Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 10 November 2008

Election Malware and Obama Pill Ads?

Posted on 08:46 by Unknown
Just a quick post to update the situation we described in our previous posts that we are now thinking of as Election Malware Round One and Election Malware Round Two. Round One was the Obama Acceptance Speech video and Round Two was the McCain video. Technically, I guess that means we are currently looking at Round Two B, since the webpage hasn't changed - we just have a fresh batch of domain names.


Election Malware: Round Three


We made contact over the weekend with a real live human at Bizcn.com, who terminated all the domains listed above. Unfortunately, the spammer created new ones and this morning (10NOV08) at 7:52 AM we began to see his latest round of spam. In the first three hours of this spam campaign, the spam is evenly split between three domains created last night:

- miteodemo.com
- oirerbio.com
- demovideons.com

All three domains use the nameserver ns1.vistausan.com, which was also freshly registered last night at bizcn.com.

Computers which are currently hosting proxy redirectors for the domains above also provided redirection services for some of the "Round two" domain names. Some examples currently hosting would be:

118.219.111.107
190.47.161.2
221.184.68.214
89.36.135.102
91.90.229.209

But these are "fluxing" - they will change over the course of the hours as we wait for bizcn.com to shut down these newest domains and their nameserver domain. The shutdown request, in Chinese and English, was sent just now (10:40 AM Central Time)

Barack Sex Video malware


The only other piece of malware we are seeing delivered via election headlines is a very well detected trojan claiming to be a Barack Obama sex video. The great majority of products detect this malware at VirusTotal.com.

The porn video attachment name we are seeing most often is "zeland-01.zip".

Michelle Obama's Name used in Pill Spam


Why anyone would think that email recipients would buy Viagra after reading headlines like these is beyond my comprehension. Two heavily spammed subjects today used to sell Canadian Pharmacy pills are tied to Michelle Obama's name.

All of these 20 domain names were seen advertised in spam using the subject "Bush kills Michelle Obama":

bxoaxcs.cn
cpknetj.cn
cvmovzf.cn
fihithm.cn
hddbzqq.cn
imvbokv.cn
ixwewyi.cn
kycsgsf.cn
lrlbbgf.cn
pagegim.cn
ppnbokc.cn
rornzxl.cn
rzbopdh.cn
rzrsaak.cn
szosojb.cn
teqixyb.cn
ticewyt.cn
umcaxtx.cn
wjqsclb.cn
wplbhdi.cn

These 26 domains names were all used in spam with the subject line "Michelle Obama nude":

aojeyer.cn
cnrogvy.cn
dlyumlv.cn
dvrujfi.cn
fqosaeq.cn
gohbrtf.cn
iemokpg.cn
ihyefos.cn
ixwewyi.cn
kuxulne.cn
kxhoyed.cn
kzinwkm.cn
mmaagwd.cn
oaleqte.cn
ocbibxf.cn
rnjonlg.cn
rzrsaak.cn
sujidbk.cn
syootqj.cn
tomnhac.cn
uqpnjrn.cn
uwkajlr.cn
wjqsclb.cn
xyynwye.cn
zgmnvfe.cn
zyuunvw.cn

Each of those domain names actually forwards to another domain name when visited, which sells Canadian Pharmacy pills. Spammers use this technique to remove their spam from website orders from the domains they control, because some affiliate programs actually do refuse payment from those who can be shown to be spamming. By using this forwarding technique, spammers can claim their domains were NOT used in spam messages.
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • 2009 Year in Review
    As 2009 comes to a close I wanted to take a minute to thank all of the people who have been helpful to this blog this year, and to share bac...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • New BBC spam mocks Georgia's President, Spreads New Virus
    This morning we've received more than 300 copies of a new "BBC" spam campaign which mocks Georgia's President and spreads ...
  • A New Year and Anti-Virus Products Are Still Losing
    One of our most popular blog posts in 2008 was back in August - Anti-Virus Products Still Fail on Fresh Viruses . I'm sad to report tha...
  • Digital Certificates Update
    A quick update from the previous post. The Digital Certificates spam campaign against Merrill Lynch continues, but the good guys seem to be ...
  • ATM Cashers in 26 Countries steal $40M
    CBS News in New York has a video on their website this morning title Cyber-attacks behind possibly record-breaking bank heist . Former FBI ...
  • Amero to Replace Dollar? Could Storm Worm Be Right?
    According to the newest version of the Storm Worm, the Amero is about to replace the dollar: The U.S. Government began to realize the plan t...
  • FAL$E HOPE$ @ CHRI$TMA$
    FAL$E HOPE$ was a Federal Trade Commission operation announced on December 12, 2006, which cracked down on Bogus Business Opportunities. C...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Minipost: NY Zeus "At Large" Codreanu and Adam captured
    We've previously posted about the FBI's Operation ACHing Mule (that's A-C-H as in Automated-Clearing-House, the way American ba...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ►  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ▼  2008 (101)
    • ►  December (7)
    • ▼  November (17)
      • Mumbai Bombings: Coordinated Bombings in India are...
      • Bank of America Demo Account - DO NOT CLICK
      • AsProx: The Phisher King?
      • Igor Klopov sentenced
      • Facebook Users Beware
      • Enlisting YOUR BANK to steal your identity
      • Post McColo Spam - What do we see?
      • Unprecedented Drop in Spam
      • Internet Landfill: McColo Corporation
      • Microsoft Reveals Malware and Spam Trends
      • Election Malware and Obama Pill Ads?
      • Election Malware Targets Sore Losers - McCain Vide...
      • Yesterday's Obama Spammer Now Imitates Colonial Bank
      • Computer Virus masquerades as Obama Acceptance Spe...
      • ICE: Operation Predator - Solving Intertwined Chil...
      • More Merger Malware Wachovia Wells Fargo
      • MS08-067: New RPC Worm from China
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile