Friday, November 07, 2008

Election Malware Targets Sore Losers - McCain Video Loads Virus

We reported on Wednesday morning that Obama's historic victory was being used by cyber criminals in a spam campaign which attempted to trick email readers into watching a video of Obama's acceptance speech. Clicking the email link took readers to a website which seemed to have a video, but which prompted users to install "Adobe_Flash9.exe", which was not a video player upgrade, but actually a computer virus.

Today the spammer's have decided to take a more negative spin on their spam campaign. While "round one" of the malware seemed to try to appeal to those who were happy that Obama had won, "round two" is trying to trick the Haters into infecting themselves. More than 450 emails have already been received at the UAB Spam Data Mine with such negative subject lines as these:

Barack Obama can lost presidents chair
Barack Obama can lost President's Chair
Barack Obama in Danger - McCain will fight for president post
Barack Obama president resignation - 23/7 News
From Billy Mccain
IMPEACH Barrack Obama | USA government news
McCain Lawmakers Impeach Obama
McCain Lawyers Want to Stop Obama
McCain said today: 'Impeach Obama'
McCain strike against Obama political way
McCain vs Obama - There is a higher potential for confrontation between opposing political forces
McCain want to stop Obama
Moms who voted for Obama
Obama faces impeachment
Obama Impeachment Resources: McCain Look at the Impeachment Process
Obama vs McCain 'Political Strike' May Undermine Labor Group
Scandal: Obama Resignation Letter
Scandal: Re-elections John McCain Will be a Dictator?
Scandal: Re-elections John McCain will defeat Barack Obama
Scandal: Re-elections McCain will win
Scandal: Re-elections Obama: McCain Will Close With Attacks
Scandal: Re-elections Why John McCain will keep fighting
Scandal: Re-elections Why McCain Will Win
The Impeachment of new president Obama
Video: Obama post-resignation speech
Why MccAin Want to Stop Obama From president vacancy?
WScandal: Re-elections hich John McCain will show up to debate?


The website looks like this: (Click the image for a larger version)




As before, the domain names are all newly registered with in China with the Registrar Bizcn.com. The domain names now are:

baraokl.com
oritrsunwart.com
preibrsu.com
serensy.com

Visiting any of the webpages will cause the same "pop-up" which claims that an update is needed to the "Adobe Media Player". Its NOT the same executable that was being used Wednesday morning, but a "re-packing" of the same malware. In other words, it does the same thing, but its still going to need new anti-virus signatures to detect it.

The virus this time around is

File size: 25173 bytes
MD5...: 642a588272e9fe723fb2f1dd8fccede5

Here's a link to the VirusTotal report which shows 22 of 36 AV products currently detect this version of the malware.

Students studying computer forensics at UAB have analyzed this version of the malware and confirmed that the stolen data is sent to the same Ukrainian computer address as the original Obama acceptance speech video and the recent Colonial Bank Digital Certificate malware, 91.203.93.57.

We've sent a request for cooperation for shutdown to the abuse address of record for that IP, abuse@uatelecom.com.ua (good luck, right?)

The malware is hidden on the computer with the name: \9129837.exe and invoked whenever Internet Explorer is active on the computer.

Stolen userids and passwords are sent to the Ukrainian computer using strings that follow this pattern:

http://%s%s?user_id=%.4u&version_id=%s&passphrase=%s&socks=%lu&version=%lu&crc=%.8x
URL: sniffer_ftp_%s
ftp_server=%s&ftp_login=%s&ftp_pass=%s&version=%lu
URL: sniffer_pop3_%s
pop3_server=%s&pop3_login=%s&pop3_pass=%s
URL: sniffer_imap_%s
imap_server=%s&imap_login=%s&imap_pass=%s
URL: sniffer_icq_%s
icq_user=%s&icq_pass=%s

The packer used to make it more difficult to analyze the malware is called "FSG".

Bottom line - don't click on links in email. If you DID click on this link, you need very badly to check out your computer for potential malware.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.