Notice Of Underreported Taxes: Regenerated

Late Tuesday night and throughout the morning today we have been seeing the latest virus push from the Pushdo bot gang. After spending the past few weeks pushing the fake Facebook update angle, it looks like they have decided to go back to something familiar. They are again using fake Tax Statements alleging to be from the IRS to con you into downloading their Zbot Banking Trojan. These messages are identical to the ones that we were seeing from them back in September. This campaign must have had some success back in September for them to be committing to it again. It starts with a message alerting you that you have “Underreported your Income” and has a link to your “Tax Statement”. Here is what the message looks like:

The link in the message takes you to a fake IRS page, where an executable file awaits you for downloading. The page and file are identical to those from September (they have not bothered to change the file name). At this time there appears to be about fifty different domains that are hosting these malicious web pages and links. The Trojan download awaits you in the “tax-statement.exe”. Here is a look at the payload web page:

As of 10:30am(CST) we have blocked nearly 3 million of these malicious emails. The actual volume of this campaign is exponentially larger since 3 million represents just those [messages] sent to our Hosted Exchange and Spam Filtering customers. At this time we are seeing around 5,100 messages per minute. As I have said before many times, the IRS will NOT attempt to contact you in this manner so do not fall victim to these scams.