September 10th, 2009

Cutwail botnet spamming 'IRS unreported income' themed malware

Posted by Dancho Danchev @ 11:43 am

Researchers from MX Logic (now part of McAfee) have intercepted a new malware campaign spammed by the Pushdo/Cutwail botnet that uses ‘IRS unreported income’ notices in an attempt to trick recipients into downloading a tax-statement.exe executable.

The Pushdo/Cutwail botnet remains among the most aggressively spamming cybercrime platforms, with the latest campaign traffic averaging about 90,000 emails per hour according to the company.

The latest campaign dynamically includes the recipient’s email address within the page, as well as the user name within the executable link, in an attempt to establish authenticity. It uses the following URL structure: irs.gov.hyu11hep .eu/fraud_application/directory/statement.php. Upon execution, the executable (Trojan-Spy.Win32.Zbot.gen) downloads more malicious content from known crimeware command and control servers.
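A defensive check for the URL structure described above, as an added example (not code from the original post or from MX Logic): it flags link hosts that embed a protected domain such as irs.gov as leading labels of a different registered domain. The `PROTECTED` list and the function names are assumptions, and every URL other than the one quoted in the post is a constructed sample.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the mail filter should protect from impersonation.
PROTECTED = ("irs.gov",)

def refang(text):
    """Undo common defanging: hxxp, [.], and stray spaces around a dot."""
    text = re.sub(r"^hxxp", "http", text.strip(), flags=re.I)
    text = text.replace("[.]", ".")
    return re.sub(r"\s+(?=\.)|(?<=\.)\s+", "", text)

def hostname(url):
    """Return the lower-cased host of a (possibly defanged, scheme-less) URL."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def embedded_brand(url, protected=PROTECTED):
    """Return the protected domain a URL's host imitates, or None.

    A host is flagged when a protected domain appears as a run of labels
    inside it while the host is not that domain or one of its subdomains.
    Only the host is inspected; a brand name in the path is ignored.
    """
    labels = hostname(url).split(".")
    for brand in protected:
        b = brand.split(".")
        if labels[-len(b):] == b:
            continue  # genuinely under the protected domain
        for i in range(len(labels) - len(b)):
            if labels[i:i + len(b)] == b:
                return brand
    return None

if __name__ == "__main__":
    samples = [
        # URL structure quoted in the post (defanged as published)
        "irs.gov.hyu11hep .eu/fraud_application/directory/statement.php",
        # Constructed samples
        "https://www.irs.gov/payments",
        "hxxp://irs[.]gov[.]example[.]net/statement.php",
        "http://example.com/irs.gov/statement.php",
    ]
    for s in samples:
        print(f"{embedded_brand(s) or '-':8} {hostname(s)}")
```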

Pushdo/Cutwail was among the botnets whose operations were briefly disrupted by the June 2009 shutdown of the rogue ISP 3FN/Pricewert, which resulted in a short-lived 15% drop in spam volume coming from it.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
