Posted on Wednesday, November 5th, 2008

Obama Spam Malcode Campaigns

by Jose Nazario

At least two different malcode campaigns are afoot using the Barack Obama victory in yesterday’s U.S. presidential elections as the theme. They entice you to visit a website and then, oops, you need to download something:

[Image: Obama Malcode Spam]

Sure enough, that’s a Papras variant. An infostealer, uploads to the Ukraine. Rootkit included.

Some of the domains are using fast flux hosting:

[Image: lopbiuemis_com.png]

Two, possibly three, different campaigns are afoot. Here are the URLs I've seen in my inbox spamtrap today; the differing URL styles suggest different campaigns:

hxxp://selfservice.demystifying.sitesurvey.rr0nzLn8m.selfservice.customerlogin.1puTDHrOM.vcoenutrmsi.com/president.htm?/productsremote/slapiservlet/OSL.htm?LOGIN=5RUnWrr0nz&VERIFY=Ln8mxN1puTDHrOM
hxxp://sitesurvey.memberverify.slapiservlet.MsjhYXouh.selfservice.memberverify.Vc5vE3oOC.lopbiuemis.com/president.htm?/privatelogin/slapiservlet/OSL.htm?LOGIN=S5ZEoMsjhY&VERIFY=XouhveVc5vE3oOC
hxxp://comreportid.verifyonenet.portalserver.c91SJDrOw.slapiservlet.customerlogin.tlFqJUdfI.bfiinwach.com/president.htm?/onlineupdate/memberverify/OSL.htm?LOGIN=K3IrVc91SJ&VERIFY=DrOwLutlFqJUdfI
hxxp://configlogin.onlineupdatemirror.sitesurvey.B7wAhptoO.securitychallenge.ptcontrol.8dBBSHuMF.wconlinenrue.com/president.htm?/exacttrget/linkbrowse/OSL.htm?LOGIN=GwXLYB7wAh&VERIFY=ptoOqP8dBBSHuMF
hxxp://ynkkm.ideaever.com/
hxxp://glptiz.ideaever.com/
hxxp://xxbomm.ideaever.com/
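
The "different styles of URLs" observation can be made mechanical by grouping the spamtrap URLs on their structure rather than their exact text. The following is an added example, not code from the original post: it parses the URLs listed above (kept defanged, never fetched) and clusters them by subdomain depth, path and query parameter names. The function names and the "last two labels" registered-domain rule are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URLs as listed in the post, kept defanged (hxxp); they are parsed, never fetched.
SPAMTRAP_URLS = [
    "hxxp://selfservice.demystifying.sitesurvey.rr0nzLn8m.selfservice.customerlogin.1puTDHrOM.vcoenutrmsi.com/president.htm?/productsremote/slapiservlet/OSL.htm?LOGIN=5RUnWrr0nz&VERIFY=Ln8mxN1puTDHrOM",
    "hxxp://sitesurvey.memberverify.slapiservlet.MsjhYXouh.selfservice.memberverify.Vc5vE3oOC.lopbiuemis.com/president.htm?/privatelogin/slapiservlet/OSL.htm?LOGIN=S5ZEoMsjhY&VERIFY=XouhveVc5vE3oOC",
    "hxxp://comreportid.verifyonenet.portalserver.c91SJDrOw.slapiservlet.customerlogin.tlFqJUdfI.bfiinwach.com/president.htm?/onlineupdate/memberverify/OSL.htm?LOGIN=K3IrVc91SJ&VERIFY=DrOwLutlFqJUdfI",
    "hxxp://configlogin.onlineupdatemirror.sitesurvey.B7wAhptoO.securitychallenge.ptcontrol.8dBBSHuMF.wconlinenrue.com/president.htm?/exacttrget/linkbrowse/OSL.htm?LOGIN=GwXLYB7wAh&VERIFY=ptoOqP8dBBSHuMF",
    "hxxp://ynkkm.ideaever.com/",
    "hxxp://glptiz.ideaever.com/",
    "hxxp://xxbomm.ideaever.com/",
]


def url_style(url):
    """Return (structural signature, registered domain) for one defanged URL."""
    parts = urlsplit(url)  # host/path/query splitting works for any scheme, incl. hxxp
    labels = parts.hostname.split(".")
    # Assumption: registered domain = last two labels (holds for these .com hosts;
    # real data needs a public-suffix list).
    domain = ".".join(labels[-2:])
    # The lure embeds a second path and a second '?' inside the query string, so
    # parameter names are pulled out with a regex instead of parse_qs.
    params = tuple(re.findall(r"(\w+)=", parts.query))
    signature = (len(labels) - 2, parts.path, params)
    return signature, domain


def cluster_by_style(urls):
    """Group URLs by structural signature; each value is the set of domains seen."""
    clusters = defaultdict(set)
    for url in urls:
        signature, domain = url_style(url)
        clusters[signature].add(domain)
    return dict(clusters)


if __name__ == "__main__":
    for (depth, path, params), domains in cluster_by_style(SPAMTRAP_URLS).items():
        print(f"subdomain labels={depth} path={path} params={params}: {sorted(domains)}")
```

On this list the signature separates two structural styles: the deep-subdomain `president.htm` lures spread over four domains, and the single-label hosts under one domain.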

And a Spanish-language campaign is afoot, too. Talk about piggybacking on the news.

Around the net:

And many others.
