (IRS), the US tax agency.
The spam e-mail states that, following the last yearly calculation of the recipient's financial transactions, the IRS has determined that the user is entitled to a $760.22 tax reimbursement as per the Internal Revenue Code section 501C (18). It then asks the recipient to fill in the Tax Refund Request Form, to be processed within 3-9 days. The e-mail adds that the form is available from a web link embedded in the message.
However, on clicking the link, users land on a website that triggers a drive-by download, meaning that end-users need not do anything themselves to become infected, according to Don DeBolt, Director of Threat Research at CA, as reported by SCMagazine on November 30, 2009.
Giving more detail, Mary Grace, Research Engineer at the Internet Security Business Unit of CA, blogged that if the "Tax Refund Request Form" link was clicked, the user would see a blank browser window in which nothing was visible, while in reality a malware program downloaded and installed Win32/Zbot, as reported by CA Community on November 27, 2009.
Meanwhile, confirming the fraudulent nature of the e-mails, the IRS stated that it does not send unsolicited e-mails to citizens regarding their tax accounts. Therefore, anyone who receives such a message apparently from the IRS must neither click any link in it nor open any attachment.
Notably, the IRS has been a repeated theme in Zeus attacks. In September 2009, security researchers on UAB's Computer Forensics research team said that a phony e-mail posing as a message from the IRS stated that, in connection with "Unreported/Underreported Income" apparently detected by the IRS's 'Fraud Application,' the recipient must visit a website to examine the problem.
Consequently, the CA specialists advise end-users to remain vigilant about e-mails of this type and to regularly make sure that their security programs are up to date.
» SPAMfighter News - 11-12-2009