SecurID users targeted by fake NSA email

RSA’s SecurID token users have recently been targeted with fake emails supposedly coming from the US National Security Agency urging them to update their token code (click on the screenshot to enlarge it):

The address from which the emails are sent has been spoofed and says “protection@nsa.security.gov”, but the offered malicious links take the victim to the national-security-agency.com domain, which according to Cyveillance, has been registered only the day before the spam run was started.

“A critical vulnerability has been discovered in a certain types of our token devices,” warns the email, counting on the fact that the user is already aware of the RSA hack executed earlier this year and its implications for the security of the company’s SecurID tokens.

The authors of the email also appropriated NSA and CSS logo in order to give an appearance of legitimacy to the warning. Fortunately, they didn’t pay a lot of attention to the construction of the text itself and a couple of spelling mistakes can be easily spotted by alert users.

Cyveillance doesn’t say explicitly what the “security token update” offered for download is, but it is likely to be a malicious executable.

UPDATE: Appriver’s Troy Gill says that the malware in question is a variant of the Zeus Trojan:

Once executed the malware copies itself into the %system% directory and deletes the originally executed file blocked_list(dot)EXE, it then begins to inject itself into the processes winlogon.exe and explorer.exe in an attempt to remain hidden.

After making precautions that it can not easily be removed, it begins making DNS queries for pseudo random domain names utilizing the TLDs .info, .biz, .org, and .net. These domain names are 15 to 16 characters in length and each one seems to be tried 4 times before the algorithm chooses a new one and moves on. This will continue until the infected machine makes a successful match with its controller who utilizes the same algorithm.

The botnet controller will pick a couple of these domains to register, changing them from day to day. These are then used as temporary control servers from which to issue commands and push down further malware, such as keyloggers, to the infected PCs.