Jul 28, 2011 12:43 GMT

Security researchers from Trend Micro warn that a wave of fake IRS emails directs recipients to a new variant of LICAT, a file-infecting virus.

LICAT is a piece of malware associated with the ZeuS banking trojan that first appeared back in October 2010. Malware analysts believe that LICAT is intended as a distribution and update mechanism for ZeuS.

The virus appends its rogue code to legitimate EXE, DLL and HTML files. Each time an infected file is executed, it generates a list of URLs according to a predefined algorithm similar to the one used by Conficker.

The ZeuS trojan normally updates itself from a list of predefined command and control servers. Losing control of these domain names usually means losing control of the entire botnet.

LICAT adds a redundancy mechanism. It tries to access all of the generated URLs and downloads a new ZeuS version if it finds one.

If they lose control of their C&C domains, the attackers can register in advance a domain they know LICAT will generate and upload their new version there. Then all they have to do is wait.
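The property described above, a URL list derived from a predefined algorithm so that anyone who knows it can predict the names ahead of time, cuts both ways: a defender who has recovered the algorithm from a sample can pre-compute the same list to block or sinkhole the domains and flag hosts that query them. The following is an added example, not Trend Micro's code and not LICAT's real algorithm; the toy date-seeded generator, the seed constant and the DNS log lines are all constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy DGA; NOT LICAT's actual algorithm. As in the scheme the
# article describes, the output depends only on the calendar date and a fixed
# seed, so whoever holds the algorithm can compute tomorrow's list today.
TLDS = ("com", "net", "org", "info", "biz")
SEED = 0x1CA7  # hypothetical constant baked into the "binary"


def generate_domains(day: date, count: int = 8, seed: int = SEED) -> list[str]:
    """Return the deterministic candidate domain list for a given day."""
    domains = []
    for index in range(count):
        material = f"{seed:x}|{day.isoformat()}|{index}".encode()
        digest = hashlib.sha256(material).digest()
        # 12 lowercase letters form the label; one more byte selects the TLD
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def flag_dga_queries(log_lines: list[str], day: date, window: int = 1) -> list[tuple[str, str]]:
    """Match DNS query log lines against the lists for 'day' and +/- 'window'
    days; infected hosts with skewed clocks make a single-day match brittle."""
    watch = set()
    for offset in range(-window, window + 1):
        watch.update(generate_domains(day + timedelta(days=offset)))
    hits = []
    for line in log_lines:
        # BIND-style query log: "... query: <name> IN <type> ..."
        fields = line.split()
        if "query:" in fields:
            name = fields[fields.index("query:") + 1].lower().rstrip(".")
            if name in watch:
                hits.append((line, name))
    return hits


DAY = date(2011, 7, 28)
# Constructed log lines: one query to a predicted domain among benign traffic.
SAMPLE_LOG = [
    "client 10.0.0.5#53211: query: www.example.com IN A +",
    f"client 10.0.0.7#40012: query: {generate_domains(DAY)[0]} IN A +",
    "client 10.0.0.9#51000: query: mail.example.org IN MX +",
]

if __name__ == "__main__":
    for line, name in flag_dga_queries(SAMPLE_LOG, DAY):
        print(f"predicted DGA domain queried: {name}  <- {line}")
```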

The rogue emails detected by Trend Micro purport to come from "Payment IRS.gov" and bear a subject of "Internal Revenue Service United States Department of the Treasury."

The message in the email body claims the recipient is guilty of tax fraud and instructs them to inspect their tax statement on the IRS website by clicking on a link. Clicking on the link prompts them to download the new LICAT variant, detected by Trend Micro products as TSPY_ZBOT.WHZ.

Trend Micro malware experts believe that LICAT is the creation of a single gang of fraudsters with access to the ZeuS trojan source code. "Uploaded LICAT-related binaries on ZeuS Tracker suggest that Licat variants are indeed coming from a specific criminal cybergang. Most samples appear to have similar resources (file version information)," says Trend Micro engineer Jasper Manuel.