President-elect Barack Obama Fake Website: pushing malware

I originally published this blog at http://community.ca.com/blogs/securityadvisor

January 17 2009, 03:06 PM         by         Benjamin Googins

On Friday we started observing a new spam email campaign that uses the very timely inauguration of President-elect Barack Obama as its social engineering hook. The emails are sent from already-infected computers and contain a hyperlink to a fake website that appears nearly identical to barackobama.com. The fake website links to a trojan downloader and to a bot component that spams other computers and expands the bot network.

Here is what some of the emails look like (the original post shows three sample emails as screenshots here).

Clicking the link in these emails takes the user to a fake website that looks almost identical to barackobama.com. The original post shows a screenshot of the fake website here, followed by a screenshot of the legitimate site, barackobama.com, for comparison.

Every single link on the fake site connects to a trojan downloader. The filename for this downloader changes frequently; during my testing I saw filenames like pdf.exe, artice.exe, etc. A related process installs another downloader on the user's PC with a random filename, for example 1pau7dt9.exe. If a user clicks any link on the fake page, they will get a file download prompt (shown as a screenshot in the original post).
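A quick triage check for a captured page like this one, as an added example (not code from the original post): enumerate every anchor on the page, resolve it against the page URL, and flag links whose target is an executable or leaves the page's own host. The HTML below is constructed for the example and the host name fake-example.invalid is an assumption; only the filenames pdf.exe and artice.exe come from the post. On a page like the one described above, the summary reports that every link resolves to an executable.

```python
"""Enumerate links on a captured phishing page and flag executable downloads.

Example code added for illustration; the HTML and host names below are
constructed, not taken from the real fake site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Extensions Windows will run directly when the user opens the download.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def triage_links(html, base_url):
    """Return one record per link: resolved URL, executable flag, off-host flag."""
    parser = LinkCollector()
    parser.feed(html)
    base_host = urlsplit(base_url).hostname
    results = []
    for href in parser.hrefs:
        url = urljoin(base_url, href)          # relative hrefs become absolute
        parts = urlsplit(url)
        path = parts.path.lower()              # query string is not part of path
        results.append({
            "url": url,
            "executable": path.endswith(EXECUTABLE_SUFFIXES),
            "off_host": parts.hostname != base_host,
        })
    return results


def summarize(results):
    """Count links and report whether every one of them is an executable."""
    total = len(results)
    exe = sum(1 for r in results if r["executable"])
    return {
        "links": total,
        "executable_links": exe,
        "all_links_executable": total > 0 and exe == total,
    }


# Constructed sample page (assumption): four "news" links, all of them .exe files.
BASE_URL = "http://fake-example.invalid/index.html"
SAMPLE_HTML = """
<html><body>
<h1>Barack Obama</h1>
<a href="/news/pdf.exe">Latest news</a>
<a href="news/artice.exe">Read the article</a>
<a href="http://fake-example.invalid/issues/story.exe?id=7">Story</a>
<a href="http://dl.fake-example.invalid/video.exe">Watch video</a>
</body></html>
"""

if __name__ == "__main__":
    records = triage_links(SAMPLE_HTML, BASE_URL)
    for r in records:
        flags = [k for k in ("executable", "off_host") if r[k]]
        print(r["url"], ",".join(flags) or "-")
    print(summarize(records))
```

Feed it the saved HTML of a suspicious page and its URL; a page where every link, including "news stories", resolves to an .exe is the pattern described above and is worth blocking at the proxy before looking any further.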

Once the file is downloaded and run, the system begins acting as a bot and starts sending emails similar to the ones shown above to other email addresses. The original post shows a packet capture of that traffic here.

In the circled areas of the capture you can see the originating and destination email addresses (sanitized to protect privacy) and the message body that is spammed. This scheme works to quickly build the bot network.
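The outbound spam described above is easy to spot on the network even without reading the mail itself: a workstation that suddenly opens SMTP connections to many distinct mail servers in a short window is behaving like a spambot. The detection below is an added example, not code from the original post; the log lines are constructed in a generic "timestamp src dst port" firewall style, the 10-minute window and 20-destination threshold are assumed tuning values, and the allowlist stands in for the organization's legitimate mail relay, which would otherwise trip the same rule.

```python
"""Flag hosts fanning out SMTP (TCP/25) connections to many distinct servers.

Example code added for illustration; the log lines, addresses, window and
threshold below are constructed assumptions, not data from the original post.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_DISTINCT_DSTS = 20           # assumed threshold for distinct SMTP peers


def parse_line(line):
    """Parse 'ISO-timestamp src_ip dst_ip dst_port' into typed fields."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_spambots(lines, allowlist=frozenset(), window=WINDOW,
                    threshold=MAX_DISTINCT_DSTS):
    """Return {src_ip: alert} for hosts reaching >= threshold distinct
    SMTP destinations within any window-length span. Allowlisted sources
    (legitimate mail relays) are ignored."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == 25 and src not in allowlist:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()                      # sliding window needs time order
        in_window = deque()
        distinct = Counter()               # dst -> connections inside window
        for ts, dst in events:
            in_window.append((ts, dst))
            distinct[dst] += 1
            # Expire connections older than the window before counting.
            while ts - in_window[0][0] > window:
                old_ts, old_dst = in_window.popleft()
                distinct[old_dst] -= 1
                if distinct[old_dst] == 0:
                    del distinct[old_dst]
            if len(distinct) >= threshold and src not in alerts:
                alerts[src] = {
                    "first_seen": in_window[0][0],
                    "triggered_at": ts,
                    "distinct_destinations": len(distinct),
                }
    return alerts


def _constructed_log():
    """Build a sample log: one spambot, one legitimate relay, one workstation."""
    base = datetime(2009, 1, 17, 14, 0, 0)
    lines = []
    # Infected workstation: 25 different mail servers in about five minutes.
    for i in range(25):
        t = base + timedelta(seconds=12 * i)
        lines.append(f"{t.isoformat()} 10.0.0.23 203.0.113.{i + 1} 25")
    # Corporate mail relay: same fan-out, but it is allowed to do this.
    for i in range(25):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 198.51.100.{i + 1} 25")
    # Normal workstation: a few submissions to the relay plus web browsing.
    for i in range(3):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} 10.0.0.40 10.0.0.5 25")
    for i in range(30):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 10.0.0.40 192.0.2.{i + 1} 80")
    return lines


SAMPLE_LOG = _constructed_log()
ALLOWLIST = frozenset({"10.0.0.5"})   # assumed legitimate relay

if __name__ == "__main__":
    for src, alert in detect_spambots(SAMPLE_LOG, ALLOWLIST).items():
        print(f"ALERT {src}: {alert['distinct_destinations']} SMTP peers "
              f"between {alert['first_seen']} and {alert['triggered_at']}")
```

The allowlist matters: without it the mail relay 10.0.0.5 is indistinguishable from the bot, so the rule should be paired with an egress policy that only lets the relay talk to port 25 in the first place. Any other host tripping it is a candidate for the cleanup described in the rest of this post.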

The infection also creates a number of registry keys like these:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Telephony\Cards\Card0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Telephony\Cards\Card1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Telephony\Cards\Card10

The downloader installed on the PC was located here: c:\Documents and Settings\Administrator\Local Settings\Temp\1pau7dt9.exe

It is my assumption that this trojan downloader will pull down additional malware at some future point, possibly a rogue anti-malware product.

As always, be very cautious about clicking links in emails, regardless of whether the sender appears to be a "trusted source" (friends, family, colleagues, etc.); the emails in this campaign come from infected machines, not from the people they claim to be from.


Benjamin Googins is a senior engineer working on CA's Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…

2 people have left comments:

The question is not IF there will be an interdiction of Obama’s Presidency by the Supreme Court, the questions are WHEN and HOW that interdiction will transpire — that is, if the USA is to continue as the Constitutional Republic that now exists.

Posted by: Ted, January 18, 2009 5:24 PM

Dumb question I guess. So I clicked the link in one of these e-mails, went to the fake site, looked around thinking it looked strange and clicked on a “story”. When I got the dialog box asking if I wanted to download a file and saw the .exe, I freaked out and exited the site having realized what I was dealing with. So, do I now have a virus, worm or whatever, or would I have had to proceed to open the file? In other words, could I be infected just by having linked over to the fake site?

I’m so embarrassed that I fell for this!

Thanks.

Posted by: Kirsten, January 20, 2009 2:02 AM
