Faux Emails Push Virus Variant

Friday, July 29, 2011 @ 02:07 PM gHale


Fake IRS emails are hitting the cyber streets that direct viewers to a new variant of the LICAT file infecting virus.

LICAT is a piece of malware associated with the ZeuS banking Trojan that first appeared back in October 2010. LICAT is a distribution and update mechanism for ZeuS, said security researchers from Trend Micro.

RELATED STORIES
Smart Trojan Hides as Java Update
Sites Face New ZeuS Attack
Attacks Anytime; Govt. Contractors Hit
Web Sites to Find if You’re a Target

The virus appends its rogue code to legitimate EXE, DLL and HTML files. Each time one of the infected files executes, a list of URLs generates according to a predefined algorithm similar to the one used by Conficker.

The ZeuS Trojan normally updates itself from a list of predefined command and control servers. Losing control of these domain names usually means losing control of the entire botnet.

LICAT adds a redundancy mechanism. It tries to access all of the generated URLs and downloads a new ZeuS version if it finds one.

If they lose control of their C&C domains, the attackers can register a domain they know LICAT will generate in advance and upload their new version there. At that point it is just a waiting game.

The rogue emails detected by Trend Micro come from “Payment IRS.gov” and bear a subject of “Internal Revenue Service United States Department of the Treasury.”

The message in the email body claims the recipient is guilty of tax fraud and instructs them to inspect their tax statement on the IRS website by clicking on a link. Clicking on the link prompts them to download the new LICAT variant, detected by Trend Micro products as TSPY_ZBOT.WHZ.

Trend Micro malware experts believe LICAT is the creation of fraudsters with access to the ZeuS Trojan source code. “Uploaded LICAT-related binaries on ZeuS Tracker suggest that LICAT variants are indeed coming from a specific criminal cybergang. Most samples appear to have similar resources (file version information),” said Trend Micro engineer Jasper Manuel.



Leave a Reply

You must be logged in to post a comment.