Attacks/Breaches
11/5/2008
03:56 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

'Obama Trojan' Rides Coattails of President-Elect

Spam email promises video of 'amazing speech,' but instead delivers information-stealing malware

Barack Obama's victory in yesterday's U.S. presidential election is turning out to be bad news for hundreds of thousands of users whose computers are being infected by malware that bears his name.

Several security tool vendors -- including Cloudmark, Sophos, and Websense -- today are reporting massive amounts of spam messages that promise video clips of an "amazing" Obama speech, election news results, or interviews with Obama's advisers. These messages are carriers of malware that can compromise users' PC, researchers say. The three vendors offered differing descriptions of the attack, which suggests it may be working under different disguises. But screen shots provided by both Cloudmark and Sophos contained identical photos and text, indicating that much of the traffic is being generated by a single exploit.

Cloudmark reports that it has filtered out more than 10 million copies of the "Obama-Trojan" since 10:24 EST this morning. The email entices recipients to open a link to a Website containing an "amazing speech," but the sites themselves are located as far away as Slovenia. The site claims to offer an updated version of Adobe Flash, which automatically starts to download and contains the Trojan payload. Users who actually open the executable will unwittingly receive the "Obama-Trojan," also known as Possible_Crypt or Mal/Emogen-N, Cloudmark warns.

In a blog about the Obama malware, Sophos researcher Graham Cluley says the spam attack, which purports to be from the "American Government Official Website," promises election news results.

"The emails, which have subject lines such as 'Obama win preferred in world poll' and claim to come from news@president.com, have accounted for approximately 60% of all malicious spam seen by SophosLabs in the last hour," Cluley said in his blog this morning.

Clicking on the news link leads the user to a page identical to the one described by Cloudmark, and initiates an automatic download of a Trojan masked as a version of Adobe Flash version 9. The Trojan, which Sophos calls Mal/Behav-027, could compromise users' data and lead to identity theft, Cluley warns.

Websense is also warning users of an Obama-disguised attack, but according to its report, some of the email lures promise a video interview with Obama's advisers, while others promise the "amazing speech."

"The email actually contains links to a file called 'BarackObama.exe' hosted on a compromised site," a Websense spokesman said. "The file is a Trojan downloader, which upon execution drops files into the system directory and unpacks a phishing kit, compromising all data on the victim's PC. Major antivirus vendors are not detecting this threat."

In some variations of the email attack, cybercriminals are using well-known publishing names such as Time Magazine and La Republica (Peru) in the email subject line to encourage users to click on the links, Websense says. "We are seeing many variations of this attack, and the numbers of emails are growing by the thousands by the hour," said Dan Hubbard, CTO at Websense.

Some of the email attacks contain links to a file called "BarackObama.exe," which is hosted on a compromised travel site, Websense says. The file is an information-stealing Trojan Horse downloader. Upon execution, files called "system.exe" and "firewall.exe" are dropped into the victims' system directory, and a phishing kit is unpacked locally, dropping files bound to startup. The "hosts" file is also modified.

In another variation, victims who click on the link go to a purposely registered domain that advises them to install the latest version of the Adobe Flash player before the video can be viewed. The malicious Website actually links to a file called "adobe_flash.exe," which is really a Trojan Horse packed with ASPack. "Upon execution, a rootkit is installed on the compromised machine, and the victim's data is sent to multiple command and control servers," Websense says.

All three vendors acknowledged there is nothing novel about attacks that play on users' interest in the presidential elections. "While it hardly surprises security specialists that a new wave of infectious emails are swamping mailboxes everywhere, the depth, duration, and lack of dignity [of this particular attack] does," Cloudmark wrote.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6212
Published: 2014-04-19
Unspecified vulnerability in HP Database and Middleware Automation 10.0, 10.01, 10.10, and 10.20 before 10.20.100 allows remote authenticated users to obtain sensitive information via unknown vectors.

CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2013-6215
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 10.01 and 10.10 allows remote authenticated users to execute arbitrary code via unknown vectors, aka ZDI-CAN-1977.

CVE-2013-6218
Published: 2014-04-19
Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors.

Best of the Web