Obama searching malware

Barack Obama

As if the torrent of malicious spam starring the Senator of Illinois wasn’t enough, those searching the internet earlier today for details of President Elect Barack Obama’s victory could have been in for a nasty surprise.

Sophos received reports that attackers had created a rogue website that was being returned in the sponsored links of a search engine’s results if you searched for information about Barack Obama.

Here’s a typical screenshot showing what you would have seen if you had searched for the phrase “Obama win”:

Search results

The malicious website appears to have been subsequently removed from the search results. However, if you had visited the advertisement what would have happened?

Well you would have been presented with a webpage like this:

Download page

As you can see it is a typical social engineering trick. I particularly like the ‘100% checked by Antivirus’ 🙂

If you were protected by Sophos’s security solutions, then nothing would have happened as the page is detected as being infected by Mal/Iframe-F.

Digging deeper, the bottom node would have attempted to load another website (for which I have updated our detection of Mal/Iframe-F) and that in turn would have tried to launch a dangerous PDF file that contains an exploit in Adobe Acrobat Reader (CVE-2007-5659).

Virus 'Mal/PDFEx-B' found in file XXXXXXXX.cn/cache/doc.pdf

My SophosLabs colleague Fraser Howard has previously talked about some uses of Mal/PDFEx-B.

The file that you are asked to download? Well I am currently analyzing it and I will update the blog once finished.

Of course, this is far from the first time that malicious hackers have planted dangerous links on search engines by paying for adverts. As always, our advice is for computer users to be on their guard, and keep their defences up-to-date.

Update: The file downlaoded (setup.exe) is now detected as Troj/Kango-F. Detection was published 5 November 2008 18:13:07 (GMT). Sophos customers running HIPS would have seen the following rules, HIPS/FileMod-001 and HIPS/ProcMod-002, file on this malware .