Security Labs

Alerts

BOOKMARK THIS ALERT
  digg   |     del.icio.us   |     reddit
  newsvine   |     furl   |     technorati

"Sex Scandal" Spam Campaign Targeting US Presidential Election

Date:09.09.2008

Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has discovered an emerging email campaign which uses the US presidential election as a social engineering mechanism to install information-stealing code on a victim's machine. With less than 2 months before the start of the election, emails are circulating with fake news of a sex scandal affecting one of the candidates. Recipients of the email are encouraged to view a video supposedly involving the Democratic candidate Barack Obama. Users who click the link are shown a pornographic video taken from hxxp://homemade*snip*.com/. While the video plays for 14 seconds, malicious applications are installed on the victim's machine.

Screenshot of example email:

The email encourages users to download and run obama-*snip*.exe The MD5 of the Trojan Dropper is 26B861DF715549C537C28E4D60D8D0B7.

Screenshot of pornographic video ran through Windows Media Player:

The dropper installs 809.exe in the user's Temporary Internet Files folder. Also a Browser Helper Object (BHO) named Siemens32.dll is registered. This is an information-stealing application that posts data to a compromised Finnish travel site, hxxp://*snip*-hotel.com/

Screenshot of code locations pointing to compromised Web site:

Websense customers are proactively protected against this latest attack as our ThreatSeeker Network identified a malicious IRS scam hosted on the same domain only last week:

Websense Messaging and Websense Web Security customers are protected against this attack.