Obama Speech Trojan

November 5, 2008

SonicWALL UTM Research team observed a new spam campaign which uses yesterday's US election as a social engineering mechanism to install a Trojan.

The email appears to be from news@bbc.com with the subject "Priorities for the New President". The email content is:

------------------
Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!

Proceed to the election results news page>>

2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
---------------

Some other subjects used are:

  • Barack Obama wins
  • Can Obama win popular vote but lose election?
  • Did Obama Win Yet?
  • Election 2008: Time lapse of U.S. counties
  • Election Center 2008 - Election Results
  • Election Night Results
  • Fear of a Black President
  • Obama win an Electoral College majority
  • Obama win Defined by Race
  • USA Election 2008 Results
  • World Welcomes Obama's Win

The link goes to one of these fast-flux domains (bfiinwach.com, gerimumsoe.com, lopbiuemis.com, vcoenutrmsi.com, wconlinenrue.com).

If the link is clicked, an Adobe_flash9.exe is served to the user. It is 31,232 bytes in size and is packed with the ASPack executable packer. It drops a copy of itself as %Windir%\9129837.exe and drops a rootkit at %Windir%\new_drv.sys, which it installs as a new kernel-mode driver.

It also modifies the registry:

 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] ttool = "%Windir%\9129837.exe" 

so that 9129837.exe runs every time Windows starts.

The Trojan then connects over HTTP to 91.203.93.57 (which is hosted in Ukraine) and issues the following GET requests:

  • cgi-bin/options.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000
  • cgi-bin/cmd.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000

It exfiltrates stolen user IDs and passwords to the above IP.
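The two indicators above (the Run-key persistence entry and the `cgi-bin/options.cgi` / `cgi-bin/cmd.cgi` beacons to 91.203.93.57) are the kind of thing a defender would sweep for in proxy logs and autorun exports. The following is an added example, not SonicWALL's code: it scans constructed proxy log lines for requests that match the beacon pattern (the C2 address, or the `cgi-bin` script names with the full parameter set shown above) and checks a constructed `.reg` export of the Run key for the `ttool` value / `9129837.exe` file. The log line layout (timestamp, client IP, method, URL) and the export text are assumptions made for the example.

```python
"""Sweep proxy logs and a Run-key export for the Ursnif indicators in the advisory.

Added example; not SonicWALL's code. The log lines and the registry export
below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

C2_HOST = "91.203.93.57"                      # C2 address from the advisory
C2_SCRIPTS = {"options.cgi", "cmd.cgi"}       # scripts requested under /cgi-bin/
BEACON_PARAMS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}

# Constructed proxy log: "<epoch> <client> <method> <url>" (assumed layout)
PROXY_LOG = """\
1225900001.123 10.0.0.12 GET http://www.example.com/index.html
1225900002.456 10.0.0.12 GET http://91.203.93.57/cgi-bin/options.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000
1225900003.789 10.0.0.12 GET http://91.203.93.57/cgi-bin/cmd.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000
1225900004.000 10.0.0.15 GET http://intranet.example.com/cgi-bin/options.cgi?user_id=42
"""


def classify_request(url):
    """Return a verdict dict if the URL matches the beacon indicators, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    script = parts.path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query)
    reasons = []
    if host == C2_HOST:
        reasons.append("known C2 address")
    # A benign intranet CGI with the same script name is ignored unless it also
    # carries the full beacon parameter set.
    if parts.path.startswith("/cgi-bin/") and script in C2_SCRIPTS and BEACON_PARAMS <= set(params):
        reasons.append("beacon parameter set")
    if not reasons:
        return None
    return {
        "host": host,
        "script": script,
        "user_id": params.get("user_id", [""])[0],
        "reasons": reasons,
    }


def scan_proxy_log(text):
    """Return one verdict per matching log line, with client and timestamp attached."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        verdict = classify_request(url)
        if verdict:
            verdict.update(client=client, ts=ts)
            hits.append(verdict)
    return hits


# Constructed .reg export of the Run key on a suspect host (backslashes are
# doubled, as regedit writes them).
RUN_KEY_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"ttool"="%Windir%\\9129837.exe"
"""

RUN_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
SUSPECT_RUN_NAMES = {"ttool"}          # value name from the advisory
SUSPECT_RUN_FILES = {"9129837.exe"}    # dropped file name from the advisory


def find_suspicious_run_values(reg_text):
    """Return (name, data) pairs whose value name or target file matches the indicators."""
    found = []
    for line in reg_text.splitlines():
        m = RUN_VALUE_RE.match(line.strip())
        if not m:
            continue
        name, data = m.groups()
        # Undo the .reg escaping, then take the file name component.
        exe = data.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() in SUSPECT_RUN_NAMES or exe in SUSPECT_RUN_FILES:
            found.append((name, data))
    return found


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']}/{hit['script']} "
              f"user_id={hit['user_id']} ({', '.join(hit['reasons'])})")
    for name, data in find_suspicious_run_values(RUN_KEY_EXPORT):
        print(f"suspicious Run value: {name} = {data}")
```

Matching on the parameter set as well as the address matters because the fast-flux and C2 infrastructure can move while the beacon format stays the same; the `user_id` value is kept in the verdict so that hits from several hosts can be correlated to one bot identity.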

The Trojan is also known as TrojanSpy:Win32/Ursnif.gen!D (Microsoft) and Mal/Heuri-E (Sophos).

SonicWALL has released a GAV signature to protect against this threat: GAV: Games.C (Trojan)