February 6, 2010

Criminals are spamming the Zeus banking Trojan in a convincing e-mail that spoofs the National Security Agency. Initial reports indicate that a large number of government systems may have been compromised by the attack.

According to one state government security expert who received multiple copies of the message, the e-mail campaign — apparently designed to steal passwords from infected systems — was sent exclusively to government (.gov) and military (.mil) e-mail addresses.

The messages are spoofed so that they appear to have been sent by the National Intelligence Council (address used was nic@nsa.gov), which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence.

The e-mails urge recipients to download a copy of a report named “2020 Project.” Another variant is spoofed to make it look like the e-mail came from admin@intelink.gov. The true sender, as pulled from information in the e-mail header, is nobody@sh16.ruskyhost.ru.
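The header comparison the article alludes to (the visible From: address versus the envelope sender and the originating host recorded by the receiving mail server), as an added example in Python that is not part of the original post; both messages are constructed, and the example.gov hosts and 192.0.2.x addresses are placeholders.

```python
import email
from email.utils import parseaddr

# Constructed sample modelled on the campaign above: the visible From: claims
# nic@nsa.gov, while the envelope sender and originating host recorded by the
# receiving mail server point at sh16.ruskyhost.ru; other hosts are placeholders.
SPOOFED = """\
Return-Path: <nobody@sh16.ruskyhost.ru>
Received: from sh16.ruskyhost.ru (sh16.ruskyhost.ru [192.0.2.10])
  by mx.example.gov with SMTP; Sat, 6 Feb 2010 09:12:33 -0500
From: National Intelligence Council <nic@nsa.gov>
Subject: 2020 Project report

Please download the attached report.
"""

# Constructed legitimate counterpart: every sender indicator agrees.
LEGIT = """\
Return-Path: <reports@example.gov>
Received: from mx1.example.gov (mx1.example.gov [192.0.2.20])
  by mx.example.gov with SMTP; Sat, 6 Feb 2010 10:00:00 -0500
From: Reports <reports@example.gov>
Subject: Weekly summary
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def sender_domains(raw):
    """Return (From domain, Return-Path domain, originating host)."""
    msg = email.message_from_string(raw)
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    received = msg.get_all("Received") or []
    # Received: lines are prepended hop by hop, so the last is the earliest hop.
    # Only lines stamped by your own servers are trustworthy (here: the gateway).
    hop = received[-1].split()[1].lower() if received else ""
    return from_dom, rp_dom, hop


def spoof_findings(raw):
    """List mismatches between the visible From: domain and envelope/path."""
    from_dom, rp_dom, hop = sender_domains(raw)
    same_org = lambda d: d == from_dom or d.endswith("." + from_dom)
    findings = []
    if rp_dom and not same_org(rp_dom):
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    if hop and not same_org(hop):
        findings.append(f"originating host {hop} is outside {from_dom}")
    return findings
```

Both checks rely on the Received: line written by your own gateway; lines added by earlier hops can be forged just as easily as From:.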

My source told me that a significant discussion going on within the U.S. Computer Emergency Readiness Team (US-CERT) suggests that this attack was leveled only at governments, and that a relatively large number of recipients were taken in by the ruse and infected their PCs. For example, the state government agency that my source works at has already confirmed “a couple hundred” infections at their site. US-CERT officials could not be immediately reached for comment, and the organization’s Web site currently does not feature any information about this attack.

The scam e-mails may seem legitimate because the name of the booby-trapped file mimics a legitimate 2020 Project report published by the NIC, which has a stated goal of providing US policymakers “with a view of how the world developments could evolve, identifying opportunities and potentially negative developments that might warrant policy action.”

Only 16 of the 39 anti-virus scanners used by Virustotal.com detect the file as malicious, and those that do mostly label it as a variant of the Zeus/Zbot Trojan, a program designed to steal passwords from infected systems and give attackers remote control over sickened PCs.

Another source who asked not to be named said the version of Zeus being distributed in the e-mails is rather dated, but that it includes a configuration utility that allows the malware to be updated with the capability to upload PDF files and other interesting information from infected PCs.

The Zeus Trojan is the primary tool that organized criminals have been using to steal banking information from countless small businesses, as well as dozens of state and local government organizations. In each attack, the thieves use the stolen credentials to siphon the victim organization’s bank accounts, and funnel the money through accomplices in the United States, who then wire the cash overseas to Ukraine and other Eastern European nations.

Earlier this week, the New York town of Poughkeepsie reported that thieves had broken into the town’s bank account and stolen $378,000 in municipality funds. Poughkeepsie officials said $95,000 was recovered from a Ukrainian bank.

67 thoughts on “Zeus Attack Spoofs NSA, Targets .gov and .mil”

  5. Craig Spiezle

    The Online Trust Alliance (OTA) has been raising concerns about this exposure for nearly a year. Last April we posted a failing report card for failing to protect their domains from such spoofing. https://otalliance.org/news/releases/OTA_414reportcard.html. We are encouraged by the recent willingness to proceed with best practices now adopted by many leading businesses. In April we will be updating this report to include the top 50 .gov and .mil sites as well as offering the targeted sites training to help implement industry standards.

  8. JAson

    Outlawing Windows from making operating systems would really, really help the situation out greatly. Sure, everyone would have to learn new stuff, but in the case of new and complex parental controls for TV, parents were willing to learn something new to make them feel safer or their kids safer, so why not extend that same logic to protecting oneself? Learn to use something new; the free model seems to be the one that is out to protect you, after all Microsoft collects tons of personal information for law enforcement use. Linux is a good start, a Linux kernel seems to be the right model, seems others try to copy the way it works anyway, but they just don't quite get it right.

    Windows may look pretty, but it sure don't run so pretty, and Ubuntu for one outdoes Windows when it comes to eye candy and usefulness. I'm not even commenting on Mac, because it's like back in the day when everyone realized AOL was a fake ISP; the Mac isn't a real PC, more like Nazi central with every Mac looking the same.

    So yeah, eliminate Windows and watch how fast the talk of virii and major sec issues drops. Maybe not all, but after all, I do think the Windows system is the gateway for the new attackware platform of Stuxnet, so to what end will Microsilly decide to do something serious about their issues? Will Windows be responsible for an accidental nuke launch?

  9. SpliFF

    I’ve run my primary PC on linux for 10+ years and in all that time not one break-in or malware infection despite having no firewall or antivirus software. I’ve even inserted infected USB sticks with autorun malware plainly visible on the drive. I’ve opened numerous suspicious PDFs in xpdf, visited known attack sites with Firefox and NoScript, I open Word docs with impunity via LibreOffice and connect regularly to infected networks.

    All my software and dependencies install and update automatically from trustworthy repositories. I’ve never paid a cent for any of my software because it’s all free. I’ve never been given a document I couldn’t open, a disk format I couldn’t read or a file server I couldn’t connect to.

    Why anybody would pay for commercial software like Windows, MacOSX or Office when those tools are so easily and commonly exploited is completely beyond me. I wouldn’t even accept those programs as gifts! Frankly users of Microsoft/Apple/Adobe software get exactly what they deserve when they bring me their toasted systems every six months and pay me $120/hr to recover what’s left of their system.

    Using the above mentioned software in a home environment is bad enough, but using them in a commercial environment is the height of stupidity. In a military, healthcare, financial or government institution it is entirely unforgivable! I would go so far as to call it an act of treason equivalent to arming a modern defence force with bolt action rifles. God help us all once this sort of software finds general use in automotives, military hardware and hazardous industries!

    You want to argue that hackers would exploit linux more often if we all used it? Sure they would – but since ignorance is such a universal property amongst computer users that isn’t likely to happen any time soon.