McAfee Labs

Zeus and SpyEye: Old Dogs

Repeat Old Tricks

By on Feb 15, 2011

There is a lot of buzz in the security community lately about the merger of two widespread password-stealing malware families, Zbot (maker of Zeus) and SpyEye.

Some reports says that the Zbot source code was given to the SpyEye crew. Others say that Zeus was sold, and some even say that nothing really happened–this was only a deceptive tactic from the Zeus author to try to stay under the radar due recent takedowns on its “customers.”

Whatever the case, there’s one thing I can say for sure: Both crews are quite active.
As tax time in the United States arrives, it offers a huge opportunity for malware to take advantage of social-engineering tactics.

Today I examined two samples related to U.S. Internal Revenue Service social-engineering tactics. I tempted to think that Zeus and SpyEye are sharing the same marketing team due the timing. 🙂

Here are some examples of the messages in the mail:

    Urgent Report!

    Your Federal Tax Payment ID: 0010323734 has been rejected.
    Return Reason Code R21 – The identification number used in the Company Identification Field is not valid. Please, check the attached information and refer to Code R21 to get details about your company payment in transaction contacts section:

    EFTPS: The Electronic Federal Tax Payment System

    PLEASE NOTE: Your tax payment is due regardless of EFTPS online availability. In case of an emergency, you can always make your tax payment by calling the EFTPS.

    IRS Notification.


    After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $468.32.

    Please submit the tax refund request and allow us 6-9 days in order to process it.

    A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

    To access the form for your tax refund, please click here

    Internal Revenue Service

One of them even uses a fake Avira AV Digital Signature, supposedly issued by Verisign:

Fake Digital Signature

Another SpyEye spam is making the rounds while targeting Nike customers. This one repeats a common Bredolab and Zeus tactic of using an invoice attachment for some random purchase from the online store.

An excerpt of the email:

    Dear Customer,

    Good news! We have received your payment and your order will be processed EO202608527. Invoice (Details attached)

    If you ordered a product and a product custom NIKEiD, you will receive several bills:

    – The first invoice that you receive includes all products
    – You Will Receive your NIKEiD invoice (s) shortly personalized NIKEiD Before the Product is Delivered To The Address That You Provided When Placing your order.
    – You should receive an invoice for each product that you ordered NIKEiD.

You may call this a typical seasonal malware tactic, or just coincidence. But I think that old dogs never learn new tricks. 🙂