The spam campaign, entering its third week now, is showing no signs of slowing down, according to Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham. This one campaign accounts for about 10 percent of the spam e-mail that his group is presently tracking, he said. "This is the most prominent spam-delivered virus in the world right now," he said.
Since first spotting the spam on Sept. 9, antispam vendor Cloudmark has counted 11 million messages sent to the company's nearly 2 million desktop customers, said Jamie Tomasello, abuse operations manager with Cloudmark. That number is "very high," she noted.
The messages typically have a subject line that reads, "Notice of Underreported Income," and they encourage victims to either install the Trojan attachment or click on a Web link in order to view their "tax statement." In fact, that link takes the victim to a malicious Web site.
The IRS says not to open attachments or click on links included in e-mail that claims to come from the tax-collection agency.
What makes this campaign particularly ugly is that the malware that accompanies the fake IRS messages is a variant of the hard-to-detect Zeus Trojan. This software hacks into bank accounts and drains them of money as part of a widespread financial fraud scheme. Researchers estimate that the Zeus criminals are emptying more than a million dollars per day out of victims' bank accounts with the software. Small businesses have been particularly hard-hit by this fraud, because banks have sometimes held them accountable for the losses.
Testing a recent variant of Zeus on the VirusTotal Web site, Warner found that only five of the 41 antivirus detection systems used by VirusTotal managed to spot it.
Although antivirus vendors have other techniques for blocking the malware -- they can stop people from visiting the malicious Web sites, for example -- the spam is giving the companies a run for their money.
"It's difficult to stay ahead of it via antivirus because the Zeus binaries are changing a few times a day to evade detection," said Paul Ferguson, a researcher with Trend Micro, via instant message. "It's definitely a problem."