Cutwail botnet spamming 'IRS unreported income' themed malware

Cutwail botnet spamming 'IRS unreported income' themed malware

Summary: Researchers from MX Logic -- now part of McAfee -- have intercepted a new malware campaign spammed by the Pushdo/Cutwail botnet, that's using an 'IRS unreported income' notices in an attempt to trick the recipients into downloading a tax-statement.exe executable.

SHARE:

Researchers from MX Logic -- now part of McAfee -- have intercepted a new malware campaign spammed by the Pushdo/Cutwail botnet, that's using an 'IRS unreported income' notices in an attempt to trick the recipients into downloading a tax-statement.exe executable.

The Pushdo/Cutwail botnet remains among the most aggressively spamming cybercrime platforms, with the latest campaign traffic averaging about 90,000 emails per hour according to the company.

The latest campaign is dynamically including the recipient's email within the page, as well as the user name within the executable link in an attempt to establish authenticity, using the following URL structure - irs.gov.hyu11hep .eu/fraud_application/directory/statement.php. Upon execution, the executable (Trojan-Spy.Win32.Zbot.gen) downloads more malicious content from known crimeware command and control servers.

Pushdo/Cutwail was among the botnets whose operations were briefly disrupted in June, 2009's shutdown of the rogue ISP 3FN/Pricewert, resulting in a short-lived 15% drop in spam volume coming from it.

Topics: Malware, Collaboration, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

2 comments
Log in or register to join the discussion
  • Additional URL used in similar emails

    http://www.irs.gov.mdtsrv.me/fraud_application/directory/statement.php?email=emailaddress&tid=supposed-taxpayer-ID

    This one was just received today (9/16)
    michaelbreton
  • RE: Cutwail botnet spamming 'IRS unreported income' themed malware

    Great!!! thanks for sharing this information to us!
    <a href="http://www.yuregininsesi.com">seslisohbet</a> <a href="http://www.yuregininsesi.com">seslichat</a>
    birumut