Fake US-CERT Emails Contain Banking Virus Traced to Russia

A variant of the notorious Zeus virus has been circulating the offices of government agencies through an email from hackers who are aping the sender address @US-CERT.GOV, the true U.S. Computer Emergency Readiness Team disclosed Wednesday evening. Researchers outside of US-CERT traced the malicious software to a botnet -- a remotely-controlled network of infected computers -- that is taking commands from computers located in Russia.

Reports of spoofed US-CERT emails with attachments labeled "US-CERT Operation Center Report XXXXXXX.zip" began filing in on Tuesday, officials announced at the time, but they did not identify the threat until Wednesday. The Zeus offshoot "Ice-IX," like its parent worm, steals banking credentials and other personal information by logging keystrokes. But it also supposedly can sidestep firewalls and other protective mechanisms.

The emails are going out to federal, state and local government personnel, as well as private sector employees, according to US-CERT. The messages carry the subject line: "Phishing incident report call number: PH000000XXXXXXX," with the "X" containing an incident report number that varies.

"Details of the malware were obtained via third party reporting" that indicate the hosting system is "infrastructure known as the Avalanche bot-net, with callback to domains located in Russia," states an official US-CERT alert.

The programming code for Zeus was publicly released last year.

This incident represents one of many phishing schemes that routinely bait computer users worldwide with compelling messages that turn out to be fraudulent. What distinguishes this new campaign is its purported sender -- a Homeland Security Department agency that is perhaps the most trusted first responder at the cybercrime scene.

US-CERT "became aware yesterday morning of spoofed emails that falsely claim to be from US-CERT," DHS spokesman Chris Ortman said Wednesday morning. "US-CERT is currently conducting analysis and gathering information, and has notified government agencies and federal cyber centers concerning this issue."

Email traffic and phone calls to US-CERT have spiked in response to the phony message, but the influx of inquiries has not significantly disrupted agency operations, DHS officials said.