ASB-2011.0077 - ALERT [Win][UNIX/Linux] Fake emails from ATO and ABR linking to malicious websites

Date: 15 September 2011
References: ESB-2010.0313.2  ESB-2010.0452  ASB-2010.0168  ASB-2011.0109  

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2011.0077
        Fake emails from ATO and ABR linking to malicious websites
                             15 September 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Fake emails linking to malicious websites
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Mitigation
CVE Names:            CVE-2010-0840 CVE-2010-1885 
Member content until: Saturday, October 15 2011
Reference:            ASB-2010.0168
                      ESB-2010.0452
                      ESB-2010.0313.2

Comment: Currently none of the australian-business.com style domains have been
         deregistered, the secondary sites are all still up, and the malware
         has a very low detection rate.

OVERVIEW

        Fake emails pretending to come from either the ATO (Australian
        Taxation Office) or the ABR (Australian Business Register) are being
        widely circulated. These emails are lures to websites containing
        malware. 


IMPACT

        AusCERT has received well over 100 of these fake emails in the last day. 

        The following "From:" addresses have been seen in the spam emails:

           admin@ato.gov.au
           donotreply@ato.gov.au
           info@ato.gov.au
           information@ato.gov.au
           no-reply@ato.gov.au
           rules@ato.gov.au
           subscribe@ato.gov.au
           admin@abr.gov.au
           donotreply@abr.gov.au
           info@abr.gov.au
           information@abr.gov.au
           no-reply@abr.gov.au
           rules@abr.gov.au
           subscribe@abr.gov.au

        The following three email formats have been used:

        -------------------------------------------------
        Subject: Australian Taxation Office   New rules

           Australian Taxation Office informs you about the changes in the rules
           of submitting tax report.
           Please, read about the changes to Click Here.
           Important to know
           We do not offer cashier services for tax payments or refunds.
           For further information on how to pay your taxes, see How to pay.
           (http://www.ato.gov.au/content.asp?doc=/content/33696.htm)
           We are kindly asking you to keep to rules and terms of tax report
           submission to avoid penalty.
           Best regards,
           Andrew Nichols
           Australian Taxation Office
        -------------------------------------------------
        Subject: Attention for the ABN owners

           Australian Taxation Office together with Australian Business Register
           wants to inform you that starting from January, 1 2012 new rules of use
           of ABN number are being introduced.
           The changes will concern:
           - GST credits;
           - Australian domain names registration
           More detailed information about the coming changes in the rules you can
           find HERE.
           Australian Business Register
           www.abr.gov.au
        -------------------------------------------------
        Subject: Attention to all holders of TFN \ Business name

           From November 1, 2011 new rules of submitting tax returns will be
           introduced.
           See the full list of changes with explanations HERE.
           The information requested in these applications is authorised by one or
           more of the following Acts:
           - A New Tax System (Australian Business Number) Act 1999
           - Income Tax Assessment Act 1936
           - A New Tax System (Goods and Services Tax) Act 1999
           - A New Tax System (Wine Equalisation Tax) Act 1999
           - A New Tax System (Luxury Car Tax) Act 1999
           - Fuel Tax Act 2006
           - Fringe Benefits Tax Assessment Act 1986
           - Taxation Administration Act 1953
           - Superannuation Industry (Supervision) Act 1993
           The information will help us to administer those Acts and the taxation
           law.
           Very Important information about your Business Name, go to the
           following link
           Australian Business Register
        -------------------------------------------------

        The emails all contain a link that directs users who click it to one of
        the following domains/web sites, which all (currently) resolve to the
        same IP address, 67.195.140.36:

           australian-businesssite-4u .com
           australianbusinesssite-au .com
           australian-businesssite .com
           australian-businesssite-f .com
           australianbusiness-store .com
           australian-bussines-opps .com
           australianbussiness-today .com
           australianbussinesstuff .com
           day-australianbussiness .com
           getaustralian-bussines .com
           go-australianbussines .com
           great-australianbussines.com
           greataustralian-bussines .com

        All 13 of these domains/web sites contain an iframe pointing to one of
        the following two URLs (both domains currently resolve to the IP
        address 88.198.76.173):

           hxxp://jj-unp-lanka .com/main.php?page=3d0ac5a298f528ea
           hxxp://jj-unp-group .com/main.php?page=60b8b4d7f98dc0cf

        These two domains/websites contain or link to various exploits and
        malware. The exploit code served by the two sites differs depending on
        the User-Agent the visitor presents, but appears to exploit
        CVE-2010-1885. Each site contains the following:
           1) /content/worms.jar
           2) /g.php?f=25&e=6
           3) /content/2fdp.php?f=25
           4) a link to hxxp://australianbusinesssite .com/updateTax15sept.pdf.exe

        File number 1 is a Java exploit (CVE-2010-0840) that is currently detected
        by 4 of the 44 VirusTotal AV products [1].
        
        File number 2 is a Windows executable file detected as Zbot/Zeus by 6 AV
        products on VirusTotal [2]. The values used for the "f" and "e"
        parameters do not seem to matter.
        
        File number 3 is a PDF file that is detected by 7 AV products on
        VirusTotal [3]. The value used for the "f" parameter does not
        seem to matter.
        
        File number 4 above is also Zbot/Zeus malware, but is detected by 18
        AV products on VirusTotal [4].


MITIGATION

        Possibilities for mitigation include:
        
        Using filtering at mail gateways to block on key phrases or email
        addresses from the details above.
        
        Using web filtering to block domains and IP addresses associated with
        this attack.
        
        Monitor connections to the domains and IPs listed above, as this may
        indicate the presence of infected machines. AusCERT provides a
        blacklist feed of malware sites to members which may help with achieving
        this. [5]
        
        Inform and educate end users on this form of attack.
        
        Ensure anti-virus signatures are being kept up to date. While
        detection rates are currently low, new signatures that detect
        this trojan should be available soon.
        
        Ensure Java and PDF viewer software is kept up-to-date (along with
        web browser and other software as well as the base OS).
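        The mail-gateway filtering suggested above can be expressed as a
        small rule over the sender, subject and body links. The following is
        an added example written for this page, not AusCERT tooling: the
        sender addresses and subjects are the ones observed in the bulletin,
        the three sample messages are constructed, and the rule flags a
        message that reuses an observed sender or subject, or that claims to
        come from ato.gov.au or abr.gov.au while linking to a host outside
        gov.au.

```python
"""Mail-gateway rule for the ATO/ABR lure mails described in ASB-2011.0077.

Added example for this bulletin, not AusCERT code. The sender addresses and
subjects are those listed in the bulletin; the sample messages are
constructed here. A message is flagged when it reuses an observed sender or
subject, or when it claims to come from ato.gov.au or abr.gov.au but links
to a host outside gov.au.
"""
import email
import email.utils
import re
from email import policy
from typing import List
from urllib.parse import urlsplit

SPOOFED_DOMAINS = {"ato.gov.au", "abr.gov.au"}
# The 14 "From:" addresses seen in the spam: seven local parts on each domain.
SEEN_SENDERS = {
    local + "@" + domain
    for domain in SPOOFED_DOMAINS
    for local in ("admin", "donotreply", "info", "information", "no-reply", "rules", "subscribe")
}
SEEN_SUBJECTS = {
    "Australian Taxation Office New rules",
    "Attention for the ABN owners",
    r"Attention to all holders of TFN \ Business name",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _norm(text) -> str:
    """Collapse whitespace and case so subject comparison survives re-wrapping."""
    return re.sub(r"\s+", " ", str(text or "")).strip().lower()


def body_links(msg) -> set:
    """Collect every http(s) URL in the text and HTML parts of a message."""
    links = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            links.update(m.group(0) for m in URL_RE.finditer(part.get_content()))
    return links


def classify_mail(raw: str) -> List[str]:
    """Return the reasons a raw RFC 5322 message matches the lure pattern ([] = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    reasons = []
    if from_addr in SEEN_SENDERS:
        reasons.append("known-sender:" + from_addr)
    if _norm(msg.get("Subject")) in {_norm(s) for s in SEEN_SUBJECTS}:
        reasons.append("known-subject")
    # The header domain is trivially forged, so the useful check is whether a
    # mail "from" the ATO/ABR sends the reader somewhere other than gov.au.
    if from_domain in SPOOFED_DOMAINS:
        for link in sorted(body_links(msg)):
            host = (urlsplit(link).hostname or "").lower()
            if host != "gov.au" and not host.endswith(".gov.au"):
                reasons.append("offsite-link:" + host)
    return reasons


# Constructed samples. LURE mirrors the second lure format in the bulletin.
LURE = """\
From: Australian Business Register <no-reply@abr.gov.au>
To: recipient@example.com
Subject: Attention for the ABN owners
Content-Type: text/html; charset="us-ascii"

<p>More detailed information about the coming changes in the rules you can
find <a href="http://australianbusinesssite-au.com/">HERE</a>.</p>
<p>Australian Business Register<br>www.abr.gov.au</p>
"""
# Reuses an observed address but links only to ato.gov.au: a sender-only hit
# that a gateway should weigh with care, since the address itself may be real.
SENDER_ONLY = """\
From: info@ato.gov.au
To: recipient@example.com
Subject: Activity statement reminder

Lodge at http://www.ato.gov.au/ before the due date.
"""
# Third-party mail that merely mentions the ATO site: must not be flagged.
CLEAN = """\
From: Accounts <accounts@example.com>
To: recipient@example.com
Subject: BAS due date

The lodgment calendar is at http://www.ato.gov.au/ and our notes are at
http://intranet.example.com/bas.
"""

if __name__ == "__main__":
    for name, raw in (("LURE", LURE), ("SENDER_ONLY", SENDER_ONLY), ("CLEAN", CLEAN)):
        print(name, classify_mail(raw) or "clean")
```

        Treat the sender-address match on its own as a weak signal: nothing
        stops the genuine ATO from using an address such as info@ato.gov.au,
        and nothing stops a spammer from choosing one that is not on the list.
        The off-site link combined with a spoofed government sender is the
        durable part of the rule, and where the spoofed domain publishes SPF
        or DMARC records an authentication failure at the gateway is a
        stronger signal than any header string comparison.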


REFERENCES

        [1] File name: worms.jar
            http://www.virustotal.com/file-scan/report.html?id=0cc9585aec1e96f9dcc59d3ab56c36c338af2bf307d1421705411faf3823f1ca-1316029503

        [2] File name: 3a9ea770e4aa82f93b51a9b12cb2ecd8
            http://www.virustotal.com/file-scan/report.html?id=e3362ae52b6ae35d6095a8e0ed1d2ca9bc0c7844748d26ccc32f1a20d7abd935-1316045407

        [3] File name: PDF.pdf
            http://www.virustotal.com/file-scan/report.html?id=746fba8910d9b7667b96c986ecc47cf72b0a068e286f445d0797e08c97463995-1316057422

        [4] File name: 1013523
            http://www.virustotal.com/file-scan/report.html?id=44ab9f1380c6728ff78ec1997c5a5df89c0a87b7314b1ee6882e4198be622f72-1316030775

        [5] AusCERT XML Feed
            https://www.auscert.org.au/9123

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
