Internet Domain Registry


Wednesday, 5 November 2008

Computer Virus masquerades as Obama Acceptance Speech Video

Posted on 09:41 by Unknown
Less than twelve hours after President-Elect Obama's historic acceptance speech, computer criminals have already crafted a malware attack based on the speech. The UAB Spam Data Mine has observed more than 300 spam messages which invite email readers to view the speech with a spam message that looks like this:

Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!

Proceed to the election results news page>>

2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.



The spam subject lines include:

A new president, a new congress ...
Barack Obama wins
Can Obama win popular vote but lose election?
Did Obama Win Yet?
Election 2008: Time lapse of U.S. counties
Election Center 2008 - Election Results
Election Night Results
Fear of a Black President
New president's
Obama win an Electoral College majority
Obama win Defined by Race
Obama win preferred in world poll
Obama win sets stage for showdown
Obama Wouldnt Be First Black President
Obama's Win Reshapes the Race
Priorities for the New President
Priorities for the New President - TIME
The new President's cabinet?
USA Election 2008 Results
Will American Voters Elect a Black President
World Welcomes Obama's Win

The sender address of the email is forged to appear as one of:

news@cnn.com
news@usatoday.com
news@online.com
news@c18-ss-1-lb.cnet.com
news@president.com
news@unitedstates.com
news@bbc.com


using sender display names such as:
2008 president center
Election results
Elections center
Election Results center
President election results

There are five different websites used to host the fake election-results page, each of which looks exactly the same (the screenshot of the page is not reproduced in this copy).

The domain names used in this attack are:

bfiinwach.com - registered November 4th, BizCN.com
gerimumsoe.com - registered November 4th, BizCN.com
lopbiuemis.com - registered November 4th, BizCN.com
vcoenutrmsi.com - registered November 4th, BizCN.com
wconlinenrue.com - registered November 4th, BizCN.com

(the domain spritsonline.net is also owned by this criminal and is used to host the NameServer for the other five domains.)


The spam message sends users to the page "president.htm" which claims that you need a new Adobe_flash9.exe player in order to view the video.


The virus has been submitted to VirusTotal.com, where it was first seen at:

11.05.2008 17:24:35 (CET)

Currently 14 of 36 anti-virus products represented at VirusTotal have detection for this version of the malware, which is a keylogger in a family sometimes called "SnifULA".

The virus file is 31232 bytes in size, and has the MD5 value: 47c86509a78dc1edb42f2964bea86306

This is the same keylogger family which has been behind all of the Digital Certificate bank malware that we have reported to you on so many occasions previously, including yesterday's story on the malware pretending to be a merger letter regarding Wachovia and Wells Fargo.

As evidence of that, we offer the fact that the five domains above are all being hosted on a fast flux network, and that many of the compromised home computers in that network have also hosted the domains for yesterday's Wachovia/WellsFargo malware.

Student malware analysts in the UAB Computer Forensics department have analyzed the malware and report that the stolen login credentials are being sent to Ukraine. The virus steals user IDs and passwords and posts them to this IP address:

91.203.93.57

IP Location: Ukraine (pool for co-location customers)
IP Address: 91.203.93.57
Blacklist Status: Clear
Whois Record:

inetnum: 91.203.93.1 - 91.203.93.128
netname: ZHITOMIR-NET
descr: pool for co-location customers
country: UA
admin-c: ML7676-RIPE
tech-c: ML7676-RIPE
status: ASSIGNED PI
mnt-by: UATELECOM-MNT
source: RIPE # Filtered

person: Mark Liberman
address: Kiev, Ukraine
e-mail:
phone: +380963801326
nic-hdl: ML7676-RIPE
source: RIPE # Filtered

Our friend Dan Clemens put one of those Chinese-registered domain names in a Fast Flux Tracker that he runs over at Packet Ninjas. During a one hour sample, the domain shifted between these IP addresses:

85.178.195.97 - Germany (alicedsl.de)
86.61.25.118 - Slovenia
87.14.145.40 - Italy
91.134.32.34 - Bulgaria
78.51.119.191 - Germany (alicedsl.de)
218.162.48.180 - Taiwan
79.117.203.200 - Romania (rdsnet.ro)
83.24.1.90 - Poland (tpnet.pl)
85.178.200.3 - Germany (alicedsl.de)
90.183.68.7 - Czech Republic (iol.cz)
83.24.21.128 - Poland (tpnet.pl)
87.207.9.23 - Poland (chello.pl)
79.114.224.222 - Romania (rdsnet.ro)
80.193.151.216 - UK (blueyonder.co.uk)
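Two of the observations in this post are directly usable as detection signals: the landing-page domains were registered the day before the campaign, and a single domain answered with fourteen different residential IP addresses in one hour. The script below is an added example (not code from the original post or from the UAB Spam Data Mine or Packet Ninjas) that scores domains on both signals. The registration dates and the fourteen flux IPs are taken from this post; the timestamps, the benign comparison domain `example-news-site.test`, its address `203.0.113.10`, and the thresholds are constructed assumptions.

```python
"""Added example: triage domains seen in a spam campaign by registration age and
fast-flux behaviour (churn of DNS answers). Not code from the original post."""
from datetime import date, datetime, timedelta
import ipaddress

# Assumed thresholds; tune to your own environment.
NEW_DOMAIN_MAX_AGE_DAYS = 7      # registered within a week of being seen
FLUX_WINDOW = timedelta(hours=1)
FLUX_MIN_IPS = 5                 # >= 5 distinct A records inside one window
FLUX_MIN_NETWORKS = 3            # spread over >= 3 distinct /16 networks

# Registration dates as reported in the post (all 4 November 2008), plus one
# constructed, long-lived benign domain for comparison.
REGISTRATIONS = {
    "bfiinwach.com": date(2008, 11, 4),
    "gerimumsoe.com": date(2008, 11, 4),
    "lopbiuemis.com": date(2008, 11, 4),
    "vcoenutrmsi.com": date(2008, 11, 4),
    "wconlinenrue.com": date(2008, 11, 4),
    "example-news-site.test": date(2001, 3, 15),   # constructed
}

# The fourteen addresses the fast-flux tracker saw for one domain in one hour.
FLUX_IPS = [
    "85.178.195.97", "86.61.25.118", "87.14.145.40", "91.134.32.34",
    "78.51.119.191", "218.162.48.180", "79.117.203.200", "83.24.1.90",
    "85.178.200.3", "90.183.68.7", "83.24.21.128", "87.207.9.23",
    "79.114.224.222", "80.193.151.216",
]

# Constructed observation log: (timestamp, domain, resolved IP). The timestamps
# are invented to spread the answers over a single hour.
_START = datetime(2008, 11, 5, 12, 0)
OBSERVATIONS = []
for _i, _ip in enumerate(FLUX_IPS):
    OBSERVATIONS.append((_START + timedelta(minutes=4 * _i), "bfiinwach.com", _ip))
for _i in range(len(FLUX_IPS)):
    # The benign domain keeps answering with the same (documentation-range) address.
    OBSERVATIONS.append((_START + timedelta(minutes=4 * _i),
                         "example-news-site.test", "203.0.113.10"))


def domain_age_days(domain, seen_on, registrations):
    """Days between registration and the day the domain was observed; None if unknown."""
    created = registrations.get(domain)
    return None if created is None else (seen_on - created).days


def flux_metrics(observations, domain, window=FLUX_WINDOW):
    """Largest number of distinct IPs (and the /16 networks they fall in) answered
    for `domain` inside any sliding window of length `window`."""
    answers = sorted((t, ip) for t, d, ip in observations if d == domain)
    best_ips, best_nets = 0, 0
    for i, (t0, _) in enumerate(answers):
        ips = set()
        for t, ip in answers[i:]:
            if t - t0 > window:
                break
            ips.add(ip)
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        if len(ips) > best_ips:
            best_ips, best_nets = len(ips), len(nets)
    return {"distinct_ips": best_ips, "distinct_networks": best_nets}


def triage(observations, registrations, seen_on):
    """Return {domain: [reasons]}; an empty list means nothing suspicious was found."""
    verdicts = {}
    for domain in sorted({d for _, d, _ in observations}):
        reasons = []
        age = domain_age_days(domain, seen_on, registrations)
        if age is not None and age <= NEW_DOMAIN_MAX_AGE_DAYS:
            reasons.append(f"registered {age} day(s) before it was seen")
        m = flux_metrics(observations, domain)
        if m["distinct_ips"] >= FLUX_MIN_IPS and m["distinct_networks"] >= FLUX_MIN_NETWORKS:
            reasons.append(f"fast flux: {m['distinct_ips']} IPs across "
                           f"{m['distinct_networks']} /16 networks within one hour")
        verdicts[domain] = reasons
    return verdicts


if __name__ == "__main__":
    for dom, why in triage(OBSERVATIONS, REGISTRATIONS, date(2008, 11, 5)).items():
        print(dom, "SUSPICIOUS" if why else "ok", "; ".join(why))
```

Counting distinct /16 networks as well as distinct IPs is what separates a fast-flux domain from a legitimate site served by a large CDN or round-robin pool: a CDN's answers cluster in a few provider netblocks, while the compromised home computers in this post's sample are scattered across a dozen consumer ISPs in nine countries.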



As always, we recommend that you do not follow links received in email, but rather type the name of a reputable news website in your browser if you would like to see the news.
