Obama Speech Trojan
The SonicWALL UTM Research team observed a new spam campaign that uses yesterday's US election as a social engineering lure to install a Trojan.
The email appears to be from news@bbc.com with the subject "Priorities for the New President".
------------------
Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!
Proceed to the election results news page>>
2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
---------------
Some other subjects used are:
- Barack Obama wins
- Can Obama win popular vote but lose election?
- Did Obama Win Yet?
- Election 2008: Time lapse of U.S. counties
- Election Center 2008 - Election Results
- Election Night Results
- Fear of a Black President
- Obama win an Electoral College majority
- Obama win Defined by Race
- USA Election 2008 Results
- World Welcomes Obama's Win
The link goes to one of these fast-flux domains: bfiinwach.com, gerimumsoe.com, lopbiuemis.com, vcoenutrmsi.com, wconlinenrue.com.
If the link is clicked, a file named Adobe_flash9.exe is served to the user. It is 31,232 bytes in size and is compressed with the ASPack executable packer. When run, it copies itself to %Windir%\9129837.exe and drops a rootkit to %Windir%\new_drv.sys, which it installs as a new kernel-mode driver.
It also adds a registry value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] ttool = "%Windir%\9129837.exe"
so that 9129837.exe runs every time Windows starts.
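As an added example (not part of the original alert), the following script checks a collected Run-key export for the persistence entry described above. It assumes the export was produced with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (the standard .reg text format, with backslashes doubled inside string data), and the sample export embedded below is constructed for the demonstration. It matches on the value name "ttool" and on the dropped binary name 9129837.exe; the new_drv.sys driver is registered elsewhere and is not visible in this key.

```python
"""Look for the Obama-lure Trojan's persistence entry in a Run-key export.

Added example for this write-up. It parses the text produced by
'reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run run.reg'
so it can run offline on a collected export; the sample below is constructed.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Indicators from the write-up: the value name and the dropped binary.
IOC_VALUE_NAMES = {"ttool"}
IOC_BASENAMES = {"9129837.exe"}

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
EXE_NAME = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

# Constructed export (not taken from a real host).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"ttool"="%Windir%\\9129837.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Temp\\cleanup.exe"
'''


def parse_run_values(reg_text):
    """Yield (name, data) for string values under the HKCU Run key only."""
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            in_run_key = key.group(1).lower() == RUN_KEY.lower()
            continue
        value = VALUE_LINE.match(line)
        if in_run_key and value:
            name, data = value.groups()
            # .reg files escape backslashes and quotes inside string data.
            data = data.replace('\\\\', '\\').replace('\\"', '"')
            yield name, data


def find_suspicious_run_entries(reg_text):
    """Return [(name, data, reason)] for Run entries matching the IOCs."""
    hits = []
    for name, data in parse_run_values(reg_text):
        exe = EXE_NAME.search(data)
        basename = exe.group(1).lower() if exe else ""
        if name.lower() in IOC_VALUE_NAMES:
            hits.append((name, data, "value name matches IOC"))
        elif basename in IOC_BASENAMES:
            hits.append((name, data, "dropped binary name matches IOC"))
    return hits


if __name__ == "__main__":
    for name, data, reason in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"{name} = {data}  ({reason})")
```

Matching on the value name alone is brittle (a later build can rename it), so the binary name is checked as well; on a live host, pair this with a look for %Windir%\9129837.exe and %Windir%\new_drv.sys on disk.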
The Trojan then connects over HTTP to 91.203.93.57 (hosted in Ukraine) and issues the following GET requests:
- cgi-bin/options.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000
- cgi-bin/cmd.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000
It exfiltrates stolen user IDs and passwords to the above IP.
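As an added example (not part of the original alert), the following script flags both the lure downloads from the fast-flux domains listed earlier and the C2 beacons just described in HTTP proxy logs. The log layout (`timestamp client method url status`) and the log lines embedded in it are constructed for the demonstration; the beacon rule keys on the two CGI paths plus the full parameter set seen in the requests rather than on the IP alone, so it still fires if the controller moves. Reading the `socks` parameter as a port the bot has opened is an interpretation, not something the alert states.

```python
"""Flag Ursnif-style C2 beacons and fast-flux lure domains in HTTP proxy logs.

Added example for this write-up; the log format below is a constructed
'timestamp client method url status' layout, not any particular proxy's.
"""
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the write-up above.
C2_HOSTS = {
    "91.203.93.57",                        # C2 / exfiltration server
    "bfiinwach.com", "gerimumsoe.com",     # fast-flux lure domains
    "lopbiuemis.com", "vcoenutrmsi.com", "wconlinenrue.com",
}
BEACON_PATHS = {"/cgi-bin/options.cgi", "/cgi-bin/cmd.cgi"}
# Parameters the observed beacons always carry; requiring all of them keeps
# an ordinary options.cgi on some unrelated site from matching.
BEACON_PARAMS = {"user_id", "version_id", "passphrase", "socks", "version"}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2008-11-06T10:01:12 10.0.0.17 GET http://91.203.93.57/cgi-bin/options.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000 200
2008-11-06T10:01:13 10.0.0.17 GET http://91.203.93.57/cgi-bin/cmd.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000 200
2008-11-06T10:02:40 10.0.0.22 GET http://intranet.example.com/cgi-bin/options.cgi?user_id=42 200
2008-11-06T10:03:05 10.0.0.31 GET http://bfiinwach.com/Adobe_flash9.exe 200
2008-11-06T10:04:11 10.0.0.5 GET http://news.bbc.co.uk/ 200
"""


def classify_request(url):
    """Return (reason, details) if the URL matches an indicator, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    if parts.path in BEACON_PATHS and BEACON_PARAMS.issubset(query):
        # user_id identifies the bot; socks is presumably the local proxy
        # port it opened (assumption). Both are useful pivots for IR.
        return "ursnif-beacon", {
            "host": host,
            "bot_id": query["user_id"][0],
            "socks_port": int(query["socks"][0]),
        }
    if host in C2_HOSTS:
        return "known-c2-or-lure-host", {"host": host, "path": parts.path}
    return None


def scan_log(text):
    """Parse 'timestamp client method url status' lines and collect hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        ts, client, method, url, status = fields
        verdict = classify_request(url)
        if verdict:
            reason, details = verdict
            hits.append({"time": ts, "client": client, "reason": reason, **details})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A client that shows the options.cgi/cmd.cgi pair is already infected and should be pulled for the host checks above; a client that only fetched Adobe_flash9.exe from one of the lure domains may or may not have run it.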
The Trojan is also known as TrojanSpy:Win32/Ursnif.gen!D (Microsoft) and Mal/Heuri-E (Sophos).
SonicWALL has released a GAV signature to protect against this threat: GAV: Games.C (Trojan)