Earlier this week, we blogged about the range of Web threats that would take advantage of Barack Obama’s inauguration on the 20th. We mentioned fake news as a possible social engineering ploy, and cybercriminals did not disappoint. In fact, they were a little early: Trend Micro Advanced Threats Researcher Paul Ferguson discovered bogus websites with headlines like “Barack Obama has refused to be a president” and links that lead to malicious executables.
Figure 1. This fake news website leads to malware.
Trend Micro detects some of the binaries (with file names like barack.exe and baracknews.exe for maximum effect) as WORM_WALEDAC variants – the same malware family that featured prominently in a spamming and malware operation just after New Year’s and which researchers believe is associated with bot giant Storm. WORM_WALEDAC variants are also notorious for their information-stealing routines.
Some of our detections include WORM_WALEDAC.KAX, WORM_WALEDAC.AE, WORM_WALEDAC.AH, WORM_WALEDAC.AG, WORM_WALEDAC.AD, WORM_WALEDAC.AL, TROJ_AGENT.DOZZ, TSPY_BANKER.BFE, TROJ_DLOADER.XGZ, BKDR_KRYPTIK.AB.
This malware is mostly hosted on domains that contain Obama-related keywords. We found crafted websites where every link leads to malware.
Users are advised to rely only on known, legitimate news websites for information.
Our engineers are still analyzing this threat further. We will post updates as soon as more information becomes available.
Update as of 18 January 2009, 8:00 PM PST
The following spammed email messages contain links that lead to fake Obama websites and ultimately to the download of WORM_WALEDAC.KAX:
Figures 2 & 3. These email messages also contain fabricated news reports.
WORM_WALEDAC.KAX steals email addresses by searching for them in files found on fixed, network, and RAM drives. It saves and encrypts a file containing the stolen information and sends this file to several IP addresses using HTTP POST. This worm also has backdoor capabilities: it opens random ports on an affected system to listen for commands from a remote user.
Update as of 20 January 2009, 9:00 PM PST
More malicious URLs purporting to be related to Barack Obama host another WALEDAC variant, detected by Trend Micro as WORM_WALEDAC.AI. This worm has the same propagation and information-stealing routines as WORM_WALEDAC.KAX. Like the other worm, it also compromises system security by opening random ports, giving malicious users remote access.
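The two behaviours described in the updates above (executables served from lure domains with names like barack.exe, and the stolen-data upload via HTTP POST to bare IP addresses) can both be spotted in outbound proxy logs. The following is an added example, not Trend Micro's detection logic; the log format, the lure keyword list, and the sample lines (including the 198.51.100.23 documentation address) are all constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lure keywords reported in the post's domains and file names (extend as needed; assumption).
LURE_KEYWORDS = ("obama", "barack")

# Constructed proxy log lines, not real traffic: "<time> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2009-01-18T19:02:11 10.0.0.12 GET http://news-of-obama.example/index.html 200
2009-01-18T19:02:15 10.0.0.12 GET http://news-of-obama.example/barack.exe 200
2009-01-18T19:03:40 10.0.0.12 POST http://198.51.100.23/ 200
2009-01-18T19:04:02 10.0.0.40 GET http://www.example.com/news/inauguration.html 200
2009-01-18T19:05:10 10.0.0.40 POST http://www.example.com/login 302
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def host_is_bare_ip(host: str) -> bool:
    # True when the URL host is an IP literal rather than a DNS name.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(line: str):
    # Return the findings for one log line; an empty list means nothing matched.
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    _ts, client, method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    findings = []
    # An executable fetched from a lure domain or under a lure file name.
    if path.endswith(".exe") and any(k in host or k in path for k in LURE_KEYWORDS):
        findings.append(("lure_exe_download", client, url))
    # A POST straight to an IP literal: the upload channel the post describes for WORM_WALEDAC.KAX.
    if method == "POST" and host_is_bare_ip(host):
        findings.append(("post_to_bare_ip", client, url))
    return findings

def scan(log_text: str):
    # Run classify over every line and collect all findings in order.
    return [f for line in log_text.splitlines() for f in classify(line)]

if __name__ == "__main__":
    for kind, client, url in scan(SAMPLE_LOG):
        print(f"{kind}: {client} -> {url}")
```

Both findings for the same client within a few minutes, as in the sample, are the combination worth escalating: a lure download followed shortly by an upload to a raw IP.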