Attacks/Breaches
11/5/2008
03:56 PM
50%
50%

'Obama Trojan' Rides Coattails of President-Elect

Spam email promises video of 'amazing speech,' but instead delivers information-stealing malware

Barack Obama's victory in yesterday's U.S. presidential election is turning out to be bad news for hundreds of thousands of users whose computers are being infected by malware that bears his name.

Several security tool vendors -- including Cloudmark, Sophos, and Websense -- today are reporting massive amounts of spam messages that promise video clips of an "amazing" Obama speech, election news results, or interviews with Obama's advisers. These messages are carriers of malware that can compromise users' PC, researchers say. The three vendors offered differing descriptions of the attack, which suggests it may be working under different disguises. But screen shots provided by both Cloudmark and Sophos contained identical photos and text, indicating that much of the traffic is being generated by a single exploit.

Cloudmark reports that it has filtered out more than 10 million copies of the "Obama-Trojan" since 10:24 EST this morning. The email entices recipients to open a link to a Website containing an "amazing speech," but the sites themselves are located as far away as Slovenia. The site claims to offer an updated version of Adobe Flash, which automatically starts to download and contains the Trojan payload. Users who actually open the executable will unwittingly receive the "Obama-Trojan," also known as Possible_Crypt or Mal/Emogen-N, Cloudmark warns.

In a blog about the Obama malware, Sophos researcher Graham Cluley says the spam attack, which purports to be from the "American Government Official Website," promises election news results.

"The emails, which have subject lines such as 'Obama win preferred in world poll' and claim to come from news@president.com, have accounted for approximately 60% of all malicious spam seen by SophosLabs in the last hour," Cluley said in his blog this morning.

Clicking on the news link leads the user to a page identical to the one described by Cloudmark, and initiates an automatic download of a Trojan masked as a version of Adobe Flash version 9. The Trojan, which Sophos calls Mal/Behav-027, could compromise users' data and lead to identity theft, Cluley warns.

Websense is also warning users of an Obama-disguised attack, but according to its report, some of the email lures promise a video interview with Obama's advisers, while others promise the "amazing speech."

"The email actually contains links to a file called 'BarackObama.exe' hosted on a compromised site," a Websense spokesman said. "The file is a Trojan downloader, which upon execution drops files into the system directory and unpacks a phishing kit, compromising all data on the victim's PC. Major antivirus vendors are not detecting this threat."

In some variations of the email attack, cybercriminals are using well-known publishing names such as Time Magazine and La Republica (Peru) in the email subject line to encourage users to click on the links, Websense says. "We are seeing many variations of this attack, and the numbers of emails are growing by the thousands by the hour," said Dan Hubbard, CTO at Websense.

Some of the email attacks contain links to a file called "BarackObama.exe," which is hosted on a compromised travel site, Websense says. The file is an information-stealing Trojan Horse downloader. Upon execution, files called "system.exe" and "firewall.exe" are dropped into the victims' system directory, and a phishing kit is unpacked locally, dropping files bound to startup. The "hosts" file is also modified.

In another variation, victims who click on the link go to a purposely registered domain that advises them to install the latest version of the Adobe Flash player before the video can be viewed. The malicious Website actually links to a file called "adobe_flash.exe," which is really a Trojan Horse packed with ASPack. "Upon execution, a rootkit is installed on the compromised machine, and the victim's data is sent to multiple command and control servers," Websense says.

All three vendors acknowledged there is nothing novel about attacks that play on users' interest in the presidential elections. "While it hardly surprises security specialists that a new wave of infectious emails are swamping mailboxes everywhere, the depth, duration, and lack of dignity [of this particular attack] does," Cloudmark wrote.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.