Attacks/Breaches
11/5/2008
03:56 PM
Connect Directly
RSS
E-Mail
50%
50%

'Obama Trojan' Rides Coattails of President-Elect

Spam email promises video of 'amazing speech,' but instead delivers information-stealing malware

Barack Obama's victory in yesterday's U.S. presidential election is turning out to be bad news for hundreds of thousands of users whose computers are being infected by malware that bears his name.

Several security tool vendors -- including Cloudmark, Sophos, and Websense -- today are reporting massive amounts of spam messages that promise video clips of an "amazing" Obama speech, election news results, or interviews with Obama's advisers. These messages are carriers of malware that can compromise users' PC, researchers say. The three vendors offered differing descriptions of the attack, which suggests it may be working under different disguises. But screen shots provided by both Cloudmark and Sophos contained identical photos and text, indicating that much of the traffic is being generated by a single exploit.

Cloudmark reports that it has filtered out more than 10 million copies of the "Obama-Trojan" since 10:24 EST this morning. The email entices recipients to open a link to a Website containing an "amazing speech," but the sites themselves are located as far away as Slovenia. The site claims to offer an updated version of Adobe Flash, which automatically starts to download and contains the Trojan payload. Users who actually open the executable will unwittingly receive the "Obama-Trojan," also known as Possible_Crypt or Mal/Emogen-N, Cloudmark warns.

In a blog about the Obama malware, Sophos researcher Graham Cluley says the spam attack, which purports to be from the "American Government Official Website," promises election news results.

"The emails, which have subject lines such as 'Obama win preferred in world poll' and claim to come from news@president.com, have accounted for approximately 60% of all malicious spam seen by SophosLabs in the last hour," Cluley said in his blog this morning.

Clicking on the news link leads the user to a page identical to the one described by Cloudmark, and initiates an automatic download of a Trojan masked as a version of Adobe Flash version 9. The Trojan, which Sophos calls Mal/Behav-027, could compromise users' data and lead to identity theft, Cluley warns.

Websense is also warning users of an Obama-disguised attack, but according to its report, some of the email lures promise a video interview with Obama's advisers, while others promise the "amazing speech."

"The email actually contains links to a file called 'BarackObama.exe' hosted on a compromised site," a Websense spokesman said. "The file is a Trojan downloader, which upon execution drops files into the system directory and unpacks a phishing kit, compromising all data on the victim's PC. Major antivirus vendors are not detecting this threat."

In some variations of the email attack, cybercriminals are using well-known publishing names such as Time Magazine and La Republica (Peru) in the email subject line to encourage users to click on the links, Websense says. "We are seeing many variations of this attack, and the numbers of emails are growing by the thousands by the hour," said Dan Hubbard, CTO at Websense.

Some of the email attacks contain links to a file called "BarackObama.exe," which is hosted on a compromised travel site, Websense says. The file is an information-stealing Trojan Horse downloader. Upon execution, files called "system.exe" and "firewall.exe" are dropped into the victims' system directory, and a phishing kit is unpacked locally, dropping files bound to startup. The "hosts" file is also modified.

In another variation, victims who click on the link go to a purposely registered domain that advises them to install the latest version of the Adobe Flash player before the video can be viewed. The malicious Website actually links to a file called "adobe_flash.exe," which is really a Trojan Horse packed with ASPack. "Upon execution, a rootkit is installed on the compromised machine, and the victim's data is sent to multiple command and control servers," Websense says.

All three vendors acknowledged there is nothing novel about attacks that play on users' interest in the presidential elections. "While it hardly surprises security specialists that a new wave of infectious emails are swamping mailboxes everywhere, the depth, duration, and lack of dignity [of this particular attack] does," Cloudmark wrote.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant