Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.


ISSUE NO. 55
JANUARY 18, 2010

IRS Spam Conceals Backdoor Component
The new tax season has officially begun and spam runs are not far behind. As if keeping tabs on one's finances were not already a challenge, cybercriminals are making things more difficult. In what has become a tax tradition of sorts, spammed messages purporting to be from the Internal Revenue Service (IRS) are making the inbox rounds yet again. The latest spam attack lives up to the tradition with its timely release and typical email content. Unfortunately, it employs more than the usual phishing tactics: the first IRS-related attack of the year lets cybercriminals in through the back door.

The Threat Defined
At first glance, the spammed message that Trend Micro analysts found appears rather ordinary. Purportedly from the IRS, it bears the subject "W-2 Form update." The W-2 form, which states an employee's annual wages and the tax withheld, has supposedly undergone "important changes" that require the said update. The message body encourages users to open the attachment and includes legitimate URLs and phone numbers that lend credibility to its claim.

The email body in itself is harmless enough, unlike previous spam runs that included malicious URLs. The real danger lies within the attached .RTF file (Update.doc), which is supposed to be the W-2 form. After opening the .RTF document, users will see what appears to be an embedded .PDF file. In truth, however, the "PDF file" is a malicious .EXE file that uses the PDF icon.

Figure 1. Screenshot of spammed message
By simply changing the extension of the malicious file (C_server.exe) to .PDF and the displayed file name to W-2, cybercriminals have set up a rather deceitful attack. When opening the supposed .PDF file, users first receive a prompt asking whether they want to open the embedded object. Clicking Yes brings up another message, which reveals the true nature of the concealed .EXE file. This should lift the veil of deceit for perceptive users, as the second prompt clearly indicates the name of the .EXE file. However, where users run the application anyway, the affected system becomes susceptible to a backdoor attack.

Figure 2. BKDR_POISON.AEL infection diagram

The .RTF file is detected by Trend Micro as BKDR_POISON.BQA. Upon execution, the backdoor component of the Darkmoon Remote Administration Tool (RAT) opens a hidden Web browser that attempts to connect to a remote server. However, BKDR_POISON.BQA only connects to an internal IP address as of this writing.
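The deception described above lives in the RTF's embedded OLE "Package" object: the label the document shows ("W-2") is a separate field from the source path that names the real file (C_server.exe), and the payload bytes follow both. The script below is an added example, my own code and not part of this spotlight or of any Trend Micro product. It builds a constructed RTF carrying a Package object labelled "W-2" that wraps a fake MZ/PE stub standing in for C_server.exe (not the real malware), then parses every `\objdata` stream to recover the displayed label, the true file name and whether the payload is an executable, and flags the mismatch. The field layout of the OLE 1.0 object header and of the Packager stream is as I understand it from public parsers such as oletools; the file paths, the sample RTF text and the payload bytes are constructed for the demo, and the PDF icon swap is not modelled.

```python
"""Spot OLE Package objects in RTF whose displayed label hides an executable payload."""
import re
import struct
import sys

OLE1_EMBEDDED = 0x00000002          # FormatID of an embedded (not linked) OLE 1.0 object
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def _lp_ansi(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: 4-byte length (incl. NUL) then NUL-terminated bytes; empty -> 0."""
    return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)


def build_package_objdata(label: bytes, src_path: bytes, temp_path: bytes, payload: bytes) -> bytes:
    """Construct the bytes RTF stores hex-encoded in \\objdata for an embedded 'Package' object.
    Assumed layout: OLE 1.0 ObjectHeader (version, FormatID, class, topic, item, size), then the
    Packager stream (flags 0x0002, label, source path, type 3 = file, temp path, size, data)."""
    native = (struct.pack("<H", 2) + label + b"\x00" + src_path + b"\x00"
              + struct.pack("<II", 3, len(temp_path) + 1) + temp_path + b"\x00"
              + struct.pack("<I", len(payload)) + payload)
    header = (struct.pack("<II", 0x00000501, OLE1_EMBEDDED)
              + _lp_ansi(b"Package") + _lp_ansi(b"") + _lp_ansi(b""))
    return header + struct.pack("<I", len(native)) + native


def _read_cstr(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end], end + 1


def _read_lp(buf: bytes, off: int):
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n].rstrip(b"\x00"), off + 4 + n


def parse_objdata(blob: bytes) -> dict:
    """Parse one OLE 1.0 object; for a Package, recover what the user sees versus what would run."""
    _version, fmt = struct.unpack_from("<II", blob, 0)
    class_name, off = _read_lp(blob, 8)
    _topic, off = _read_lp(blob, off)
    _item, off = _read_lp(blob, off)
    (size,) = struct.unpack_from("<I", blob, off)
    native = blob[off + 4:off + 4 + size]
    info = {"format_id": fmt, "class_name": class_name.decode("latin-1")}
    if fmt != OLE1_EMBEDDED or class_name != b"Package":
        return info
    label, pos = _read_cstr(native, 2)            # skip the 0x0002 flags word
    src_path, pos = _read_cstr(native, pos)
    ptype, tlen = struct.unpack_from("<II", native, pos)
    pos += 8
    temp_path = native[pos:pos + tlen].rstrip(b"\x00")
    pos += tlen
    (dsize,) = struct.unpack_from("<I", native, pos)
    data = native[pos + 4:pos + 4 + dsize]
    info.update(label=label.decode("latin-1"),
                true_name=src_path.rsplit(b"\\", 1)[-1].decode("latin-1"),
                temp_path=temp_path.decode("latin-1"), package_type=ptype,
                payload_size=dsize, is_pe=data[:2] == b"MZ")
    return info


def extract_objdata(rtf: bytes):
    """Yield each \\objdata payload in an RTF document, hex-decoded (whitespace in the hex is allowed)."""
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if hexdata and len(hexdata) % 2 == 0:
            yield bytes.fromhex(hexdata.decode("ascii"))


def suspicious_packages(rtf: bytes) -> list:
    """One finding per Package object that carries a PE or whose label does not show the .exe name."""
    findings = []
    for blob in extract_objdata(rtf):
        info = parse_objdata(blob)
        if info.get("class_name") != "Package":
            continue
        reasons = []
        if info["is_pe"]:
            reasons.append("payload starts with an MZ header (PE executable)")
        if info["true_name"].lower().endswith(".exe") and not info["label"].lower().endswith(".exe"):
            reasons.append("label %r hides executable %r" % (info["label"], info["true_name"]))
        if reasons:
            findings.append(dict(info, reasons=reasons))
    return findings


# Constructed sample: a fake MZ/PE stub stands in for C_server.exe; it is not the real malware.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 20
SAMPLE_OBJ = build_package_objdata(b"W-2", b"C:\\Update\\C_server.exe",
                                   b"C:\\Temp\\C_server.exe", FAKE_PAYLOAD)
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\pard Please open the attached W-2 form.\\par\n"
              b"{\\object\\objemb\\objw1440\\objh1440{\\*\\objclass Package}{\\*\\objdata "
              + SAMPLE_OBJ.hex().encode("ascii") + b"}}\n}")

if __name__ == "__main__":
    doc = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    for f in suspicious_packages(doc):
        print("label=%(label)r true_name=%(true_name)r size=%(payload_size)d is_pe=%(is_pe)s" % f)
        for r in f["reasons"]:
            print("  -", r)
```

Run with a file argument to scan a real RTF attachment, or with none to scan the constructed sample. The check is deliberately on the bytes a user never sees: the Packager label is free text chosen by the attacker, so a mail gateway or sandbox should compare it against the source-path file name and the payload's first bytes rather than trust the label or the icon.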




1 of 2 – WEB THREAT SPOTLIGHT
Trend Micro analysts found another sample of the spammed IRS message, which appears to be another version of
the previous sample. Detected as BKDR_POISON.AEL, the malicious .EXE file concealed in the .RTF attachment
successfully connects to a remote server and grants access to the affected system. Establishing a connection
allows a cybercriminal to perform any of the following backdoor routines:
• Capture screenshots, webcam transmissions, and audio clips
• Delete or search for and upload files
• Log keystrokes and active windows
• Modify and search for registry entries
• Perform a shell command
• Send system information (IP address, computer name, user name, OS)
• Update/Uninstall malware
• View and terminate active windows and ports

User Risks and Exposure
As previously mentioned, timing is an important factor for IRS-related spam. These messages usually appear when an important IRS deadline is near. The latest attack is no exception, with February 1 just weeks away. A notable difference, however, is that past IRS-related spam attacks have generally been phishing related in nature: they used anything from bogus forms and fake websites to ZBOT variants to steal personally identifiable information. The data stealing likewise focused on selected information such as bank account and credit card credentials, which cybercriminals turn into profit. The new attack is different in that it not only facilitates information theft but also leaves the affected system open to whatever commands a remote attacker chooses to issue.

While there has been a previous IRS-related attack that delivered a backdoor, the BKDR_POISON malware family has lately been seen more commonly in vulnerability exploit attacks. Examples include TROJ_PIDIEF.WIA and TROJ_PIDIEF.ABA, malicious PDF files that both drop BKDR_POISON variants.

The pairing of IRS spam with BKDR_POISON is therefore not a familiar scenario. This could signal a tactical change not just for IRS-related spam but for spammed messages in general. Users need to be more vigilant in filtering their email messages, especially if they are using unprotected systems.

Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional
approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network combines unique
in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and
automatically protect your information wherever you connect.
In this attack, Smart Protection Network’s email reputation service blocks all emails related to this spam run. File
reputation service detects and prevents the download of malicious files detected as BKDR_POISON.BQA and
BKDR_POISON.AEL. Web reputation service prevents access to the malicious remote server.

The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/bogus-irs-w-2-form-leads-to-malware/

The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_POISON.BQA
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_POISON.AEL
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.WIA
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.ABA

Other related posts are found here:
http://blog.trendmicro.com/phishers-hit-multiple-banks-with-one-stone/
http://blog.trendmicro.com/tax-season-is-phishing-season/
http://blog.trendmicro.com/fake-form-w-8ben-used-in-irs-tax-scams/
http://blog.trendmicro.com/social-engineering-watch-another-irs-scam/