Now that the race for the US presidency has ended with Barack Obama's landslide victory, the race to exploit that victory for new Web threats has begun.
Trend Micro Research Manager Ivan Macalintal reports that spam messages spreading malware began circulating within hours of Obama delivering his acceptance speech. The spam messages pose as a news report about the election results and Obama's speech:
The message contains a link that supposedly leads to a news page with a video of the speech. Clicking it takes the user to the following page:
Of course, the video does not load. Instead, users are told to download the “most recent Adobe Flash Player” to watch it, which tricks them into clicking a link that serves the malicious file adobe_flash9.exe. The "update your player to watch this video" prompt is a classic social engineering lure for getting a user to run an executable: the file is served from the attacker's own page, not from Adobe.
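Because the fake-player prompt recurs in so many lures, a mail or proxy filter can catch much of it with one simple check: an executable whose name imitates a player, codec or update, linked from anywhere but the vendor's own hosts. The script below is an added example, not Trend Micro's detection logic and not code from the original post; the vendor allow-list, the file-name pattern and the sample page text are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts allowed to serve Flash Player installers. An assumption for this
# example; maintain your own allow-list from vendor documentation.
VENDOR_HOSTS = {"adobe.com", "macromedia.com"}

# File names that imitate a player/codec installer. Lures of this kind hand
# the victim an executable instead of a video.
LURE_NAME = re.compile(
    r"(?:adobe|flash|player|codec|update)[\w.-]*\.(?:exe|scr|com|pif|bat|msi)$",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def host_allowed(host, allowed=VENDOR_HOSTS):
    """True only for the vendor domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def classify_url(url):
    """Return a finding dict if the URL looks like an installer lure, else None."""
    parts = urlparse(url)
    filename = parts.path.rsplit("/", 1)[-1]
    if not LURE_NAME.search(filename):
        return None
    if host_allowed(parts.hostname or ""):
        return None
    return {"url": url, "host": parts.hostname, "file": filename}

def find_lures(text):
    """Scan message or page text for installer-named executables off vendor hosts."""
    findings = []
    for url in URL_RE.findall(text):
        hit = classify_url(url)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample page text mimicking the lure described above.
SAMPLE_PAGE = """
<p>Video could not be played. Install the most recent Adobe Flash Player:</p>
<a href="http://news-video.example/player/adobe_flash9.exe">Download</a>
<a href="https://get.adobe.com/flashplayer/download/adobe_flash9.exe">Official</a>
<a href="http://news-video.example/images/logo.png">logo</a>
"""

if __name__ == "__main__":
    for f in find_lures(SAMPLE_PAGE):
        print(f"LURE: {f['file']} served from {f['host']} ({f['url']})")
```

The check deliberately keys on the combination of file name and host rather than on the name alone, so a genuine installer fetched from the vendor passes while the same name on a third-party host is flagged; a look-alike such as adobe.com.evil.example does not pass, because the suffix match requires a dot boundary.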
Obama's victory marks a new political era, not only for the U.S. but worldwide, and it is exactly the kind of historic event that cybercriminals will not pass up for their social engineering schemes. The presidential race may have ended, but for cybercriminals a brand new race to create Web threats has begun. Over the past year alone, several notable threats related to the U.S. elections have been reported, and cybercriminals will continue this trend as long as the world keeps watching the new U.S. President.
Users are therefore advised to watch out for such attacks and to follow safe computing practices (see Best Practices in this issue of Trend Micro First Line of Defense) to protect themselves against threats that rely on social engineering. We expect more threats like this one as this new chapter of US history unfolds.
Updated 8:21 PM PST: Macalintal further points out that this spam run comes from the same group that sends fake bank certificate spam (targeting account holders of Wachovia, Bank of America, Merrill Lynch, and a German bank). The characteristics of this attack still suggest that the cybercriminals are using a fast-flux network of compromised computers. The spam run is still underway as of this writing, using different subjects and fast-changing domains.
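Fast-flux hosting shows up in the DNS: the lure domains resolve to a constantly changing set of compromised hosts behind short TTLs. The script below is an added example (not part of the original post and not Trend Micro's tooling) that scores resolver observations with the usual heuristics: low TTL, churn between successive answers, spread across network prefixes, and far more distinct addresses than any single answer holds. The hostnames, addresses and thresholds are constructed for illustration, not observations of this spam run.

```python
import ipaddress
from statistics import mean

# Constructed resolver observations for three hostnames: (ttl_seconds, [A records])
# as seen on successive lookups a few minutes apart. Illustrative values only.
OBSERVATIONS = {
    "flux.example": [
        (180, ["203.0.113.5", "198.51.100.77", "192.0.2.9"]),
        (180, ["203.0.113.41", "198.51.100.12", "192.0.2.200"]),
        (120, ["203.0.113.88", "192.0.2.33", "198.51.100.140"]),
        (180, ["192.0.2.250", "203.0.113.7", "198.51.100.3"]),
    ],
    # A CDN rotating a small pool inside one prefix with a short TTL.
    "cdn.example": [
        (60, ["192.0.2.10", "192.0.2.11"]),
        (60, ["192.0.2.12", "192.0.2.10"]),
        (60, ["192.0.2.11", "192.0.2.13"]),
        (60, ["192.0.2.12", "192.0.2.13"]),
    ],
    # An ordinary static host.
    "static.example": [
        (3600, ["198.51.100.20"]),
        (3600, ["198.51.100.20"]),
        (3600, ["198.51.100.20"]),
    ],
}

def jaccard(a, b):
    """Overlap between two answer sets; 1.0 means identical, 0.0 disjoint."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if (a | b) else 1.0

def flux_features(lookups):
    """Summarise a sequence of (ttl, [ips]) lookups into the signals used below."""
    ttls = [ttl for ttl, _ in lookups]
    answers = [ips for _, ips in lookups]
    unique_ips = {ip for ips in answers for ip in ips}
    # /24 stands in for ASN diversity here; in production map each IP to its ASN.
    prefixes = {ipaddress.ip_network(ip + "/24", strict=False) for ip in unique_ips}
    if len(answers) > 1:
        churn = 1.0 - mean(jaccard(x, y) for x, y in zip(answers, answers[1:]))
    else:
        churn = 0.0
    return {
        "ttl_avg": mean(ttls),
        "unique_ips": len(unique_ips),
        "unique_prefixes": len(prefixes),
        "records_per_lookup": mean(len(ips) for ips in answers),
        "churn": churn,
    }

def is_fast_flux(lookups, ttl_max=600, min_churn=0.5, min_prefixes=3):
    """Heuristic verdict: short TTL, answers that keep changing, spread across
    several prefixes, and far more distinct IPs than one answer holds."""
    f = flux_features(lookups)
    return (f["ttl_avg"] <= ttl_max
            and f["churn"] >= min_churn
            and f["unique_prefixes"] >= min_prefixes
            and f["unique_ips"] >= 2 * f["records_per_lookup"])

if __name__ == "__main__":
    for name, lookups in OBSERVATIONS.items():
        f = flux_features(lookups)
        print(f"{name:16} ttl={f['ttl_avg']:.0f}s ips={f['unique_ips']} "
              f"prefixes={f['unique_prefixes']} churn={f['churn']:.2f} "
              f"fast-flux={is_fast_flux(lookups)}")
```

The cdn.example entry is there to show the main false positive: a CDN also uses short TTLs and rotates answers, so TTL and churn alone would flag it. What separates a flux network of compromised home machines from a CDN is that its addresses are scattered across many unrelated prefixes and ASNs, which is why the prefix-diversity condition is part of the verdict.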
Updated November 6, 2008 6:20 PM PST: Further analysis reveals that TROJ_DLOADER.ISZ downloads an infostealer, TSPY_PAPRAS.AM, which in turn drops a rootkit component (the already familiar TROJ_ROOTKIT.FX) to hide its routines. TSPY_PAPRAS.AM sniffs network packets to scour for passwords using Carnivore, searching for strings such as ftp, icq, imap, and pop3. It sends the stolen information to a server in Ukraine.
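The malware's own sniffer code is not shown here. The added example below, which is not code from the original post or from the malware, shows why a passive sniffer that greps traffic for those protocol keywords works: cleartext FTP, POP3 and IMAP logins put the username and password on the wire in a fixed, easily matched form, while the same login wrapped in TLS yields nothing readable. Run as an audit over your own captures, it tells you which services on the network are handing credentials to anyone sniffing the segment. The stream contents, ports and account names are constructed, not captured traffic.

```python
import re

# Constructed application-layer payloads, one per reassembled TCP stream, in the
# form a passive sniffer sees them. Not captured traffic.
STREAMS = [
    {"port": 21, "data": (b"220 FTP ready\r\nUSER alice\r\n331 Password required\r\n"
                          b"PASS hunter2\r\n230 Logged in\r\n")},
    {"port": 110, "data": b"+OK POP3 ready\r\nUSER bob@example.net\r\n+OK\r\nPASS letmein\r\n+OK\r\n"},
    {"port": 143, "data": b"* OK IMAP4rev1\r\na001 LOGIN carol secret99\r\na001 OK LOGIN completed\r\n"},
    # IMAPS: the same login wrapped in TLS begins with a handshake record and
    # carries no readable keywords, so keyword scanning finds nothing.
    {"port": 993, "data": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(40)},
]

# FTP and POP3 share the USER / PASS exchange; the password follows the username
# within a few lines. IMAP sends both in a single tagged LOGIN command.
USER_PASS = re.compile(rb"^USER[ \t]+(\S+)\r?\n(?:.*\r?\n)*?PASS[ \t]+(\S+)", re.M)
IMAP_LOGIN = re.compile(rb'^\S+[ \t]+LOGIN[ \t]+"?([^\s"]+)"?[ \t]+"?([^\s"]+)"?', re.M | re.I)

def extract_credentials(data):
    """Return (exchange, user, password) tuples visible in cleartext in one stream."""
    hits = []
    for m in USER_PASS.finditer(data):
        hits.append(("user/pass", m.group(1), m.group(2)))
    for m in IMAP_LOGIN.finditer(data):
        hits.append(("imap-login", m.group(1), m.group(2)))
    return [(kind, u.decode("ascii", "replace"), p.decode("ascii", "replace"))
            for kind, u, p in hits]

def audit(streams):
    """Map each stream's server port to the credentials a sniffer could lift from it."""
    return {s["port"]: extract_credentials(s["data"]) for s in streams}

if __name__ == "__main__":
    for port, creds in audit(STREAMS).items():
        print(port, creds or "nothing readable")
```

The matching is content-based rather than port-based on purpose, as the malware's keyword search is: a cleartext POP3 login on a non-standard port is just as exposed. The only stream that yields nothing is the TLS one, which is the practical lesson for defenders: an infostealer with a packet sniffer cannot read what the client never sends in the clear.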