Content

Fake Obama sites prey on inauguration by distributing trojan

Updated Tuesday, Jan. 20, 2008 at 2:19 p.m. EST

Barack Obama was sworn in as president on Tuesday, but a new malware campaign wants you to believe otherwise.

Users are being lured to a number of malicious sites that look like Obama's official homepage but contain bogus news stories such as “Barack Obama refused to be the president of the United States of America” and “There is no president in the USA anymore.”

When the user clicks on one of the links, the malware -- identified as the Waledac trojan -- begins to download the necessary files to host the attack on the victim's computer, Ryan Sherstobitoff, chief corporate evangelist for Panda Security. told SCMagazineUS.com on Tuesday.

The goal of this exploit to build a bigger botnet, Fred Touchette, senior security analyst at anti-spam firm AppRiver, told SCMagazineUS.com.

“It could be pretty dangerous," he said. "The site is an exact mirror of the official Obama-Biden site."

Users are being lured to the site through a spam campaign that has been crafted to contain legitimate-looking news stories about the Obama inauguration, researchers said. The messages aim to lure users into clicking a link contained in the message, which sends users to the fake site.

Spammers and malware authors use any significant social event to entice users to follow links sent out through email, Ryan Barnett, director of application security research for Breach Security told SCMagazineUS.com Tuesday.

"In this case, any fake headlines about the Inauguration will be a hot lure right now," Barnett said.

There are a couple of steps needed to become infected — users must click a link in their email, click on one of the links on the site, download the malicious executable and execute it, Touchette said

The attack appears to originate from China and there are about 75 domain names associated with the Waledac trojan, according to a PandaLabs blog post. Online watchdog, the Shadowserver Foundation, has posted a full list of the domains that are associated with the malware and encourages users to block or avoid them.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.