Security firms battle world's biggest spam campaign

Computer users in the US are finding there's someone to fear even more than the tax man. They're being spammed by criminal gangs, preying on users' fears of the tax authorities, leading them to install malicious software. Security researchers estimate that the campaign has already enriched criminals by millions of dollars.

The spam campaign, entering its third week now, is showing no signs of slowing down, according to Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham. This one campaign accounts for about 10 percent of the spam email that his group is presently tracking, he said. "This is the most prominent spam-delivered virus in the world right now," he said.

Since first spotting the spam on 9 September, anti-spam vendor Cloudmark has counted 11 million messages sent to the company's nearly 2 million desktop customers, said Jamie Tomasello, abuse operations manager with Cloudmark. That number is "very high," she noted.

The messages typically have a subject line that reads, "Notice of Underreported Income," and they encourage victims to either install the Trojan attachment or click on a web link in order to view their "tax statement." In fact, that link takes the victim to a malicious website.

US tax agency the IRS has said that users should not open attachments or click on links included in email that claims to come from the tax-collection agency.

What makes this campaign particularly ugly is that the malware that accompanies the fake IRS messages is a variant of the hard-to-detect Zeus Trojan. This software hacks into bank accounts and drains them of money as part of a widespread financial fraud scheme. Researchers estimate that the Zeus criminals are emptying more than a million dollars per day out of victims' bank accounts with the software. Small businesses have been particularly hard-hit by this fraud, because banks have sometimes held them accountable for the losses.

Testing a recent variant of Zeus on the VirusTotal website, Warner found that only five of the 41 anti-virus detection systems used by VirusTotal managed to spot it.

Although anti-virus vendors have other techniques for blocking the malware - they can stop people from visiting the malicious websites, for example - the spam is giving the companies a run for their money.

"It's difficult to stay ahead of it via anti-virus because the Zeus binaries are changing a few times a day to evade detection," said Paul Ferguson, a researcher with Trend Micro, via instant message. "It's definitely a problem."