Risk
1/20/2009
02:54 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Fake Obama Web Site Reportedly Builds Botnet

The fake Web site looks just like the real thing and attempts to bait viewers into clicking a story titled "Barack Obama has refused to be a president."

With so much attention being paid to the physical security at the inauguration of President Barack Obama, cybersecurity concerns appear to have been largely discounted, even as inauguration-related online attacks have surged.

"DHS and the FBI have no credible information indicating a cyber threat to the inauguration," the 56th Presidential Inauguration Joint Threat Assessment (JTA) stated.

Yet even if the event itself appears to have been adequately protected from cyber disruption, it remains unclear how far the government should go to warn Internet users about online risks related to America's change of administration.

The JTA acknowledges that government networks face an increasing number of cyberattacks. "On 7 November 2008, open-source reporting indicated foreign cyber attackers downloaded large quantities of information from the Presidential campaign networks, which intelligence analysts believe was an attempt to learn more about the candidates' policy positions," the report stated.

And it's not just government networks under assault. On Thursday, US-CERT warned of a rising number of phishing and spam attacks related to the presidential inauguration, a pattern that now follows all widely reported current events.

Sure enough, the phishers and scammers have come out of the woodwork to try to exploit people's interest in America's new president.

PandaLabs over the weekend reported that its researchers had detected a botnet-driven malware campaign impersonating then President-elect Obama's Web site. "The fake Web site looks just like the real thing and attempts to bait viewers into clicking a story entitled, 'Barack Obama has refused to be a president,' " wrote PandaLabs security research Sean-Paul Correll in a blog post. "When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the necessary files needed to host the fake site on the victim's computer."

Security researchers at Marshal observed the same scam and attribute it to the Waledac worm, which they say is the successor to the Storm worm. "Waledac first appeared around Christmas time with an e-card theme," the Marshal blog explains. "This is the second campaign by Waledac which is intended to infect more victim machines and grow the botnet."

Symantec researcher Zulfikar Ramzan has also posted a blog entry about this worm. "This threat continues to demonstrate a well established practice among today's attackers; namely, to trick you into infecting yourself through the use of enticing messages based on current events," he said, adding that we're likely to see many more such attempts to leverage civic engagement as an attack vector.

Fred Touchette, senior security analyst at AppRiver, suggests government warnings could be louder. "Any warning they give would be beneficial because [the malware is] getting so rampant," he said in a phone interview.

Touchette said the Waledac worm appears to be an attempt build a new botnet from the same group that built the Storm botnet, which is now in decline. He said the Waledac botnet isn't very large at the moment because his company has only detected some 150,000 to 200,000 related spam messages.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9605
Published: 2015-09-04
WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and password parameters to webup...

CVE-2015-5612
Published: 2015-09-04
Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via the caption tag of a profile image.

CVE-2015-5688
Published: 2015-09-04
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI.

CVE-2015-6807
Published: 2015-09-04
Cross-site scripting (XSS) vulnerability in the Mass Contact module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer mass contact" permission to inject arbitrary web script or HTML via a category label.

CVE-2015-6808
Published: 2015-09-04
Cross-site scripting (XSS) vulnerability in the Spotlight module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a node title.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.