2008 Presidential Malware review
Thursday November 6, 2008 at 5:39 am CST
Posted by Oliver Devane
Following on from Pedro’s blog yesterday [Election day is over] and the recent news that the computers of both Campaigners were hacked during the summer [Security focus blog], I wanted to give you a short overview of the different Malware we saw here at McAfee Avert Labs during the US Presidential race.
Due to the high media attention which Barack Obama received, it seems that the Malware Authors specifically targeted him instead of John McCain as a means of luring users into clicking on the Malware.
One of the first pieces of malware we saw which exploited the campaign was in August. This was a spammed email which contained a link to get_flash_updates.exe . The email contained the subject “Obama bribes countrymen to win votes”, if the user followed the link it would download Get_Flash_updates.exe which was a BackDoor-DNM Trojan.
The above was similar to a spamming campaign which Alex Hinchliffe blogged about earlier on this year [Super Wednesday].
A few weeks later we received a file called Obama_*.exe (I renamed the file due to it containing offensive language) which was detected as PWS-Banker.cs. The file used the Window Media Video icon and upon execution dropped the following file: %WinDir%\system32\siemens32.dll. The malware also loaded a video in order to make the user believe that it was in fact a video file.
Yesterday we received a file named BarackObama.exe which Pedro blogged about [Election day is over]. We also went Low Profile on the Generic PWS.y!6F939359 which was being talked about on several different sites [Washington Post] [NetWork World]
Finally today we also received a new one which was named Beat_Obama_178.exe. This was a simple downloader which attempts to download a file from a Chinese website. This will be detected as Generic Downloader.Z in tomorrows Dat release.
We expect to see several more malicious files using the US Presidential election as a means of Social Engineering in order to trick users into executing them. So please be on the look out and keep your security software up to date.