Risk

1/20/2009
02:54 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Fake Obama Web Site Reportedly Builds Botnet

The fake Web site looks just like the real thing and attempts to bait viewers into clicking a story titled "Barack Obama has refused to be a president."

With so much attention being paid to the physical security at the inauguration of President Barack Obama, cybersecurity concerns appear to have been largely discounted, even as inauguration-related online attacks have surged.

"DHS and the FBI have no credible information indicating a cyber threat to the inauguration," the 56th Presidential Inauguration Joint Threat Assessment (JTA) stated.

Yet even if the event itself appears to have been adequately protected from cyber disruption, it remains unclear how far the government should go to warn Internet users about online risks related to America's change of administration.

The JTA acknowledges that government networks face an increasing number of cyberattacks. "On 7 November 2008, open-source reporting indicated foreign cyber attackers downloaded large quantities of information from the Presidential campaign networks, which intelligence analysts believe was an attempt to learn more about the candidates' policy positions," the report stated.

And it's not just government networks under assault. On Thursday, US-CERT warned of a rising number of phishing and spam attacks related to the presidential inauguration, a pattern that now follows all widely reported current events.

Sure enough, the phishers and scammers have come out of the woodwork to try to exploit people's interest in America's new president.

PandaLabs over the weekend reported that its researchers had detected a botnet-driven malware campaign impersonating then President-elect Obama's Web site. "The fake Web site looks just like the real thing and attempts to bait viewers into clicking a story entitled, 'Barack Obama has refused to be a president,' " wrote PandaLabs security research Sean-Paul Correll in a blog post. "When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the necessary files needed to host the fake site on the victim's computer."

Security researchers at Marshal observed the same scam and attribute it to the Waledac worm, which they say is the successor to the Storm worm. "Waledac first appeared around Christmas time with an e-card theme," the Marshal blog explains. "This is the second campaign by Waledac which is intended to infect more victim machines and grow the botnet."

Symantec researcher Zulfikar Ramzan has also posted a blog entry about this worm. "This threat continues to demonstrate a well established practice among today's attackers; namely, to trick you into infecting yourself through the use of enticing messages based on current events," he said, adding that we're likely to see many more such attempts to leverage civic engagement as an attack vector.

Fred Touchette, senior security analyst at AppRiver, suggests government warnings could be louder. "Any warning they give would be beneficial because [the malware is] getting so rampant," he said in a phone interview.

Touchette said the Waledac worm appears to be an attempt build a new botnet from the same group that built the Storm botnet, which is now in decline. He said the Waledac botnet isn't very large at the moment because his company has only detected some 150,000 to 200,000 related spam messages.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-2607
PUBLISHED: 2018-05-21
jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting vulnerability in console notes (SECURITY-382). Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Malicious Jenkins users...
CVE-2018-1108
PUBLISHED: 2018-05-21
kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
CVE-2018-11330
PUBLISHED: 2018-05-21
An issue was discovered in Pluck before 4.7.6. There is authenticated stored XSS because the character set for filenames is not properly restricted.
CVE-2018-11331
PUBLISHED: 2018-05-21
An issue was discovered in Pluck before 4.7.6. Remote PHP code execution is possible because the set of disallowed filetypes for uploads in missing some applicable ones such as .phtml and .htaccess.
CVE-2018-7687
PUBLISHED: 2018-05-21
The Micro Focus Client for OES before version 2 SP4 IR8a has a vulnerability that could allow a local attacker to elevate privileges via a buffer overflow in ncfsd.sys.