
Taxable Phish 

Nov 01, 2007 03:00 AM

A few days ago our good friends at SANS posted an entry in their diary about a possible IRS scam about to happen. Well, it happened. We were able to acquire a copy of the spammed email and analyze the malicious behavior—we believed that the email itself had to be included in our analysis.

The email was very detailed and included the recipient’s complete name with a message, allegedly from the Internal Revenue Service (IRS). The spammed email talked about some supposed IRS e-File issues and asked the email recipient to download and print the correct PDF file using a link. As you might have guessed, the link wasn't to a site hosted by the real IRS.

Here is a picture of what the email looked like:

[Image: the spammed IRS email]

The link connected to a site hosted in Italy and downloaded an .scr file. This file was already detected by Symantec products as Trojan.Goldun.M. The Trojan in turn downloaded three more components from various sites. The first two components were Trojans that were responsible for stealing personal information from the compromised computer. The third component was really the most interesting component—it was a custom Apache Web server. Yes, the Trojan downloaded a custom Web server.

This Web server acted as a proxy between the compromised computer and legitimate sites used by people all across the globe. When a user opened a browser on the compromised computer and tried to visit a site, the Trojan matched the site with a set of known target domains and if a match was found, it would proxy the requests through the local Apache server to the destination. The Apache configuration files included a list of known legitimate IP addresses for specific domains. So, the Trojan knew who to contact when it needed to relay requests being made to its list of targeted domains.
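An analyst triaging a sample like this would want to pull the domain-to-upstream mapping out of the dropped Apache configuration quickly. The following is an added example, not code from the original post or from Symantec: it parses a constructed config fragment written in the style the post describes (one VirtualHost per impersonated domain, relaying to a hard-coded upstream IP) and flags the hostnames that fall under a watchlist of domains we care about. The domains, IPs and watchlist are all made-up assumptions.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the proxying config the post describes:
# each VirtualHost impersonates one target domain and relays requests to a
# hard-coded "legitimate" upstream address. All names and IPs are made up.
SAMPLE_CONFIG = """
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    ServerName www.examplebank.test
    ServerAlias examplebank.test
    ProxyPass / http://192.0.2.10/
    ProxyPassReverse / http://192.0.2.10/
</VirtualHost>
<VirtualHost 127.0.0.1:8080>
    ServerName login.examplepay.test
    ProxyPass / http://198.51.100.7/
</VirtualHost>
"""

# Domains whose users we are responsible for (assumed watchlist).
WATCHLIST = {"examplebank.test", "examplepay.test"}

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.M | re.I)
# Matches "ProxyPass <path> <upstream>" but not ProxyPassReverse.
PROXY_RE = re.compile(r"^\s*ProxyPass\s+\S+\s+(\S+)", re.M | re.I)


def extract_relays(config: str) -> Dict[str, List[str]]:
    """Map each impersonated hostname to the upstream URL(s) it is relayed to."""
    relays: Dict[str, List[str]] = {}
    for body in VHOST_RE.findall(config):
        # ServerAlias may list several names on one line, so split each hit.
        names = [n for line in NAME_RE.findall(body) for n in line.split()]
        upstreams = PROXY_RE.findall(body)
        for name in names:
            relays.setdefault(name.lower(), []).extend(upstreams)
    return relays


def flag_watchlisted(relays: Dict[str, List[str]], watchlist=WATCHLIST) -> List[str]:
    """Return the impersonated hostnames that belong to a watchlisted domain."""
    return sorted(h for h in relays
                  if any(h == d or h.endswith("." + d) for d in watchlist))


if __name__ == "__main__":
    found = extract_relays(SAMPLE_CONFIG)
    for host in flag_watchlisted(found):
        print(f"{host} relayed to {', '.join(found[host])}")
```

The upstream addresses recovered this way are the values the kit relies on to keep the victim's session working; comparing them with the domain's real DNS answers is a quick way to confirm what the proxy is impersonating.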

Once the Trojan started relaying information, it was able to extract personal information from the relayed information and store it. The stolen data was then routed to a MySQL server set up on a remote site. At the time of our analysis, the MySQL server was unavailable.

We have already contacted the companies whose users were targeted by this Trojan and made them aware of this attack. Symantec customers with updated definitions were not affected by this threat.

If anyone suspects that they might have been affected, we encourage them to notify the responsible authorities and change their personal information.
