Date: 15 September 2011
References: ESB-2010.0313.2 ESB-2010.0452 ASB-2010.0168 ASB-2011.0109
-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
Fake emails from ATO and ABR linking to malicious websites
15 September 2011
AusCERT Security Bulletin Summary
Product: Fake emails linking to malicious websites
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
CVE Names: CVE-2010-0840 CVE-2010-1885
Member content until: Saturday, October 15 2011
Comment: Currently none of the australian-business.com style domains have been
deregistered, the secondary sites are all still up, and the malware
has a very low detection rate.
Fake emails pretending to come from either the ATO (Australian
Taxation Office) or the ABR (Australian Business Register) are being
widely circulated. These emails are lures to websites containing
AusCERT has received well over 100 of these fake emails in the last day.
The following "From:" addresses have been seen in the spam emails:
The following three email formats have been used:
Subject: Australian Taxation Office New rules
Australian Taxation Office informs you about the changes in the rules
of submitting tax report.
Please, read about the changes to Click Here.
Important to know
We do not offer cashier services for tax payments or refunds.
For further information on how to pay your taxes, see How to pay.
We are kindly asking you to keep to rules and terms of tax report
submission to avoid penalty.
Australian Taxation Office
Subject: Attention for the ABN owners
Australian Taxation Office together with Australian Business Register
wants to inform you that starting from January, 1 2012 new rules of use
of ABN number are being introduced.
The changes will concern:
- GST credits;
- Australian domain names registration
More detailed information about the coming changes in the rules you can
Australian Business Register
Subject: Attention to all holders of TFN \ Business name
From November 1, 2011 new rules of submitting tax returns will be
See the full list of changes with explanations HERE.
The information requested in these applications is authorised by one or
more of the following Acts:
- A New Tax System (Australian Business Number) Act 1999
- Income Tax Assessment Act 1936
- A New Tax System (Goods and Services Tax) Act 1999
- A New Tax System (Wine Equalisation Tax) Act 1999
- A New Tax System (Luxury Car Tax) Act 1999
- Fuel Tax Act 2006
- Fringe Benefits Tax Assessment Act 1986
- Taxation Administration Act 1953
- Superannuation Industry (Supervision) Act 1993
The information will help us to administer those Acts and the taxation
Very Important information about your Business Name, go to the
Australian Business Register
The emails all contain a link directing users who click on it to one of
the following domains/web sites which all (currently) point to the same
IP address of 220.127.116.11:
All 13 of these domains/web sites contain an iframe pointing to one of
the following two URLs (both domains are currently pointing to an IP
address of 18.104.22.168):
These two domains/websites contain or link to various exploits and
malware. The exploit code on the two sites differs depending on what
user agent you visit them with, but seems to exploit CVE-2010-1885.
Each site contains the following:
4) a link to hxxp://australianbusinesssite .com/updateTax15sept.pdf.exe
File number 1 is a Java exploit (CVE-2010-0840) that is currently detected
by 4 out of the 44 VirusTotal AV products.
File number 2 is a Windows executable file detected as Zbot/Zeus by 6 AV
products on VirusTotal. The numbers used for the "f" and "e"
variables do not seem to matter.
File number 3 is a PDF file that is detected by 7 AV products on
VirusTotal.  The number used for the "f" variable does not
seem to matter.
File number 4 above is also Zbot/Zeus malware, but is detected by 18
AV products on VirusTotal. 
Possibilities for mitigation include:
- Using filtering at mail gateways to block on key phrases or email
  addresses from the details above.
- Using web filtering to block domains and IP addresses associated with
- Monitor connections to the domains and IPs listed above, as this may
  indicate the presence of infected machines. AusCERT provides a
  blacklist feed of malware sites to members which may help with achieving
- Inform and educate end users on this form of attack.
- Ensure anti-virus signatures are being kept up to date. While
  detection rates are currently low, new signatures that detect
  this trojan should be available soon.
- Ensure Java and PDF viewer software is kept up-to-date (along with
  web browser and other software as well as the base OS).
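
The connection-monitoring mitigation above, sketched as an added example that is not part of the AusCERT bulletin: it scans web proxy logs for requests to the domain named in item 4 (defanging removed) and for document-style double extensions such as `.pdf.exe`, then reports the internal clients involved. The log layout, the sample lines and the `triage` function name are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicator taken from this bulletin (defanging removed); extend the set with
# the full domain list from the signed version of the bulletin.
BULLETIN_DOMAINS = {"australianbusinesssite.com"}
# Document-style name followed by an executable extension, e.g. "x.pdf.exe".
DOUBLE_EXT = re.compile(r"\.(pdf|doc|xls|zip)\.(exe|scr|com|pif)$", re.I)

# Constructed sample lines in an assumed "time client method url status" layout.
SAMPLE_LOG = """\
2011-09-15T09:01:12 10.0.4.17 GET http://www.ato.gov.au/ 200
2011-09-15T09:02:40 10.0.4.23 GET http://australianbusinesssite.com/updateTax15sept.pdf.exe 200
2011-09-15T09:03:05 10.0.7.9 GET http://files.example.net/Invoice.PDF.EXE 200
2011-09-15T09:03:30 10.0.4.23 GET http://AustralianBusinessSite.com./index.php 200
malformed line
2011-09-15T09:05:00 10.0.9.2 GET http://example.org/report.pdf 200
"""

def triage(log_text):
    """Return {client_ip: sorted list of reasons} for suspicious requests."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed layout
        _, client, _, url, _ = parts
        target = urlsplit(url)
        # hostname is lower-cased by urlsplit; drop a trailing root dot.
        host = (target.hostname or "").rstrip(".")
        reasons = set()
        # Match the listed domain and any subdomain of it, not lookalikes.
        if any(host == d or host.endswith("." + d) for d in BULLETIN_DOMAINS):
            reasons.add("bulletin-domain")
        if DOUBLE_EXT.search(target.path):
            reasons.add("double-extension")
        if reasons:
            hits.setdefault(client, set()).update(reasons)
    return {ip: sorted(r) for ip, r in hits.items()}

if __name__ == "__main__":
    for ip, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(ip, ", ".join(reasons))
```

A client flagged for both reasons has fetched the executable itself and is the first candidate for a host-level check.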
 File name: worms.jar
 File name: 3a9ea770e4aa82f93b51a9b12cb2ecd8
 File name: PDF.pdf
 File name: 1013523
 AusCERT XML Feed
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----