Fake IRS Notice – New ZBot variant (Oct 09, 2009)


SonicWALL UTM Research team observed a new wave of the Fake IRS notice campaign during the last three days.

The email pretends to arrive from an irs.gov e-mail address and contains a URL to IRS notice for unreported income. If the user clicks on this URL, it leads to the download of new ZBot Trojan variant.

The e-mail looks like:

Subject: Notice of Underreported Income

Email Body:
Taxpayer ID: [email handle-(14 digit random number)US] Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)

Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: [email handle-(14 digit random number)US] (<-- Malicious URL)

Internal Revenue Service

The e-mail message looks like below:


The site that opens up when user clicks on the URL inside the e-mail is shown below:


As seen in the screenshot the malicious site prompts the user to download and execute the IRS notice which in reality is the malware executable file as seen here:


The new ZBot variant performs following activities upon execution:

  • Creates following files:
    • (Windows_System)lowseclocal.ds
    • (Windows_System)lowsecuser.ds
    • (Windows_System)lowsecuser.ds.lll
    • (Windows_System)sdra64.exe
    • (Copy of itself)

  • Ensures that it runs every time Windows restart by modifying following registry entry:
    • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit: “(Windows_System)userinit.exe,(Windows_System)sdra64.exe,”
  • It tries to connect to a predetermined IP address on HTTP port and sends following GET requests:
    • http://195.93.208(REMOVED)livs/rec.php
    • http://195.93.208(REMOVED)lcc/ip1.gif
    • http://195.93.208(REMOVED)ip.php

The Trojan is also known as trojan Trojan-Spy.Win32.Zbot [IKarus] and Trojan-Spy.Win32.Zbot.gen [Kaspersky].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.GEN_84 (Trojan) and GAV: Zbot.GEN_85 (Trojan) signatures.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.