'Obama Trojan' Rides Coattails of President-Elect

Barack Obama's victory in yesterday's U.S. presidential election is turning out to be bad news for hundreds of thousands of users whose computers are being infected by malware that bears his name.

Several security tool vendors -- including Cloudmark, Sophos, and Websense -- today are reporting massive amounts of spam messages that promise video clips of an "amazing" Obama speech, election news results, or interviews with Obama's advisers. These messages are carriers of malware that can compromise users' PC, researchers say. The three vendors offered differing descriptions of the attack, which suggests it may be working under different disguises. But screen shots provided by both Cloudmark and Sophos contained identical photos and text, indicating that much of the traffic is being generated by a single exploit.

Cloudmark reports that it has filtered out more than 10 million copies of the "Obama-Trojan" since 10:24 EST this morning. The email entices recipients to open a link to a Website containing an "amazing speech," but the sites themselves are located as far away as Slovenia. The site claims to offer an updated version of Adobe Flash, which automatically starts to download and contains the Trojan payload. Users who actually open the executable will unwittingly receive the "Obama-Trojan," also known as Possible_Crypt or Mal/Emogen-N, Cloudmark warns.

In a blog about the Obama malware, Sophos researcher Graham Cluley says the spam attack, which purports to be from the "American Government Official Website," promises election news results.

"The emails, which have subject lines such as 'Obama win preferred in world poll' and claim to come from news@president.com, have accounted for approximately 60% of all malicious spam seen by SophosLabs in the last hour," Cluley said in his blog this morning.

Clicking on the news link leads the user to a page identical to the one described by Cloudmark, and initiates an automatic download of a Trojan masked as a version of Adobe Flash version 9. The Trojan, which Sophos calls Mal/Behav-027, could compromise users' data and lead to identity theft, Cluley warns.

Websense is also warning users of an Obama-disguised attack, but according to its report, some of the email lures promise a video interview with Obama's advisers, while others promise the "amazing speech."

"The email actually contains links to a file called 'BarackObama.exe' hosted on a compromised site," a Websense spokesman said. "The file is a Trojan downloader, which upon execution drops files into the system directory and unpacks a phishing kit, compromising all data on the victim's PC. Major antivirus vendors are not detecting this threat."

In some variations of the email attack, cybercriminals are using well-known publishing names such as Time Magazine and La Republica (Peru) in the email subject line to encourage users to click on the links, Websense says. "We are seeing many variations of this attack, and the numbers of emails are growing by the thousands by the hour," said Dan Hubbard, CTO at Websense.

Some of the email attacks contain links to a file called "BarackObama.exe," which is hosted on a compromised travel site, Websense says. The file is an information-stealing Trojan Horse downloader. Upon execution, files called "system.exe" and "firewall.exe" are dropped into the victims' system directory, and a phishing kit is unpacked locally, dropping files bound to startup. The "hosts" file is also modified.

In another variation, victims who click on the link go to a purposely registered domain that advises them to install the latest version of the Adobe Flash player before the video can be viewed. The malicious Website actually links to a file called "adobe_flash.exe," which is really a Trojan Horse packed with ASPack. "Upon execution, a rootkit is installed on the compromised machine, and the victim's data is sent to multiple command and control servers," Websense says.

All three vendors acknowledged there is nothing novel about attacks that play on users' interest in the presidential elections. "While it hardly surprises security specialists that a new wave of infectious emails are swamping mailboxes everywhere, the depth, duration, and lack of dignity [of this particular attack] does," Cloudmark wrote.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message