Spammers seeking to capitalize on nationwide interest in the Democratic presidential contest are sending out messages offering a link to a “Hillary Clinton video interview” that instead launches a trojan downloader on the victim’s PC.
Symantec, in a posting on its Security Response blog on Thursday, issued a warning to recipients of email messages bearing the subject line “Hillary Clinton Full Video !!!.” Clicking on a link provided in the message will install Trojan.Srizbi, a malicious rootkit trojan that directs the victim’s PC to acquire other spam messages and send them out.
The malicious link in the Clinton spam – which purports to deliver video of an interview with Hillary Clinton during a recent visit to Virginia – is disguised so that it appears to call up a google.com page, when it actually delivers the user to a malware site at canotrajetrilly.com, Symantec said.
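The disguise described above, where the visible link text names google.com while the href points elsewhere, is exactly the kind of mismatch a mail filter can check for. The following is an added example (not Symantec's code or anything from the article): it parses an HTML mail body, pairs each anchor's href with its displayed text, and flags anchors whose displayed domain differs from the real one. Only the two domain names come from the article; the sample mail body and its paths are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain reduction: keep the last two DNS labels."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_disguised_links(html_body):
    """Return anchors whose visible URL/domain text disagrees with the href's domain."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        if "." not in text:
            continue  # plain words like "Click here": nothing to compare against
        actual = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registered_domain(actual) != registered_domain(shown):
            findings.append({"shown": shown, "actual": actual})
    return findings


# Constructed sample body modelled on the campaign in the article (hypothetical paths).
SAMPLE_MAIL = """
<p>Hillary Clinton Full Video !!!</p>
<a href="http://canotrajetrilly.com/interview">http://www.google.com/clinton-interview</a><br>
<a href="http://www.google.com/">www.google.com</a><br>
<a href="http://canotrajetrilly.com/interview">Click here</a>
"""

if __name__ == "__main__":
    for hit in find_disguised_links(SAMPLE_MAIL):
        print(f"disguised link: shows {hit['shown']} but resolves to {hit['actual']}")
```

The registrable-domain reduction is deliberately simple; a production filter would use the public suffix list so that hosts under co.uk-style suffixes are compared correctly.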
Last fall, Symantec research director Oliver Friedrichs predicted that interest in this year’s presidential election also would draw the attention of cybercriminals, who were expected to mount campaign-themed phishing expeditions or deploy keylogging and hacking to attack their victims.
Symantec spam expert Doug Bowers told SCMagazineUS.com on Thursday that the fake Hillary Clinton messages delivered this week are merely the frontrunners in a malware campaign that is expected to grow as the November election approaches.
“We predicted there would be socially engineered spam for the election season and now it’s arrived. We’re seeing a low volume of this now, but we expect it to increase as we approach the election, and to use other candidates,” Bowers said.
According to Symantec, Trojan.Srizbi patches the TCP/IP network driver chain to completely bypass firewalls, intrusion detection systems and network sniffer tools. The rootkit also works in Windows Safe Mode.
Once installed, the trojan attempts to connect to a series of malware-laced URLs and download configuration files to send spam to email addresses contained in the configuration files. The threat runs only in kernel mode and uses rootkit techniques to hide files, registry keys and network connections.