President-elect Barack Obama's campaign leveraged social networking all the way to victory in Tuesday night's election. But Obama's online presence has attracted some problems, too.
Hackers are sending out spam e-mails in English and one in Spanish linking to a Web site purporting to contain a video showing an interview with Obama's advisors. Clicking on the video downloads a Trojan, said security vendor Websense (NASDAQ: WBSN).
"The e-mail actually contains links to a file called 'BarackObama.exe' hosted on a compromised site. The file is a Trojan downloader, which upon execution drops files into the system directory and unpacks a phishing kit, compromising all data on the victims PC." What's more, said Dan Hubbard, chief technology officer for Websense, major anti-virus vendors are not detecting this threat.
"None of the major antivirus vendors' products we tested were covering for the Spanish-language Trojan, and only five out of 20 vendors' products we tested covered the English-language one."
The spams use a variety of headlines linked to Obama. One has the headline McCane (sic) vs Obama, war started. Clicking on it takes the recipient to a Web site for Canadian Pharmacy asking the visitor to click on a link. Canadian Pharmacy is one of the spammers most familiar to antivirus experts, Hubbard said.
The Spanish-language e-mail spam is the simpler of the two attacks, Hubbard said, because it only steals victims' online banking credentials. It is aimed at users in Latin America, he added.
Maximizing the hit
Hubbard said the English-language worm not only steals online banking credentials, but also opens up a backdoor and downloads another piece of code that lets it track Web sites the victim visits and what the victim downloads. It also uses fast flux, a technology that brings up a new server if the current one is blacklisted by Internet service providers (ISPs) for spamming.
Fast flux is becoming increasingly popular as a tool for cybercriminals because it provides robustness and anonymity, Fortigard Global security researcher Derek Manky told InternetNews.com. Cybercriminals who use fast flux usually run botnets, rings of zombie computers that have been taken over by viruses, he added.
Such botnets are difficult to track down because they are rented to cybercriminals by people specializing in setting up botnets. A federal grand jury in August charged Brazilian national Leni de Abreu Neto for allegedly being involved in a botnet ring that maintained, leased and sold a botnet of more than 100,000 computers worldwide.
Spotting a spam e-mail is easy because these use very long domain names, Manky said. "Top level domain names usually have three segments, like www.google.com, but we've seen seven or more segments in these spam domain names," he explained. That is because cybercriminals automatically generate domain names so they can register them by the thousands to ensure their networks can stay up even when servers are taken down by ISPs.
The complexity of the attacks in the English-language e-mails is not new, Websense's Hubbard said. "We've seen the same characteristics with different lures over the past six to eight months, ranging from UPS (NYSE: UPS) shipping invoices to using different personalities in the entertainment industry," he explained.