Your tax return appeal is rejected

After a few days away, Zeus is back in business and is being delivered to an inbox near you via emails spoofing communications from the IRS. An observed sample had the subject line “Your tax return appeal is rejected.”

Note that this spam template looks identical to a previous IRS spam run documented in our “Rejection of your tax appeal” post on 2012-02-23. The text in both spam messages is remarkably similar as well, indicating that the same botnet may have fired off both campaigns.

The observed sample had a link to belajaroption[.]net/pE5jXgA3/index.html. Note that the same 8-random-character directory pattern observed in our previous posts “Better Business Bureau complaint” and “Notification of securities investigation against your company” was also used in this URL. The page at belajaroption[.]net/pE5jXgA3/index.html contained the following JavaScript redirectors:


These scripts redirected to two different Blackhole Exploit Kit instances at lazysix[.]com/search.php?page=73a07bcb51f4be71 and pollypeach[.]com/search.php?page=73a07bcb51f4be71. We weren't able to get to pollypeach[.]com before the domain was taken down, but we did manage to grab the malicious payload dropped by the exploit kit at lazysix[.]com. Vulnerable victims directed to lazysix[.]com downloaded a Gameover Zeus variant from lazysix[.]com/d.php?f=e4649&e=1. This variant had the following properties:
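The chain above (8-character landing directory, Blackhole search.php?page= redirect, d.php payload download) is regular enough to hunt for in proxy logs. The following is an added example, not code from the original post: it matches the three URL shapes and the domains named here against constructed sample log lines, and flags clients that reached both an exploit-kit page and a payload URL. The log format and the example.org/example.net/cdn.example.com hosts are assumptions.

```python
import re

# Indicators quoted in the post (defanged there); refanged here for matching.
KNOWN_DOMAINS = {d.replace("[.]", ".") for d in (
    "belajaroption[.]net", "lazysix[.]com", "pollypeach[.]com")}

# Structural patterns generalised from the URLs in the post: the 8-character
# landing directory, Blackhole's search.php?page=<16 hex>, and d.php?f=..&e=..
PATTERNS = (
    ("landing-pattern", re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")),
    ("blackhole-pattern", re.compile(r"^/search\.php\?page=[0-9a-f]{16}$")),
    ("payload-pattern", re.compile(r"^/d\.php\?f=[0-9a-f]+&e=\d+$")),
)

# Constructed proxy log (not from the post): timestamp client host path
SAMPLE_LOG = """\
2012-03-02T08:01:12Z 10.0.0.15 belajaroption.net /pE5jXgA3/index.html
2012-03-02T08:01:13Z 10.0.0.15 lazysix.com /search.php?page=73a07bcb51f4be71
2012-03-02T08:01:19Z 10.0.0.15 lazysix.com /d.php?f=e4649&e=1
2012-03-02T08:02:44Z 10.0.0.22 example.org /about/index.html
2012-03-02T08:03:01Z 10.0.0.31 example.net /search.php?page=1
2012-03-02T08:05:09Z 10.0.0.15 cdn.example.com /Ab3dEf9h/index.html
"""

def classify(host, path):
    """Return the reasons a request resembles this campaign's chain."""
    reasons = ["known-domain"] if host in KNOWN_DOMAINS else []
    reasons += [label for label, rx in PATTERNS if rx.match(path)]
    return reasons

def scan_log(text):
    """Return one hit dict per log line that matches an indicator or pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip malformed lines
            continue
        _, client, host, path = fields
        reasons = classify(host, path)
        if reasons:
            hits.append({"client": client, "host": host, "path": path, "reasons": reasons})
    return hits

def likely_infected(hits):
    """Clients seen reaching both an exploit-kit page and a payload URL."""
    stages = {}
    for h in hits:
        stages.setdefault(h["client"], set()).update(h["reasons"])
    return {c for c, s in stages.items()
            if {"blackhole-pattern", "payload-pattern"} <= s}
```

A landing-pattern hit on an unknown host (the last sample line) is only a lead; the exploit-kit plus payload combination on one client is the strong signal.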

File: readme.exe
Size: 305226
MD5: 36C9FBD3A1CF05A02DAA0AA50BC1186A

This Gameover Zeus variant sent stolen data to the following dropzones via POST requests:

  • over port 12584
  • over port 26623

It's interesting to note that the IP is also a node in a Cutwail botnet. As documented in a handful of previous posts like “Fwd: Re: Security update for banking accounts”, Cutwail spam bots are responsible for spewing many of the spam samples delivering both Zeus and Bugat/Feodo.

The Gameover Zeus variant dropped in this current campaign had a botid of “mmx28”. This botid is very similar to the botid of “mmx22” seen in our previous post “Better Business Bureau complaint.” The numbers appended to the “mmx” string are equivalent to the date on which the variants are distributed.


  1. K Hammond
    Posted March 2, 2012 at 3:30 am

    What can I do to cause the sender maximum brain damage?

  2. Posted March 2, 2012 at 1:42 pm

    My best advice would be to delete the spam and carry on with your day.
