'Obama Trojan' Rides Coattails of President-Elect

Spam email promises video of 'amazing speech,' but instead delivers information-stealing malware

Tim Wilson, Editor in Chief, Dark Reading, Contributor

November 5, 2008

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Barack Obama's victory in yesterday's U.S. presidential election is turning out to be bad news for hundreds of thousands of users whose computers are being infected by malware that bears his name.

Several security tool vendors -- including Cloudmark, Sophos, and Websense -- today are reporting massive amounts of spam messages that promise video clips of an "amazing" Obama speech, election news results, or interviews with Obama's advisers. These messages are carriers of malware that can compromise users' PC, researchers say. The three vendors offered differing descriptions of the attack, which suggests it may be working under different disguises. But screen shots provided by both Cloudmark and Sophos contained identical photos and text, indicating that much of the traffic is being generated by a single exploit.

Cloudmark reports that it has filtered out more than 10 million copies of the "Obama-Trojan" since 10:24 EST this morning. The email entices recipients to open a link to a Website containing an "amazing speech," but the sites themselves are located as far away as Slovenia. The site claims to offer an updated version of Adobe Flash, which automatically starts to download and contains the Trojan payload. Users who actually open the executable will unwittingly receive the "Obama-Trojan," also known as Possible_Crypt or Mal/Emogen-N, Cloudmark warns.

In a blog about the Obama malware, Sophos researcher Graham Cluley says the spam attack, which purports to be from the "American Government Official Website," promises election news results.

"The emails, which have subject lines such as 'Obama win preferred in world poll' and claim to come from [email protected], have accounted for approximately 60% of all malicious spam seen by SophosLabs in the last hour," Cluley said in his blog this morning.

Clicking on the news link leads the user to a page identical to the one described by Cloudmark, and initiates an automatic download of a Trojan masked as a version of Adobe Flash version 9. The Trojan, which Sophos calls Mal/Behav-027, could compromise users' data and lead to identity theft, Cluley warns.

Websense is also warning users of an Obama-disguised attack, but according to its report, some of the email lures promise a video interview with Obama's advisers, while others promise the "amazing speech."

"The email actually contains links to a file called 'BarackObama.exe' hosted on a compromised site," a Websense spokesman said. "The file is a Trojan downloader, which upon execution drops files into the system directory and unpacks a phishing kit, compromising all data on the victim's PC. Major antivirus vendors are not detecting this threat."

In some variations of the email attack, cybercriminals are using well-known publishing names such as Time Magazine and La Republica (Peru) in the email subject line to encourage users to click on the links, Websense says. "We are seeing many variations of this attack, and the numbers of emails are growing by the thousands by the hour," said Dan Hubbard, CTO at Websense.

Some of the email attacks contain links to a file called "BarackObama.exe," which is hosted on a compromised travel site, Websense says. The file is an information-stealing Trojan Horse downloader. Upon execution, files called "system.exe" and "firewall.exe" are dropped into the victims' system directory, and a phishing kit is unpacked locally, dropping files bound to startup. The "hosts" file is also modified.

In another variation, victims who click on the link go to a purposely registered domain that advises them to install the latest version of the Adobe Flash player before the video can be viewed. The malicious Website actually links to a file called "adobe_flash.exe," which is really a Trojan Horse packed with ASPack. "Upon execution, a rootkit is installed on the compromised machine, and the victim's data is sent to multiple command and control servers," Websense says.

All three vendors acknowledged there is nothing novel about attacks that play on users' interest in the presidential elections. "While it hardly surprises security specialists that a new wave of infectious emails are swamping mailboxes everywhere, the depth, duration, and lack of dignity [of this particular attack] does," Cloudmark wrote.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

About the Author

Tim Wilson, Editor in Chief, Dark Reading

Contributor

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights