Wednesday, November 05, 2008

Computer Virus masquerades as Obama Acceptance Speech Video

Less than twelve hours after President-Elect Obama's historic acceptance speech, computer criminals have already crafted a malware attack based on the speech. The UAB Spam Data Mine has observed more than 300 spam messages which invite email readers to view the speech with a spam message that looks like this:

Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!

Proceed to the election results news page>>

2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.



The spam subject lines include:

A new president, a new congress ...
Barack Obama wins
Can Obama win popular vote but lose election?
Did Obama Win Yet?
Election 2008: Time lapse of U.S. counties
Election Center 2008 - Election Results
Election Night Results
Fear of a Black President
New president's
Obama win an Electoral College majority
Obama win Defined by Race
Obama win preferred in world poll
Obama win sets stage for showdown
Obama Wouldnt Be First Black President
Obama's Win Reshapes the Race
Priorities for the New President
Priorities for the New President - TIME
The new President's cabinet?
USA Election 2008 Results
Will American Voters Elect a Black President
World Welcomes Obama's Win

The Sender of the email pretends to be one of:

news@cnn.com
news@usatoday.com
news@online.com
news@c18-ss-1-lb.cnet.com
news@president.com
news@unitedstates.com
news@bbc.com


using sender names such as:
2008 president center
Election results
Elections center
Election Results center
President election results

There are five different websites which are used to host the fake website, each of which looks exactly like this:



The domain names used in this attack are:

bfiinwach.com - registered November 4th, BizCN.com
gerimumsoe.com - registered November 4th, BizCN.com
lopbiuemis.com - registered November 4th, BizCN.com
vcoenutrmsi.com - registered November 4th, BizCN.com
wconlinenrue.com - registered November 4th, BizCN.com

(the domain spritsonline.net is also owned by this criminal and is used to host the NameServer for the other five domains.)


The spam message sends users to the page "president.htm" which claims that you need a new Adobe_flash9.exe player in order to view the video.


The virus has been reported to VirusTotal.com, where it was first reported at:

11.05.2008 17:24:35 (CET)

Currently 14 of 36 anti-virus products represented at VirusTotal have detection for this version of the malware, which is a keylogger in a family sometimes called "SnifULA".

The virus file is 31232 bytes in size, and has the MD5 value: 47c86509a78dc1edb42f2964bea86306

This is the same keylogger family which has been behind all of the Digital Certificate bank malware that we have reported to you on so many occasions previously, including yesterday's story on the malware pretending to be a merger letter regarding Wachovia and Wells Fargo.

As evidence of that, we offer the fact that the five domains above are all being hosted on a fast flux network, and that many of the compromised home computers in that network have also hosted the domains for yesterday's Wachovia/WellsFargo malware.

Student Malware Analysts in the UAB Computer Forensics department have analyzed the malware and indicate that the stolen login credentials are being sent to the Ukraine. The virus steals userids and passwords, and posts them to this IP address:

91.203.93.57

IP Location: Ukraine Ukraine Pool For Co-location Customers
IP Address: 91.203.93.57
Blacklist Status: Clear
Whois Record

inetnum: 91.203.93.1 - 91.203.93.128
netname: ZHITOMIR-NET
descr: pool for co-location customers
country: UA
admin-c: ML7676-RIPE
tech-c: ML7676-RIPE
status: ASSIGNED PI
mnt-by: UATELECOM-MNT
source: RIPE # Filtered

person: Mark Liberman
address: Kiev, Ukraine
e-mail:
phone: +380963801326
nic-hdl: ML7676-RIPE
source: RIPE # Filtered

Our friend Dan Clemens put one of those Chinese-registered domain names in a Fast Flux Tracker that he runs over at Packet Ninjas. During a one hour sample, the domain shifted between these IP addresses:

85.178.195.97 - Germany (alicedsl.de)
86.61.25.118 - Slovenia
87.14.145.40 - Italy
91.134.32.34 - Bulgaria
78.51.119.191 - Germany (alicedsl.de)
218.162.48.180 - Taiwan
79.117.203.200 - Romania (rdsnet.ro)
83.24.1.90 - Poland (tpnet.pl)
85.178.200.3 - Germany (alicedsl.de)
90.183.68.7 - Czech Republic (iol.cz)
83.24.21.128 - Poland (tpnet.pl)
87.207.9.23 - Poland (chello.pl)
79.114.224.222 - Romania (rdsnet.ro)
80.193.151.216 - UK (blueyonder.co.uk)



As always, we recommend that you do not follow links received in email, but rather type the name of a reputable news website in your browser if you would like to see the news.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.