Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.


Web Threat Spotlight: IRS Spam Conceals Backdoor Component (Jan 18, 2010)


Cybercriminals have already begun abusing the 2010 tax season with spam purporting to be from the IRS. These spam emails contain malicious attachments looking to download malware onto your PC.

Published in: Technology
  • Don't be a victim of Identity Theft. Always contact the IRS if you are doubtful. If anyone needs to fill out tax forms, here is a link to the various blank tax forms that you can fill out electronically: http://goo.gl/JjiZwR. This site also has some tutorials on how to fill them out.


ISSUE NO. 55 JANUARY 18, 2010

IRS Spam Conceals Backdoor Component

The new tax season has officially begun, and spam runs are not far behind. As if keeping tabs on one’s finances were not already a challenge, cybercriminals are making things more difficult. In what has become a tax tradition of sorts, spammed messages purporting to be from the Internal Revenue Service (IRS) are making the inbox rounds yet again. The latest spam attack lives up to the tradition with its timely release and typical email content. Unfortunately, it employs more than the usual phishing tactics: the first IRS-related attack of the year lets cybercriminals in through the back door.

The Threat Defined

At first glance, the spammed message that Trend Micro analysts found appears rather ordinary. Purportedly from the IRS, it bears the subject “W-2 Form update.” The W-2 form, which states an employee’s annual salary and total tax, has supposedly undergone “important changes” that require the said update. The message body encourages users to open the attachment and includes legitimate URLs and phone numbers that lend credibility to its claim.

Figure 1. Screenshot of spammed message

The email body in itself is harmless enough, unlike previous spam runs that included malicious URLs. The real danger lies within the attached .RTF file (Update.doc), which is supposed to be the W-2 form. After opening the .RTF document, users will see what appears to be an embedded .PDF file. In truth, however, the “PDF” is a malicious .EXE file that uses the PDF icon. By simply changing the extension of the malicious file (C_server.exe) to .PDF and the displayed file name to W-2, cybercriminals have set up a rather deceitful attack. When opening the supposed .PDF file, users receive a prompt asking whether they want to open the embedded object. Clicking Yes brings up another message, which reveals the true nature of the concealed .EXE file. This should lift the veil of deceit for perceptive users, as the prompt clearly indicates the name of the .EXE file. However, in cases where users run the application, the affected system becomes susceptible to a backdoor application attack.

Figure 2. BKDR_POISON.AEL infection diagram

The .RTF file is detected by Trend Micro as BKDR_POISON.BQA. Upon execution, the backdoor component of the Darkmoon Remote Administration Tool (RAT) opens a hidden Web browser that attempts to connect to a remote server. However, BKDR_POISON.BQA only connects to an internal IP address as of this writing.
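As an added illustration (not part of the original report) of the concealment described under The Threat Defined: a small Python scanner that decodes the hex behind each \objdata control word in an RTF and checks whether the embedded object is really a PE executable (an MZ header whose e_lfanew points at a PE signature) or a genuine PDF, so an attachment presented as a W-2 "PDF" that is actually an .EXE is flagged before anyone clicks Yes. The RTF samples, the OLE-style wrapper bytes and the minimal PE header are constructed for the demonstration, not taken from the real attachment.

```python
import binascii
import re
import struct

# Hex payload that follows each \objdata control word in the raw RTF bytes.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata_blobs(rtf: bytes) -> list:
    """Decode the hex stream behind every \\objdata control word in the RTF."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:          # truncated stream: drop the dangling nibble
            hexstr = hexstr[:-1]
        blobs.append(binascii.unhexlify(hexstr))
    return blobs


def looks_like_pe(blob: bytes) -> bool:
    """True if some 'MZ' in the blob has an e_lfanew that lands on 'PE\\0\\0'."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            if blob[pos + e_lfanew : pos + e_lfanew + 4] == b"PE\x00\x00":
                return True
        pos = blob.find(b"MZ", pos + 1)
    return False


def classify_blob(blob: bytes) -> str:
    """'pe' beats 'pdf': a PE carrying a PDF string is still an executable."""
    if looks_like_pe(blob):
        return "pe"
    if b"%PDF-" in blob:
        return "pdf"
    return "unknown"


def scan_rtf(rtf: bytes) -> list:
    """Return the content type of each embedded object, in document order."""
    return [classify_blob(b) for b in extract_objdata_blobs(rtf)]


# Constructed samples (not the real malware): a simplified OLE-style wrapper
# labelled "W-2.pdf" around a minimal MZ/PE header, and around a PDF header.
def _wrap(payload: bytes) -> bytes:
    header = b"\x01\x05\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00Package\x00W-2.pdf\x00"
    return (rb"{\rtf1\ansi{\object\objemb{\*\objclass Package}{\*\objdata "
            + binascii.hexlify(header + payload) + rb"}}\par}")


FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
DISGUISED_EXE_RTF = _wrap(FAKE_PE)           # the "PDF" that is really an .EXE
REAL_PDF_RTF = _wrap(b"%PDF-1.4\n%%EOF\n")   # a genuinely embedded PDF
```

Run `scan_rtf()` over a suspect attachment; any object reported as "pe" inside a document that claims to carry a form or PDF warrants quarantine regardless of the icon or name shown to the user.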
Trend Micro analysts found another sample of the spammed IRS message, which appears to be another version of the previous sample. Detected as BKDR_POISON.AEL, the malicious .EXE file concealed in the .RTF attachment successfully connects to a remote server and grants access to the affected system. Establishing a connection allows a cybercriminal to perform any of the following backdoor routines:

  • Capture screenshots, webcam transmissions, and audio clips
  • Delete or search for and upload files
  • Log keystrokes and active windows
  • Modify and search for registry entries
  • Perform a shell command
  • Send system information (IP address, computer name, user name, OS)
  • Update/Uninstall malware
  • View and terminate active windows and ports

User Risks and Exposure

As previously mentioned, timing is an important factor for IRS-related spam. These messages usually make an appearance when an important IRS deadline is near. The latest attack is no exception, with February 1 just weeks away. A notable difference, however, is that past IRS-related spam attacks have generally been phishing-related in nature. They used anything from bogus forms and fake websites to ZBOT variants to steal personally identifiable records. The data stealing likewise focused on selected information such as bank account and credit card credentials, which cybercriminals use for their own profit. The new attack is different in that it not only facilitates information theft but also leaves the affected user vulnerable to malicious actions by a remote user. While there has been a previous IRS-related attack whose malware carried a backdoor component, the BKDR_POISON malware family has lately been seen more commonly in vulnerability exploit attacks. Examples include TROJ_PIDIEF.WIA and TROJ_PIDIEF.ABA, which both drop BKDR_POISON variants. As such, the new IRS spam and BKDR_POISON tandem is not a familiar scenario. This could signal a tactical change not just for IRS-related spam but for spammed messages in general. Users therefore need to be more vigilant in filtering their email messages, especially if they are using unprotected systems.

Trend Micro Solutions and Recommendations

Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect. In this attack, Smart Protection Network’s email reputation service blocks all emails related to this spam run. File reputation service detects and prevents the download of malicious files detected as BKDR_POISON.BQA and BKDR_POISON.AEL. Web reputation service prevents access to the malicious remote server.

The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/bogus-irs-w-2-form-leads-to-malware/

The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_POISON.BQA
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_POISON.AEL
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.WIA
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.ABA

Other related posts are found here:
http://blog.trendmicro.com/phishers-hit-multiple-banks-with-one-stone/
http://blog.trendmicro.com/tax-season-is-phishing-season/
http://blog.trendmicro.com/fake-form-w-8ben-used-in-irs-tax-scams/
http://blog.trendmicro.com/social-engineering-watch-another-irs-scam/
