
SANS ISC: Zeus wants to do your taxes - SANS Internet Storm Center SANS ISC InfoSec Forums


Zeus wants to do your taxes

I've received reports of suspicious emails claiming to be from the IRS.  It's a common scheme to get a user to click and run an executable.

It looks like Zeus/Zbot to me (more on that here: https://zeustracker.abuse.ch/faq.php; their cert is a little non-standard), but I can't share the details yet. If you've received one of these emails and don't mind sharing the details with our readers, please submit a copy (via: http://isc.sans.org/contact.html).

If you want to check out your own logs in the meantime, I'd suggest looking for domains that look like www.irs.gov.<stuff> and downloaded executables with the word "tax" in them.
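The log check suggested above could be scripted as follows. This is an added example, not code from the original diary; the log layout (timestamp, client, method, URL, status), the sample lines and all function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2010-01-01T09:12:44 10.0.0.15 GET http://www.irs.gov/individuals/index.html 200
2010-01-01T09:13:02 10.0.0.22 GET http://www.irs.gov.example-lookalike.test/statement.php 200
2010-01-01T09:13:05 10.0.0.22 GET http://www.irs.gov.example-lookalike.test/tax-statement.exe 200
2010-01-01T09:20:31 10.0.0.31 GET http://downloads.example.test/files/TaxReport.EXE?id=7 200
2010-01-01T09:25:10 10.0.0.40 GET http://intranet.example.test/docs/syntax-guide.pdf 200
this line is malformed
"""

def is_irs_lookalike(host):
    """True when 'irs.gov' appears as labels but is NOT the registered suffix,
    e.g. www.irs.gov.<stuff>. The real irs.gov and its subdomains return False."""
    labels = host.lower().rstrip(".").split(".")
    # Only inspect label pairs that are followed by at least one more label.
    return any(labels[i:i + 2] == ["irs", "gov"] for i in range(len(labels) - 2))

def is_tax_executable(path):
    """True when the requested file name ends in .exe and contains 'tax'."""
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith(".exe") and "tax" in name

def scan(log_text):
    """Return (line_number, client, url, reasons) for every suspicious request."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 5:          # skip lines that do not match the layout
            continue
        client, url = fields[1], fields[3]
        parts = urlsplit(url)        # .path excludes the query string
        reasons = []
        if is_irs_lookalike(parts.hostname or ""):
            reasons.append("lookalike-host")
        if is_tax_executable(parts.path):
            reasons.append("tax-exe")
        if reasons:
            hits.append((number, client, url, reasons))
    return hits

if __name__ == "__main__":
    for number, client, url, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {client} -> {url} [{', '.join(reasons)}]")
```

Clients that show up with a lookalike host and then an executable download are the ones to examine first.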

For those with enough free time to try to track the different groups using Zeus, this one has an Avalanche feel to it.

Kevin Liston

ISC Handler
