President-elect Barack Obama’s campaign leveraged social networking all the way to victory in last night’s election. But Obama’s online presence has attracted some problems, too.
Hackers are sending out spam e-mails, in English and in Spanish, that link to a Web site purporting to contain a video interview with Obama’s advisors. Clicking on the video downloads a Trojan, said security vendor Websense (NASDAQ: WBSN).
“The e-mail actually contains links to a file called ‘BarackObama.exe’ hosted on a compromised site. The file is a Trojan downloader, which upon execution drops files into the system directory and unpacks a phishing kit, compromising all data on the victim’s PC.” What’s more, said Dan Hubbard, chief technology officer for Websense, major anti-virus vendors are not detecting this threat.
Because the Spanish- and English-language spam attacks use new Trojans, users will find it difficult to protect themselves, Hubbard told InternetNews.com.
“None of the major antivirus vendors’ products we tested were covering for the Spanish-language Trojan, and only five out of 20 vendors’ products we tested covered the English-language one.”
The spam messages use a variety of Obama-related headlines. One carries the subject line “McCane (sic) vs Obama, war started.” Clicking on it takes the recipient to a Web site for Canadian Pharmacy that asks the visitor to click on a link. Canadian Pharmacy is one of the spammers most familiar to antivirus experts, Hubbard said.
The Spanish-language e-mail spam is the simpler of the two attacks, Hubbard said, because it only steals victims’ online banking credentials. It is aimed at users in Latin America, he added.
Maximizing the hit
Hubbard said the English-language worm not only steals online banking credentials, but also opens up a backdoor and downloads another piece of code that lets it track Web sites the victim visits and what the victim downloads. It also uses fast flux, a technology that brings up a new server if the current one is blacklisted by Internet service providers (ISPs) for spamming.
Fast flux is becoming increasingly popular as a tool for cybercriminals because it provides robustness and anonymity, FortiGuard Global security researcher Derek Manky told InternetNews.com. Cybercriminals who use fast flux usually run botnets, rings of zombie computers that have been taken over by viruses, he added.
Such botnets are difficult to track down because they are rented to cybercriminals by people specializing in setting up botnets. A federal grand jury in August charged Brazilian national Leni de Abreu Neto for allegedly being involved in a botnet ring that maintained, leased and sold a botnet of more than 100,000 computers worldwide.
Spotting a spam e-mail is easy because these use very long domain names, Manky said. “Top level domain names usually have three segments, like www.google.com, but we’ve seen seven or more segments in these spam domain names,” he explained. That is because cybercriminals automatically generate domain names so they can register them by the thousands to ensure their networks can stay up even when servers are taken down by ISPs.
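As an added example (not code from the article, Websense or FortiGuard), a small Python triage script applies the two signals described above: hostnames with an unusually high number of DNS labels, and the fast-flux pattern of many short-lived IP addresses rotating behind one name. The thresholds and all sample data are constructed assumptions.

```python
"""Heuristic triage of URLs from spam e-mail (added example, not from the article).
Signal 1: hostnames with many DNS labels ("seven or more segments").
Signal 2: fast-flux style DNS: many distinct IPs behind one name, all short TTL.
All thresholds and sample data below are constructed assumptions."""
from collections import defaultdict
from urllib.parse import urlsplit

MAX_LABELS = 6          # flag "seven or more" labels, as the article describes
FLUX_MIN_IPS = 5        # assumption: distinct A records seen for one name
FLUX_MAX_TTL = 300      # assumption: TTL in seconds considered "short"

def label_count(url: str) -> int:
    """Number of dot-separated DNS labels in the URL's hostname."""
    host = urlsplit(url).hostname or ""
    return len([lbl for lbl in host.rstrip(".").split(".") if lbl])

def flag_long_hostnames(urls, max_labels=MAX_LABELS):
    """Return URLs whose hostname has more than max_labels labels."""
    return [u for u in urls if label_count(u) > max_labels]

def flag_fast_flux(lookups, min_ips=FLUX_MIN_IPS, max_ttl=FLUX_MAX_TTL):
    """lookups: iterable of (hostname, ip, ttl_seconds) observed over time.
    A name is flagged when it resolved to many distinct IPs, every one short-lived."""
    ips = defaultdict(set)
    short_ttl = defaultdict(lambda: True)
    for host, ip, ttl in lookups:
        ips[host].add(ip)
        short_ttl[host] &= ttl <= max_ttl
    return sorted(h for h in ips if len(ips[h]) >= min_ips and short_ttl[h])

# Constructed sample data (documentation-range addresses, not real indicators).
SAMPLE_URLS = [
    "http://www.example.com/video",
    "http://a1.b2.c3.d4.e5.f6.example.net/obama.html",
    "http://news.example.org/story",
]
SAMPLE_LOOKUPS = [
    ("a1.b2.c3.d4.e5.f6.example.net", f"198.51.100.{i}", 60) for i in range(1, 8)
] + [("www.example.com", "203.0.113.10", 86400)] * 7

if __name__ == "__main__":
    print("long hostnames:", flag_long_hostnames(SAMPLE_URLS))
    print("fast-flux candidates:", flag_fast_flux(SAMPLE_LOOKUPS))
```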
The complexity of the attacks in the English-language e-mails is not new, Websense’s Hubbard said. “We’ve seen the same characteristics with different lures over the past six to eight months, ranging from UPS (NYSE: UPS) shipping invoices to using different personalities in the entertainment industry,” he explained.
In August, an e-mail malware campaign sent out, within 24 hours, more than 21 million spam e-mails claiming to be non-delivery notifications from FedEx (NYSE: FDX).
Hubbard said the English-language spam is flooding the Web, while the Spanish e-mail spam is a low-level threat, with only about 1,500 being generated in the past few hours.
“We’ve seen more than 30,000 unique English-language e-mails coming through in the past hour, using a couple of dozen domain names, all registered yesterday,” Hubbard said. He predicted that hundreds of thousands of these e-mails would be sent out by the end of the day based on these figures.
Meanwhile, Newsweek is reporting that the computer systems of both Presidential candidates had been hacked back in August. This followed an attack in April that redirected traffic from Obama’s site to then arch-rival Senator Hillary Clinton’s, leading the Obama campaign to advertise for a network security expert the following month.
According to Newsweek, the White House and the FBI informed Obama that a foreign entity was behind the attacks. The White House and Obama’s press people had not responded to requests for comment by press time, and FBI spokesperson Paul Bresson declined comment.