Date: 15 September 2011
References: ESB-2010.0313.2 ESB-2010.0452 ASB-2010.0168 ASB-2011.0109
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2011.0077
Fake emails from ATO and ABR linking to malicious websites
15 September 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Fake emails linking to malicious websites
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Mitigation
CVE Names: CVE-2010-0840 CVE-2010-1885
Member content until: Saturday, October 15 2011
Reference: ASB-2010.0168
ESB-2010.0452
ESB-2010.0313.2
Comment: Currently none of the australian-business.com style domains have been
deregistered, the secondary sites are all still up, and the malware
has a very low detection rate.
OVERVIEW
Fake emails pretending to come from either the ATO (Australian
Taxation Office) or the ABR (Australian Business Register) are being
widely circulated. These emails are lures to websites containing
malware.
IMPACT
AusCERT has received well over 100 of these fake emails in the last day.
The following "From:" addresses have been seen in the spam emails:
admin@ato.gov.au
donotreply@ato.gov.au
info@ato.gov.au
information@ato.gov.au
no-reply@ato.gov.au
rules@ato.gov.au
subscribe@ato.gov.au
admin@abr.gov.au
donotreply@abr.gov.au
info@abr.gov.au
information@abr.gov.au
no-reply@abr.gov.au
rules@abr.gov.au
subscribe@abr.gov.au
The following three email formats have been used:
-------------------------------------------------
Subject: Australian Taxation Office New rules
Australian Taxation Office informs you about the changes in the rules
of submitting tax report.
Please, read about the changes to Click Here.
Important to know
We do not offer cashier services for tax payments or refunds.
For further information on how to pay your taxes, see How to pay.
(http://www.ato.gov.au/content.asp?doc=/content/33696.htm)
We are kindly asking you to keep to rules and terms of tax report
submission to avoid penalty.
Best regards,
Andrew Nichols
Australian Taxation Office
-------------------------------------------------
Subject: Attention for the ABN owners
Australian Taxation Office together with Australian Business Register
wants to inform you that starting from January, 1 2012 new rules of use
of ABN number are being introduced.
The changes will concern:
- GST credits;
- Australian domain names registration
More detailed information about the coming changes in the rules you can
find HERE.
Australian Business Register
www.abr.gov.au
-------------------------------------------------
Subject: Attention to all holders of TFN \ Business name
From November 1, 2011 new rules of submitting tax returns will be
introduced.
See the full list of changes with explanations HERE.
The information requested in these applications is authorised by one or
more of the following Acts:
- A New Tax System (Australian Business Number) Act 1999
- Income Tax Assessment Act 1936
- A New Tax System (Goods and Services Tax) Act 1999
- A New Tax System (Wine Equalisation Tax) Act 1999
- A New Tax System (Luxury Car Tax) Act 1999
- Fuel Tax Act 2006
- Fringe Benefits Tax Assessment Act 1986
- Taxation Administration Act 1953
- Superannuation Industry (Supervision) Act 1993
The information will help us to administer those Acts and the taxation
law.
Very Important information about your Business Name, go to the
following link
Australian Business Register
-------------------------------------------------
The emails all contain a link directing users who click on it to one of
the following domains/web sites which all (currently) point to the same
IP address of 67.195.140.36:
australian-businesssite-4u .com
australianbusinesssite-au .com
australian-businesssite .com
australian-businesssite-f .com
australianbusiness-store .com
australian-bussines-opps .com
australianbussiness-today .com
australianbussinesstuff .com
day-australianbussiness .com
getaustralian-bussines .com
go-australianbussines .com
great-australianbussines.com
greataustralian-bussines .com
All 13 of these domains/web sites contain an iframe pointing to one of
the following two URLs (both domains are currently pointing to an IP
address of 88.198.76.173):
hxxp://jj-unp-lanka .com/main.php?page=3d0ac5a298f528ea
hxxp://jj-unp-group .com/main.php?page=60b8b4d7f98dc0cf
These two domains/websites contain or link to various exploits and
malware. The exploit code on the two sites differs depending on what
user agent you visit them with, but seems to exploit CVE-2010-1885.
Each site contains the following:
1) /content/worms.jar
2) /g.php?f=25&e=6
3) /content/2fdp.php?f=25
4) a link to hxxp://australianbusinesssite .com/updateTax15sept.pdf.exe
File number 1 is a Java exploit (CVE-2010-0840) that is currently detected
by 4 out of the 44 VirusTotal AV products [1].
File number 2 is a Windows executable file detected as Zbot/Zeus by 6 AV
products on VirusTotal. [2] The numbers used for the "f" and "e"
variables do not seem to matter.
File number 3 is a PDF file that is detected by 7 AV products on
VirusTotal. [3] The number used for the "f" variable does not
seem to matter.
File number 4 above is also Zbot/Zeus malware, but is detected by 18
AV products on VirusTotal. [4]
MITIGATION
Possibilities for mitigation include:
- Using filtering at mail gateways to block on key phrases or email
addresses from the details above.
- Using web filtering to block domains and IP addresses associated with
this attack.
- Monitoring connections to the domains and IPs listed above, as this may
indicate the presence of infected machines. AusCERT provides a
blacklist feed of malware sites to members which may help with achieving
this. [5]
- Informing and educating end users on this form of attack.
- Ensuring anti-virus signatures are being kept up to date. While
detection rates are currently low, new signatures that detect
this trojan should be available soon.
- Ensuring Java and PDF viewer software is kept up-to-date (along with
web browser and other software as well as the base OS).
REFERENCES
[1] File name: worms.jar
http://www.virustotal.com/file-scan/report.html?id=0cc9585aec1e96f9dcc59d3ab56c36c338af2bf307d1421705411faf3823f1ca-1316029503
[2] File name: 3a9ea770e4aa82f93b51a9b12cb2ecd8
http://www.virustotal.com/file-scan/report.html?id=e3362ae52b6ae35d6095a8e0ed1d2ca9bc0c7844748d26ccc32f1a20d7abd935-1316045407
[3] File name: PDF.pdf
http://www.virustotal.com/file-scan/report.html?id=746fba8910d9b7667b96c986ecc47cf72b0a068e286f445d0797e08c97463995-1316057422
[4] File name: 1013523
http://www.virustotal.com/file-scan/report.html?id=44ab9f1380c6728ff78ec1997c5a5df89c0a87b7314b1ee6882e4198be622f72-1316030775
[5] AusCERT XML Feed
https://www.auscert.org.au/9123
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----