Criminals are spamming the Zeus banking Trojan in a convincing e-mail that spoofs the National Security Agency. Initial reports indicate that a large number of government systems may have been compromised by the attack.
According one state government security expert who received multiple copies of the message, the e-mail campaign — apparently designed to steal passwords from infected systems — was sent exclusively to government (.gov) and military (.mil) e-mail addresses.
The messages are spoofed so that they appear to have been sent by the National Intelligence Council (address used was nic@nsa.gov), which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence.
The e-mails urge recipients to download a copy of a report named “2020 Project.” Another variant is spoofed to make it look like the e-mail came from admin@intelink.gov. The true sender, as pulled from information in the e-mail header, is nobody@sh16.ruskyhost.ru
My source told me that a significant discussion going on within the U.S. Computer Emergency Readiness Team (US-CERT) suggests that this attack was leveled only at governments, and that a relatively large number of recipients were taken in by the ruse and infected their PCs. For example, the state government agency that my source works at has already confirmed “a couple hundred” infections at their site. US-CERT officials could not be immediately reached for comment, and the organization’s Web site currently does not feature any information about this attack.
The scam e-mails may seem legitimate because the name of the booby-trapped file mimics a legitimate 2020 Project report published by the NIC, which has a stated goal of providing US policymakers “with a view of how the world developments could evolve, identifying opportunities and potentially negative developments that might warrant policy action.”
Only 16 of the 39 anti-virus scanners used by Virustotal.com detect the file as malicious, and those that do mostly label it as a variant of the Zeus/Zbot Trojan, a program designed to steal passwords from infected systems and give attackers remote control over sickened PCs.
Another source who asked not to be named said the version of Zeus being distributed in the e-mails is rather dated, but that it includes a configuration utility that allows the malware to be updated with the capability to upload PDF files and other interesting information from infected PCs.
The Zeus Trojan is the primary tool that organized criminals have been using to steal banking information from countless small businesses, as well as dozens of state and local government organizations. In each attack, the thieves use the stolen credentials to siphon the victim organization’s bank accounts, and funnel the money through accomplices in the United States, who then wire the cash overseas to Ukraine and other Eastern European nations.
Earlier this week, the New York town of Poughkeepsie reported that thieves had broken into the town’s bank account and stolen $378,000 in municipality funds. Poughkeepsie officials said $95,000 was recovered from a Ukrainian bank.
