ASB-2011.0077 - ALERT [Win][UNIX/Linux] Fake emails from ATO and ABR linking to malicious websites

Date: 15 September 2011
References: ESB-2010.0313.2  ESB-2010.0452  ASB-2010.0168  ASB-2011.0109  


                         AUSCERT Security Bulletin

        Fake emails from ATO and ABR linking to malicious websites
                             15 September 2011


        AusCERT Security Bulletin Summary

Product:              Fake emails linking to malicious websites
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Mitigation
CVE Names:            CVE-2010-0840 CVE-2010-1885 
Member content until: Saturday, October 15 2011
Reference:            ASB-2010.0168

Comment: Currently none of the style domains have been
         deregistered, the secondary sites are all still up, and the malware
         has a very low detection rate.


        Fake emails pretending to come from either the ATO (Australian
        Taxation Office) or the ABR (Australian Business Register) are being
        widely circulated. These emails are lures to websites containing


        AusCERT has received well over 100 of these fake emails in the last day. 

        The following "From:" addresses have been seen in the spam emails:


        The following three email formats have been used:

        Subject: Australian Taxation Office   New rules

           Australian Taxation Office informs you about the changes in the rules
           of submitting tax report.
           Please, read about the changes to Click Here.
           Important to know
           We do not offer cashier services for tax payments or refunds.
           For further information on how to pay your taxes, see How to pay.
           We are kindly asking you to keep to rules and terms of tax report
           submission to avoid penalty.
           Best regards,
           Andrew Nichols
           Australian Taxation Office
        Subject: Attention for the ABN owners

           Australian Taxation Office together with Australian Business Register
           wants to inform you that starting from January, 1 2012 new rules of use
           of ABN number are being introduced.
           The changes will concern:
           - GST credits;
           - Australian domain names registration
           More detailed information about the coming changes in the rules you can
           find HERE.
           Australian Business Register
        Subject: Attention to all holders of TFN \ Business name

           From November 1, 2011 new rules of submitting tax returns will be
           See the full list of changes with explanations HERE.
           The information requested in these applications is authorised by one or
           more of the following Acts:
           - A New Tax System (Australian Business Number) Act 1999
           - Income Tax Assessment Act 1936
           - A New Tax System (Goods and Services Tax) Act 1999
           - A New Tax System (Wine Equalisation Tax) Act 1999
           - A New Tax System (Luxury Car Tax) Act 1999
           - Fuel Tax Act 2006
           - Fringe Benefits Tax Assessment Act 1986
           - Taxation Administration Act 1953
           - Superannuation Industry (Supervision) Act 1993
           The information will help us to administer those Acts and the taxation
           Very Important information about your Business Name, go to the
           following link
           Australian Business Register

        The emails all contain a link directing users who click on it to one of
        the following domains/web sites which all (currently) point to the same
        IP address of

           australian-businesssite-4u .com
           australianbusinesssite-au .com
           australian-businesssite .com
           australian-businesssite-f .com
           australianbusiness-store .com
           australian-bussines-opps .com
           australianbussiness-today .com
           australianbussinesstuff .com
           day-australianbussiness .com
           getaustralian-bussines .com
           go-australianbussines .com
           greataustralian-bussines .com

        All 13 of these domains/web sites contain an iframe pointing to one of
        the following two URLs (both domains are currently pointing to an IP
        address of

           hxxp://jj-unp-lanka .com/main.php?page=3d0ac5a298f528ea
           hxxp://jj-unp-group .com/main.php?page=60b8b4d7f98dc0cf

        These two domains/websites contain or link to various exploits and
        malware. The exploit code on the two sites differs depending on what
        user agent you visit them with, but seems to exploit CVE-2010-1885.
        Each site contains the following:
           1) /content/worms.jar
           2) /g.php?f=25&e=6
           3) /content/2fdp.php?f=25
           4) a link to hxxp://australianbusinesssite .com/updateTax15sept.pdf.exe

        File number 1 is a Java exploit (CVE-2010-0840) that is currently detected
        by 4 out of the 44 VirusTotal AV products [1].
        File number 2 is a Windows executable file detected as Zbot/Zeus by 6 AV
        products on VirusTotal. [2] The numbers used for the "f" and "e"
        variables do not seem to matter.
        File number 3 is a PDF file that is detected by 7 AV products on
        VirusTotal. [3] The number used for the "f" variable does not
        seem to matter.
        File number 4 above is also Zbot/Zeus malware, but is detected by 18
        AV products on VirusTotal. [4]


        Possibilities for mitigation include:
        - Using filtering at mail gateways to block on key phrases or email
          addresses from the details above.
        - Using web filtering to block domains and IP addresses associated with
          this attack.
        - Monitoring connections to the domains and IPs listed above, as this may
          indicate the presence of infected machines. AusCERT provides a
          blacklist feed of malware sites to members which may help with achieving
          this. [5]
        - Informing and educating end users on this form of attack.
        - Ensuring anti-virus signatures are being kept up to date. While
          detection rates are currently low, new signatures that detect
          this trojan should be available soon.
        - Ensuring Java and PDF viewer software is kept up-to-date (along with
          web browser and other software as well as the base OS).
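        The following Python script is an added example, not AusCERT's own code or
        feed. It turns the indicators published in this bulletin (the lure domains,
        the two exploit-site domains and the three subject lines) into the mail
        gateway, web filter and proxy-log checks described above. The page writes
        the domains defanged ("hxxp://", a space before ".com"); the script carries
        them refanged so they can be matched. The proxy-log line format, the sample
        log lines and the sample lure page are constructed for the example and are
        not from the bulletin.

```python
import re
from urllib.parse import urlparse

# Lure domains from the bulletin, refanged (the page writes "domain .com").
LURE_DOMAINS = {
    "australian-businesssite-4u.com", "australianbusinesssite-au.com",
    "australian-businesssite.com", "australian-businesssite-f.com",
    "australianbusiness-store.com", "australian-bussines-opps.com",
    "australianbussiness-today.com", "australianbussinesstuff.com",
    "day-australianbussiness.com", "getaustralian-bussines.com",
    "go-australianbussines.com", "greataustralian-bussines.com",
    "australianbusinesssite.com",   # hosts updateTax15sept.pdf.exe
}
# The two domains the lure pages iframe to (exploit kit + malware downloads).
EXPLOIT_DOMAINS = {"jj-unp-lanka.com", "jj-unp-group.com"}
IOC_DOMAINS = LURE_DOMAINS | EXPLOIT_DOMAINS

# Subject lines of the three email formats seen in the spam run.
LURE_SUBJECTS = {
    "Australian Taxation Office   New rules",
    "Attention for the ABN owners",
    "Attention to all holders of TFN \\ Business name",
}


def _norm(text):
    """Lower-case and collapse whitespace so subject matching is robust."""
    return " ".join(text.lower().split())


_LURE_SUBJECTS_NORM = {_norm(s) for s in LURE_SUBJECTS}


def matching_domain(host):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def classify_url(url):
    """Classify a URL as lure-site, exploit-site, malware-download or None."""
    parsed = urlparse(url)
    dom = matching_domain(parsed.hostname or "")
    if dom is None:
        return None
    if dom in EXPLOIT_DOMAINS:
        return "exploit-site"
    if parsed.path.lower().endswith(".pdf.exe"):   # double-extension dropper
        return "malware-download"
    return "lure-site"


def is_lure_email(subject):
    """Mail-gateway check: does the subject match one of the three lures?"""
    return _norm(subject) in _LURE_SUBJECTS_NORM


# Constructed proxy log format (assumption): "<timestamp> <client> <method> <url> <status>"
def scan_proxy_log(lines):
    """Return (timestamp, client, verdict, url) for every line hitting an IOC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        verdict = classify_url(url)
        if verdict:
            hits.append((ts, client, verdict, url))
    return hits


# Matches the src attribute of an <iframe> tag in fetched HTML.
_IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def find_ioc_iframes(html):
    """Return iframe src URLs in html that point at the exploit domains."""
    return [src for src in _IFRAME_SRC.findall(html)
            if classify_url(src) == "exploit-site"]


# Constructed sample data (not from the bulletin): one infected client walks
# lure -> exploit kit -> worms.jar -> dropper; a second client is clean.
SAMPLE_PROXY_LOG = [
    "2011-09-15T09:41:02 10.1.2.34 GET http://australian-bussines-opps.com/ 200",
    "2011-09-15T09:41:03 10.1.2.34 GET http://jj-unp-lanka.com/main.php?page=3d0ac5a298f528ea 200",
    "2011-09-15T09:41:05 10.1.2.34 GET http://jj-unp-lanka.com/content/worms.jar 200",
    "2011-09-15T09:41:09 10.1.2.34 GET http://australianbusinesssite.com/updateTax15sept.pdf.exe 200",
    "2011-09-15T09:42:00 10.1.2.77 GET http://www.example.com/ 200",
]
SAMPLE_LURE_PAGE = (
    "<html><body><h1>Australian Business Register</h1>"
    "<iframe src=\"http://jj-unp-group.com/main.php?page=60b8b4d7f98dc0cf\""
    " width=1 height=1></iframe></body></html>"
)

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    print("iframes:", find_ioc_iframes(SAMPLE_LURE_PAGE))
    print("lure mail:", is_lure_email("Australian Taxation Office New rules"))
```

        The verdict distinguishes a user who merely opened the lure page from
        one whose browser went on to fetch the exploit kit or the dropper, which
        is the signal worth escalating; a client that only hits the lure domain
        is a candidate for user education, one that hits the exploit site or
        downloads the .pdf.exe is a candidate for isolation and AV rescan.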


        [1] File name: worms.jar

        [2] File name: 3a9ea770e4aa82f93b51a9b12cb2ecd8

        [3] File name: PDF.pdf

        [4] File name: 1013523

        [5] AusCERT XML Feed

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.