While the race to the US presidency has ended with Barack Obama winning by a landslide, the race for new Web threats related to his victory has now begun. Trend Micro Research Manager Ivan Macalintal reported of spam messages that started circulating to spread malware, within hours after Obama delivered his acceptance speech.
Says Amit Nath, Country Manager, India & SAARC, Trend Micro: "The spam which has so far affected computers in China, US and Japan, may come with a subject line like, 'Election Night Results' or 'Priorities for the New President' or 'Fear of a Black President'. The modus operandi of infecting is quite stealthy, which may lead several gullible users infected, the email invites readers to click on a link to watch Obama's speech, this link leads them to a make-believe website, 'America.gov'.
The video pane reads, 'Loading Player', and prompts to download Adobe Flash Player. To further make it look genuine, the site also provides the estimated time for downloading as 4-6 seconds! This tricks users into clicking the link that serves the malicious file adobe_flash9.exe."
Trend Micro detects the downloaded Trojan file as TROJ_DLOADER.ISZ of 3,261 bytes size. Trend Micro researcher Macalintal further points out that this spam run is from the same group that sends fake bank certificate spam (targeting Wachovia, Bank of America, Merrill Lynch, and a German bank's account holders). The properties of this attack still suggest cybercriminals using a fast-flux network of compromised computers. This spam run is currently still underway as of this writing, using different subjects and fast-changing domains.
Warns Nath: "Trend Micro analysis reveals that TROJ_DLOADER.ISZ downloads an infostealer, TSPY_PAPRAS.AM, which in turn drops a rootkit component which hides its routines. This infostealer dives into network packets to scour for passwords using Carnivore by searching strings like ftp, icq, imap, and pop3. It sends stolen information to a server in Ukraine. The Trojan is known to infect Windows 98, ME, NT, 2000, XP and Server 2003."
The malicious URL where this Trojan is downloaded is already blocked by the Trend Micro Smart Protection Network.
No comments:
Post a Comment