Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Online Miscreants Swept Away by Obamania

Created: 19 Jan 2009 15:44:00 GMT • Updated: 23 Jan 2014 18:38:11 GMT
Zulfikar Ramzan's picture
0 0 Votes
Login to vote

In previous blog postings, I talked about politically themed online malicious activity, focusing on what we observed during the recent U.S. presidential election cycle. Even though the election itself has long since been over, we are continuing to see similar political themes in today’s attacks.

As anticipation builds around President Elect Barack Obama’s upcoming inauguration ceremony, Symantec’s Threat Intelligence team analyzed a new wave of malicious spam messages with a “Presidential theme” that found their way into one of our vast number of global sensors.

The corresponding emails have subjects and bodies similar to the following:

Subject: You must look at this!
 
Our new president has gone

Yours truly,
Dan Harrison
---

Subject: Breaking news
 
Barack Obama refused to be the president of the United States of America
 
Yours Sincerely,
Cecily Lynn
---

Subject: Breaking news

There is no president in the USA anymore
 
With kind regards,
Edgar Rouse
---

Subject: What is going on with our country?
 
Obama has gone

Yours faithfully,
Rodney Lynch
 

Each email also contains a hyperlink (retracted above for safety reasons) that, when clicked on, leads the user to the following Web page:

 
 
While the page looks strikingly similar to the official Obama-Biden campaign site, it is actually vastly different. The site first attempts to exploit weaknesses in your Web browser to surreptitiously install malicious software onto your machine. However, even if your machine is fully patched, the site hopes that your curiosity will get the better of you and every hyperlink on the site points to malicious content. The files you can download from the site take on a variety of names such as usa.exe, obamanew.exe, pdf.exe, statement.exe, barackblog.exe, and barackspeech.exe. Don’t let the myriad of names fool you; under the hood, the files are all otherwise identical. 

Rest assured that we detect this piece of malicious software under the name W32.Waledac. This particular piece of malware is capable, among other things, of:
•    harvesting sensitive information on your computer
•    turning your machine into a spam zombie
•    establishing a back door on your computer that will allow it to be remotely accessed

Interestingly enough, this same piece of malicious software made the rounds not that long ago using various types of Christmas-related themes to trick its way onto your computer. This threat continues to demonstrate a well established practice among today’s attackers; namely, to trick you into infecting yourself through the use of enticing messages based on current events. 

Political themes play an especially prominent role in today’s online attacks because of their strong appeal among a wide audience. The one thing we can be certain of is that this particular incident is neither isolated nor likely to be the last one we see like it.

As we await what will be a truly historic presidential inauguration ceremony, don’t let your online safety and sensitive data become history as well!

Message Edited by Trevor Mack on 01-19-2009 07:54 AM