I've received reports of suspicious emails claiming to be from the IRS. It's a common scheme to get a user to click and run an executable.
It looks like Zeus/Zbot to me (more on that here: https://zeustracker.abuse.ch/faq.php; their cert is a little non-standard), but I can't share the details yet. If you've received one of these emails and don't mind sharing the details with our readers, please submit a copy (via: http://isc.sans.org/contact.html).
If you want to check out your own logs in the meantime, I'd suggest looking for domains that look like www.irs.gov.<stuff> and downloaded executables with the word "tax" in them.
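One way to run that log check, as an added example that is not part of the original diary: it flags hosts where irs.gov appears as leading labels of some other domain, and executable downloads with "tax" in the file name. The log format (timestamp, client IP, URL), the sample lines, and the extension list are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client IP, URL); not real indicators.
SAMPLE_LOG = """\
2010-03-25T09:14:02 10.0.0.21 http://www.irs.gov/individuals/index.html
2010-03-25T09:15:40 10.0.0.34 http://www.irs.gov.example.net/fraud/notice.php?id=77
2010-03-25T09:15:44 10.0.0.34 http://www.irs.gov.example.net/fraud/tax-statement.exe
2010-03-25T09:20:11 10.0.0.50 http://downloads.example.org/files/TaxReport.EXE
2010-03-25T09:22:05 10.0.0.51 http://mirrors.example.org/pub/syntax-highlighter.zip
"""

LEGIT = "irs.gov"
EXE_EXT = (".exe", ".scr", ".pif")  # assumed list; adjust to your environment


def lookalike_host(host):
    """True when irs.gov forms leading labels of a host that is not under irs.gov."""
    host = host.lower().rstrip(".")
    if host == LEGIT or host.endswith("." + LEGIT):
        return False  # genuinely irs.gov or one of its subdomains
    return re.search(r"(^|\.)irs\.gov\.", host) is not None


def tax_executable(path):
    """True when the requested file name is an executable containing 'tax'."""
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith(EXE_EXT) and "tax" in name


def scan(log_text):
    """Return (client, url, reasons) for each line matching either heuristic."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        client, url = fields[1], fields[2]
        parts = urlsplit(url)
        reasons = []
        if lookalike_host(parts.hostname or ""):
            reasons.append("irs.gov lookalike host")
        if tax_executable(parts.path):
            reasons.append("executable with 'tax' in name")
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

A client that matches both heuristics in quick succession (10.0.0.34 in the constructed sample) is the one to look at first.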
For those with enough free time to try to track the different groups using Zeus, this one has an Avalanche feel to it.
Mar 25th 2010