Risk
1/20/2009
02:54 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Fake Obama Web Site Reportedly Builds Botnet

The fake Web site looks just like the real thing and attempts to bait viewers into clicking a story titled "Barack Obama has refused to be a president."

With so much attention being paid to the physical security at the inauguration of President Barack Obama, cybersecurity concerns appear to have been largely discounted, even as inauguration-related online attacks have surged.

"DHS and the FBI have no credible information indicating a cyber threat to the inauguration," the 56th Presidential Inauguration Joint Threat Assessment (JTA) stated.

Yet even if the event itself appears to have been adequately protected from cyber disruption, it remains unclear how far the government should go to warn Internet users about online risks related to America's change of administration.

The JTA acknowledges that government networks face an increasing number of cyberattacks. "On 7 November 2008, open-source reporting indicated foreign cyber attackers downloaded large quantities of information from the Presidential campaign networks, which intelligence analysts believe was an attempt to learn more about the candidates' policy positions," the report stated.

And it's not just government networks under assault. On Thursday, US-CERT warned of a rising number of phishing and spam attacks related to the presidential inauguration, a pattern that now follows all widely reported current events.

Sure enough, the phishers and scammers have come out of the woodwork to try to exploit people's interest in America's new president.

PandaLabs over the weekend reported that its researchers had detected a botnet-driven malware campaign impersonating then President-elect Obama's Web site. "The fake Web site looks just like the real thing and attempts to bait viewers into clicking a story entitled, 'Barack Obama has refused to be a president,' " wrote PandaLabs security research Sean-Paul Correll in a blog post. "When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the necessary files needed to host the fake site on the victim's computer."

Security researchers at Marshal observed the same scam and attribute it to the Waledac worm, which they say is the successor to the Storm worm. "Waledac first appeared around Christmas time with an e-card theme," the Marshal blog explains. "This is the second campaign by Waledac which is intended to infect more victim machines and grow the botnet."

Symantec researcher Zulfikar Ramzan has also posted a blog entry about this worm. "This threat continues to demonstrate a well established practice among today's attackers; namely, to trick you into infecting yourself through the use of enticing messages based on current events," he said, adding that we're likely to see many more such attempts to leverage civic engagement as an attack vector.

Fred Touchette, senior security analyst at AppRiver, suggests government warnings could be louder. "Any warning they give would be beneficial because [the malware is] getting so rampant," he said in a phone interview.

Touchette said the Waledac worm appears to be an attempt build a new botnet from the same group that built the Storm botnet, which is now in decline. He said the Waledac botnet isn't very large at the moment because his company has only detected some 150,000 to 200,000 related spam messages.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4231
Published: 2015-07-03
The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices allows local users to bypass intended access restrictions and delete an arbitrary VDC's files by leveraging administrative privileges in one VDC, aka Bug ID CSCur08416.

CVE-2015-4232
Published: 2015-07-03
Cisco NX-OS 6.2(10) on Nexus and MDS 9000 devices allows local users to execute arbitrary OS commands by entering crafted tar parameters in the CLI, aka Bug ID CSCus44856.

CVE-2015-4234
Published: 2015-07-03
Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS configuration, which allows local users to obtain root access via unspecified input to the Python interpreter, aka Bug IDs CSCun02887, CSCur00115, and CSCur00127.

CVE-2015-4237
Published: 2015-07-03
The CLI parser in Cisco NX-OS 4.1(2)E1(1), 6.2(11b), 6.2(12), 7.2(0)ZZ(99.1), 7.2(0)ZZ(99.3), and 9.1(1)SV1(3.1.8) on Nexus devices allows local users to execute arbitrary OS commands via crafted characters in a filename, aka Bug IDs CSCuv08491, CSCuv08443, CSCuv08480, CSCuv08448, CSCuu99291, CSCuv0...

CVE-2015-4239
Published: 2015-07-03
Cisco Adaptive Security Appliance (ASA) Software 9.3(2.243) and 100.13(0.21) allows remote attackers to cause a denial of service (device reload) by sending crafted OSPFv2 packets on the local network, aka Bug ID CSCus84220.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report