Risk
1/20/2009
02:54 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Fake Obama Web Site Reportedly Builds Botnet

The fake Web site looks just like the real thing and attempts to bait viewers into clicking a story titled "Barack Obama has refused to be a president."

With so much attention being paid to the physical security at the inauguration of President Barack Obama, cybersecurity concerns appear to have been largely discounted, even as inauguration-related online attacks have surged.

"DHS and the FBI have no credible information indicating a cyber threat to the inauguration," the 56th Presidential Inauguration Joint Threat Assessment (JTA) stated.

Yet even if the event itself appears to have been adequately protected from cyber disruption, it remains unclear how far the government should go to warn Internet users about online risks related to America's change of administration.

The JTA acknowledges that government networks face an increasing number of cyberattacks. "On 7 November 2008, open-source reporting indicated foreign cyber attackers downloaded large quantities of information from the Presidential campaign networks, which intelligence analysts believe was an attempt to learn more about the candidates' policy positions," the report stated.

And it's not just government networks under assault. On Thursday, US-CERT warned of a rising number of phishing and spam attacks related to the presidential inauguration, a pattern that now follows all widely reported current events.

Sure enough, the phishers and scammers have come out of the woodwork to try to exploit people's interest in America's new president.

PandaLabs over the weekend reported that its researchers had detected a botnet-driven malware campaign impersonating then President-elect Obama's Web site. "The fake Web site looks just like the real thing and attempts to bait viewers into clicking a story entitled, 'Barack Obama has refused to be a president,' " wrote PandaLabs security research Sean-Paul Correll in a blog post. "When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the necessary files needed to host the fake site on the victim's computer."

Security researchers at Marshal observed the same scam and attribute it to the Waledac worm, which they say is the successor to the Storm worm. "Waledac first appeared around Christmas time with an e-card theme," the Marshal blog explains. "This is the second campaign by Waledac which is intended to infect more victim machines and grow the botnet."

Symantec researcher Zulfikar Ramzan has also posted a blog entry about this worm. "This threat continues to demonstrate a well established practice among today's attackers; namely, to trick you into infecting yourself through the use of enticing messages based on current events," he said, adding that we're likely to see many more such attempts to leverage civic engagement as an attack vector.

Fred Touchette, senior security analyst at AppRiver, suggests government warnings could be louder. "Any warning they give would be beneficial because [the malware is] getting so rampant," he said in a phone interview.

Touchette said the Waledac worm appears to be an attempt build a new botnet from the same group that built the Storm botnet, which is now in decline. He said the Waledac botnet isn't very large at the moment because his company has only detected some 150,000 to 200,000 related spam messages.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.