Jan 18 | 1:48 pm (UTC-7) | by Jake Soriano (Technical Communications)
Earlier this week, we blogged about the range of Web threats that would take advantage of Barack Obama’s inauguration on the 20th. We mentioned fake news as a possible social engineering ploy, and cybercriminals did not disappoint. In fact, they were a little early: Trend Micro Advanced Threats Researcher Paul Ferguson discovered bogus websites with headlines like “Barack Obama has refused to be a president” and links that lead to malicious executables.

Figure 1. This fake news website leads to malware.
Trend Micro detects some of the binaries (with file names like barack.exe and baracknews.exe for maximum effect) as WORM_WALEDAC variants – the same malware family that featured prominently in a spamming and malware operation just after New Year’s and which researchers believe is associated with bot giant Storm. WORM_WALEDAC variants are also notorious for their information-stealing routines.
Some of our detections include WORM_WALEDAC.KAX, WORM_WALEDAC.AE, WORM_WALEDAC.AH, WORM_WALEDAC.AG, WORM_WALEDAC.AD, WORM_WALEDAC.AL, TROJ_AGENT.DOZZ, TSPY_BANKER.BFE, TROJ_DLOADER.XGZ, BKDR_KRYPTIK.AB.
This malware is mostly hosted on domains that contain Obama-related keywords. We found crafted websites where every link leads to malware.
Users are advised to trust only known, legitimate news websites for information.
Our engineers are still analyzing this threat further. We will post updates as soon as more information becomes available.
Update as of 18 January 2009, 8:00 PM PST
The following spammed email messages contain links that lead to fake Obama websites and ultimately to the download of WORM_WALEDAC.KAX:


Figures 2 & 3. These email messages also contain fabricated news reports.
WORM_WALEDAC.KAX steals email addresses by searching for them in files found on fixed, network, and RAM drives. It saves the stolen information to a file, encrypts it, and sends the file to several IP addresses using HTTP POST. This worm also has backdoor capabilities: it opens random ports on the affected system to listen for commands from a remote user.
Update as of 20 January 2009, 9:00 PM PST
More malicious URLs purporting to be related to Barack Obama host another WALEDAC variant, detected by Trend Micro as WORM_WALEDAC.AI. This worm has the same propagation and information-stealing routines as WORM_WALEDAC.KAX. Like the other worm, it also compromises system security by opening random ports, giving malicious users remote access.
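The two behaviours described in the updates above (HTTP POST of an encrypted file to several raw IP addresses, and a backdoor listening on random ports) both leave traces a defender can look for. The following Python script is an added example, not code from the original post or from Trend Micro: it runs two simple heuristics over constructed sample data. The proxy log lines, host names, IP addresses (from documentation ranges) and listener snapshots are all made up for illustration; the only value taken from the post is the file name barack.exe.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed proxy log (not from the original post):
# timestamp host method url status bytes
SAMPLE_PROXY_LOG = """\
2009-01-18T14:02:11 ws-017 POST http://203.0.113.10/upload.php 200 1843
2009-01-18T14:02:13 ws-017 POST http://203.0.113.44/upload.php 200 1843
2009-01-18T14:02:15 ws-017 POST http://198.51.100.7/upload.php 200 1843
2009-01-18T14:03:01 ws-022 GET http://news.example/obama-breaking.html 200 9001
2009-01-18T14:04:20 ws-022 POST http://intranet.example/forms/submit 200 512
2009-01-18T14:30:00 ws-017 POST http://192.0.2.99/upload.php 200 1843
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")
# URL whose host part is a bare dotted-quad IP rather than a host name
BARE_IP_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)")


def parse_proxy_log(text):
    """Yield (timestamp, host, method, url) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, host, method, url, _status, _size = m.groups()
        yield datetime.fromisoformat(ts), host, method, url


def find_ip_post_fanout(text, min_targets=3, window=timedelta(minutes=5)):
    """Heuristic for the exfiltration routine: flag hosts that POST to at least
    min_targets distinct bare-IP destinations inside a sliding time window.
    Returns {host: sorted list of destination IPs} for the largest set seen."""
    events = defaultdict(list)  # host -> [(timestamp, dest_ip), ...]
    for ts, host, method, url in parse_proxy_log(text):
        if method != "POST":
            continue
        m = BARE_IP_URL.match(url)
        if m:
            events[host].append((ts, m.group(1)))
    hits = {}
    for host, evs in events.items():
        evs.sort()
        recent = deque()
        for ts, ip in evs:
            recent.append((ts, ip))
            # drop events older than the window relative to the current one
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            ips = {i for _, i in recent}
            if len(ips) >= min_targets and len(ips) > len(hits.get(host, ())):
                hits[host] = sorted(ips)
    return hits


# Constructed listener snapshots in netstat-like form: (proto, port, process).
# A baseline taken from a known-clean image, and a current snapshot of a host.
BASELINE_LISTENERS = {
    ("tcp", 135, "svchost.exe"),
    ("tcp", 445, "System"),
    ("tcp", 3389, "svchost.exe"),
}
CURRENT_LISTENERS = {
    ("tcp", 135, "svchost.exe"),
    ("tcp", 445, "System"),
    ("tcp", 3389, "svchost.exe"),
    ("tcp", 49377, "barack.exe"),  # constructed: random high ports bound by the dropped binary
    ("tcp", 51204, "barack.exe"),
}


def new_listeners(baseline, current, allowlist=frozenset({"System", "svchost.exe"})):
    """Heuristic for the backdoor routine: listeners present now but absent from the
    baseline, excluding processes on the allowlist. Random high ports bound by an
    unfamiliar binary are exactly what the worm's backdoor looks like from the host."""
    return sorted(l for l in current - baseline if l[2] not in allowlist)


if __name__ == "__main__":
    for host, ips in find_ip_post_fanout(SAMPLE_PROXY_LOG).items():
        print(f"{host}: POSTed to {len(ips)} bare-IP destinations within 5 min: {ips}")
    for proto, port, proc in new_listeners(BASELINE_LISTENERS, CURRENT_LISTENERS):
        print(f"new listener {proto}/{port} bound by {proc}")
```

The fan-out rule keys on bare-IP destinations because the post describes the stolen data going to several IP addresses rather than to a domain; a host posting the same-sized body to several such addresses in a few seconds (ws-017 in the sample) is flagged, while an ordinary intranet form submission is not. The listener check needs a trusted baseline per image; on its own it only tells you which ports are new, and the process name is what makes the finding actionable.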