Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/20/2009
02:54 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Fake Obama Web Site Reportedly Builds Botnet

The fake Web site looks just like the real thing and attempts to bait viewers into clicking a story titled "Barack Obama has refused to be a president."

With so much attention being paid to the physical security at the inauguration of President Barack Obama, cybersecurity concerns appear to have been largely discounted, even as inauguration-related online attacks have surged.

"DHS and the FBI have no credible information indicating a cyber threat to the inauguration," the 56th Presidential Inauguration Joint Threat Assessment (JTA) stated.

Yet even if the event itself appears to have been adequately protected from cyber disruption, it remains unclear how far the government should go to warn Internet users about online risks related to America's change of administration.

The JTA acknowledges that government networks face an increasing number of cyberattacks. "On 7 November 2008, open-source reporting indicated foreign cyber attackers downloaded large quantities of information from the Presidential campaign networks, which intelligence analysts believe was an attempt to learn more about the candidates' policy positions," the report stated.

And it's not just government networks under assault. On Thursday, US-CERT warned of a rising number of phishing and spam attacks related to the presidential inauguration, a pattern that now follows all widely reported current events.

Sure enough, the phishers and scammers have come out of the woodwork to try to exploit people's interest in America's new president.

PandaLabs over the weekend reported that its researchers had detected a botnet-driven malware campaign impersonating then President-elect Obama's Web site. "The fake Web site looks just like the real thing and attempts to bait viewers into clicking a story entitled, 'Barack Obama has refused to be a president,' " wrote PandaLabs security research Sean-Paul Correll in a blog post. "When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the necessary files needed to host the fake site on the victim's computer."

Security researchers at Marshal observed the same scam and attribute it to the Waledac worm, which they say is the successor to the Storm worm. "Waledac first appeared around Christmas time with an e-card theme," the Marshal blog explains. "This is the second campaign by Waledac which is intended to infect more victim machines and grow the botnet."

Symantec researcher Zulfikar Ramzan has also posted a blog entry about this worm. "This threat continues to demonstrate a well established practice among today's attackers; namely, to trick you into infecting yourself through the use of enticing messages based on current events," he said, adding that we're likely to see many more such attempts to leverage civic engagement as an attack vector.

Fred Touchette, senior security analyst at AppRiver, suggests government warnings could be louder. "Any warning they give would be beneficial because [the malware is] getting so rampant," he said in a phone interview.

Touchette said the Waledac worm appears to be an attempt build a new botnet from the same group that built the Storm botnet, which is now in decline. He said the Waledac botnet isn't very large at the moment because his company has only detected some 150,000 to 200,000 related spam messages.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
CVE-2020-12513
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2020-12514
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd
CVE-2020-12525
PUBLISHED: 2021-01-22
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
CVE-2020-12511
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.