Fake Obama sites prey on inauguration by distributing trojan

Share this article:
Updated Tuesday, Jan. 20, 2008 at 2:19 p.m. EST

Barack Obama was sworn in as president on Tuesday, but a new malware campaign wants you to believe otherwise.

Users are being lured to a number of malicious sites that look like Obama's official homepage but contain bogus news stories such as “Barack Obama refused to be the president of the United States of America” and “There is no president in the USA anymore.”

When the user clicks on one of the links, the malware -- identified as the Waledac trojan -- begins to download the necessary files to host the attack on the victim's computer, Ryan Sherstobitoff, chief corporate evangelist for Panda Security. told SCMagazineUS.com on Tuesday.

The goal of this exploit to build a bigger botnet, Fred Touchette, senior security analyst at anti-spam firm AppRiver, told SCMagazineUS.com.

“It could be pretty dangerous," he said. "The site is an exact mirror of the official Obama-Biden site."

Users are being lured to the site through a spam campaign that has been crafted to contain legitimate-looking news stories about the Obama inauguration, researchers said. The messages aim to lure users into clicking a link contained in the message, which sends users to the fake site.

Spammers and malware authors use any significant social event to entice users to follow links sent out through email, Ryan Barnett, director of application security research for Breach Security told SCMagazineUS.com Tuesday.

"In this case, any fake headlines about the Inauguration will be a hot lure right now," Barnett said.

There are a couple of steps needed to become infected — users must click a link in their email, click on one of the links on the site, download the malicious executable and execute it, Touchette said

The attack appears to originate from China and there are about 75 domain names associated with the Waledac trojan, according to a PandaLabs blog post. Online watchdog, the Shadowserver Foundation, has posted a full list of the domains that are associated with the malware and encourages users to block or avoid them.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Next Article in News

Sign up to our newsletters


More in News

Information sharing requires breaking down barriers, White House cyber guru says

Information sharing requires breaking down barriers, White House ...

The White House has advanced an agenda to promote and facilitate information sharing on security threats and vulnerabilities.

Worm variant of Android ransomware, Koler, spreads via SMS

Worm variant of Android ransomware, Koler, spreads via ...

Upon infection, the Koler variant will send an SMS message to all contacts in the device's address book.

Patch for Windows flaw can be bypassed, prompts temporary fix from Microsoft

Patch for Windows flaw can be bypassed, prompts ...

The Windows zero-day received a patch last week, but the fix can still be bypassed by crafty attackers.