Beware the ides of April

Okay, the ides of April actually is the 13th of the month, not the 15th, but the warning still applies. US-CERT reports an increased number of phishing scams and malware campaigns taking advantage of the tax season, which peaks on April 15.

The malware is delivered through a variety of e-mail lures: some refer to a tax refund, others warn about unreported or under-reported income, offer to assist in filing for a refund, or claim to have details about fake e-file websites, according to US-CERT. “These messages, which appear to be from the IRS, may ask users to submit personal information via email or may instruct the user to follow a link to a website that requests personal information or contains malicious code.”

One active campaign uses the Trojan variously known as Zeus, Zbot, W32/Zbot or Win32.Zbot, which installs spyware and keyloggers on compromised computers. It typically harvests financial and banking credentials and can even serve up fake Web pages or inject additional fields into the victim’s real online banking log-in page to capture data the bank itself never asks for. It uploads the stolen data to a server controlled by the attackers.

It should go without saying that the IRS does not contact taxpayers via e-mail and does not solicit information online, and in April -- as in every other month -- the basic rules about avoiding malware apply: Do not click on unsolicited links and do not respond to online requests for personal or financial information.
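The advice above turns directly into triage rules: a message is suspect if it claims to come from the IRS but the sender or links point elsewhere, if the visible link text and the real link target disagree, or if it asks for personal or financial data. The following script is an added example, not code from the article or from US-CERT; it applies those rules to three constructed sample messages (two lures modelled on the campaign descriptions above and one benign note), and the domains in the samples are invented.

```python
"""Triage IRS-themed phishing e-mail (added example; sample messages are constructed)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

IRS_DOMAIN = "irs.gov"
# Terms the IRS would not ask for by e-mail; a hit on a tax-themed message is a red flag.
PII_TERMS = ("social security", "ssn", "bank account", "routing number",
             "credit card", "date of birth", "password")
IRS_NAME_RE = re.compile(r"\b(irs|internal revenue)\b", re.I)
THEME_RE = re.compile(r"\b(irs|internal revenue|tax refund|tax return|e-?file)\b")
ANCHOR_RE = re.compile(r'<a\b[^>]*href=["\']?([^"\' >]+)[^>]*>(.*?)</a>', re.I | re.S)
HREF_RE = re.compile(r'href=["\']?([^"\' >]+)', re.I)
BARE_URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)


def _hostname(url):
    return (urlparse(url).hostname or "").lower()


def _is_irs_host(host):
    return host == IRS_DOMAIN or host.endswith("." + IRS_DOMAIN)


def _body_text(msg):
    """Concatenate every text/* part, decoding transfer encoding and charset."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def triage(raw):
    """Return a list of findings for one raw RFC 822 message; empty means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    body = _body_text(msg)
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()

    claims_irs = bool(IRS_NAME_RE.search(display))
    if not (claims_irs or THEME_RE.search(text)):
        return findings  # not a tax lure; these rules have nothing to say

    if claims_irs and not _is_irs_host(sender_host):
        findings.append(f"display name claims IRS but sender is {addr}")
    # Heuristic: a spoofed irs.gov From with an unrelated envelope sender.
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if rp_addr and _is_irs_host(sender_host) and not _is_irs_host(rp_addr.rpartition("@")[2].lower()):
        findings.append(f"From is irs.gov but Return-Path is {rp_addr}")
    # Visible link text that names one host while the href goes to another.
    for href, label in ANCHOR_RE.findall(body):
        href_host, label_host = _hostname(href), _hostname(label.strip())
        if label_host and label_host != href_host:
            findings.append(f"link text shows {label_host} but target is {href_host}")
    # Any link off irs.gov on a tax-themed message; 'irs' in the host is a lookalike.
    for url in set(HREF_RE.findall(body)) | set(BARE_URL_RE.findall(body)):
        host = _hostname(url)
        if not host or _is_irs_host(host):
            continue
        findings.append(f"{'lookalike' if 'irs' in host else 'external'} link to {host}")
    hits = [t for t in PII_TERMS if t in text]
    if hits:
        findings.append("requests personal data: " + ", ".join(hits))
    return findings


def is_suspicious(raw):
    return bool(triage(raw))


# Constructed samples (invented domains), not real captures.
PHISH_REFUND = "\n".join([
    'From: "Internal Revenue Service" <refunds@irs-refund-center.com>',
    "Subject: Tax Refund Notification",
    'Content-Type: text/html; charset="utf-8"',
    "",
    "<p>After the last annual calculation you are eligible for a refund of $620.50.</p>",
    "<p>Confirm your Social Security number and bank account at "
    '<a href="http://irs.gov.refund-claims.example/form">http://www.irs.gov/refund</a></p>',
])
PHISH_INCOME = "\n".join([
    'From: "IRS Notification" <notice@irs.gov>',
    "Return-Path: <bounce-14@mailer.example.net>",
    "Subject: Unreported income for tax year 2009",
    "",
    "Our records show unreported income. Review the notice and e-file an amended",
    "return at http://unreported-income-notice.example/efile within 48 hours.",
])
BENIGN = "\n".join([
    'From: "Alice Example" <alice@example.org>',
    "Subject: Lunch on Friday?",
    "",
    "Are you free for lunch Friday? The new place near the office just opened.",
])

if __name__ == "__main__":
    for name, raw in (("refund lure", PHISH_REFUND), ("income lure", PHISH_INCOME), ("benign", BENIGN)):
        print(name, "->", triage(raw) or "no findings")
```

The rules are deliberately conservative: a message that never mentions the IRS or taxes is passed through untouched, so the script is a first-pass filter for tax-season lures rather than a general spam classifier.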

And, speaking of April, one year after the supposed trigger date of the Conficker worm, the long-lived botnet is still out there. April 1, 2009, proved to be pretty much a bust when the sleeping bots were not activated, but Symantec’s Vincent Weafer says about 6.5 million systems are still infected with the malicious code.

“Thus far, the machines still infected with Downadup/Conficker have not been utilized for any significant criminal activity, but with an army of nearly 6.5 million computers strong, the threat remains a viable one,” Weafer said.

He speculated that the botnet might have gotten too high of a profile for comfort. “While these infected computers remain wide open to further attack, they are monitored closely by law enforcement and members of the Conficker Working Group,” he said. “Too much attention is often a turn-off and will likely prevent them from further playing out their original criminal plans.”

One other bit of positive news about Conficker is that the .C variant, which used peer-to-peer connections among infected machines to distribute its updates, appears to be dying out. The number of infections has dropped from a high of about 1.5 million in April 2009 to a little more than 200,000 today.

A company that tracks Conficker scanning activity reported last month that traffic from infected government systems had dropped off sharply in recent months, which could indicate a successful remediation effort.

Rodney Joffe, senior vice president and technologist at Neustar Inc., a directory services provider that administers the .US country-code top-level domain registry for the Commerce Department, and director of the Conficker Working Group, said the number of infected government systems appears to have dropped from the tens of thousands to fewer than 100.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
