With Barack Obama’s inauguration just around the corner, it’s not surprising that we’re seeing spam use it as a lure, in particular to seed malware.
The campaign we’ve been seeing for the last few days has subject lines such as “Breaking news about Barack Obama”, “Have you heard latest news about Obama?” and “Sensational Obama’s speech” and bizarre messages that vary around a theme of “Barack Obama doesn’t want to be next president”, “Barack Obama abandoned us” and “The USA left without president”.
Following the link (there are a number of different domain names, all using fast-flux) takes you to a site we detect as Mal/WaledJs-A, which tries to get you to download an executable with a variety of filenames (for example speech.exe, blog.exe, readme.exe and barackblog.exe), and also tries to load a script (google-analysis.js) to download and execute this file automatically. The executable is another in the Waled family of malware, detected as W32/Waled-Gen or Mal/WaledPak-A.
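The chain described above (a page pulling a loader script, then the same host serving one of the lure executables) is something a web proxy log can surface. The following detection routine is an added example, not code from the original post or from Sophos; the log format and the 60-second correlation window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the original post). Assumed format:
# "<epoch> <client_ip> <host> <path>"; hosts use the reserved .invalid/.example TLDs.
PROXY_LOG = """\
1232000001 10.0.0.5 fakeblog.invalid /index.html
1232000002 10.0.0.5 fakeblog.invalid /google-analysis.js
1232000004 10.0.0.5 fakeblog.invalid /speech.exe
1232000010 10.0.0.7 news.example.net /google-analysis.js
1232000011 10.0.0.7 cdn.example.net /barackblog.exe
1232000500 10.0.0.9 fakeblog.invalid /readme.exe
""".splitlines()

# Indicators named in the post: the loader script and the executable filenames.
LOADER_SCRIPT = "google-analysis.js"
LURE_FILENAMES = {"speech.exe", "blog.exe", "readme.exe", "barackblog.exe"}
WINDOW = 60  # assumed: max seconds between script load and executable fetch

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse(line):
    """Return (timestamp, client, host, basename) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, host, path = m.groups()
    return int(ts), client, host, path.rsplit("/", 1)[-1].lower()

def find_waled_chains(lines, window=WINDOW):
    """Flag lure-executable downloads. Severity 'auto-chain' means the same
    client fetched the loader script from the same host within `window`
    seconds beforehand (the automatic download path); 'lure-download' means
    the executable alone was fetched (the manual click path)."""
    script_seen = defaultdict(list)  # (client, host) -> timestamps of script loads
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, client, host, name = rec
        key = (client, host)
        if name == LOADER_SCRIPT:
            script_seen[key].append(ts)
        elif name in LURE_FILENAMES:
            chained = any(0 <= ts - t <= window for t in script_seen[key])
            hits.append({"client": client, "host": host, "file": name, "ts": ts,
                         "severity": "auto-chain" if chained else "lure-download"})
    return hits
```

Note that the script-then-executable correlation is keyed per host on purpose: a page loading a script from one domain and a binary from another (the 10.0.0.7 case) is only reported at the lower severity.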
The style and content of both the spam and the web pages indicate that the team behind Storm/Dorf is back again. But looking at the site itself, they seem to have taken the level of social engineering up a notch.
Here’s the fake site:
Now compare that to Obama’s real blog:
As you can see, it’s a pretty good replica. The colours aren’t quite right, but you’d only really notice if actively comparing the pages. The account login at the top is a text box on the real site, while the fake site has just copied it as an image, so it looks a little grainy.
The most impressive thing for me is that there’s obviously some script behind the scenes in the fake site that’s parsing the real site, or possibly even just using the real site’s RSS, since the news items on the fake blog match those of the real blog … except of course for the top one – the real blog isn’t running any story about the inauguration being “under the threat of failure”, and as far as we’re aware Obama really hasn’t “refused to be a president”!