Obama Nobel Prize Spam Links to Malware and Drive-By

Just when I thought we weren’t going to see any spam campaigns related to the recent announcement of United States President Barack Obama being awarded the Nobel Peace Prize, I was proven wrong.  Spammers rarely disappoint when a juicy news story hits.  It’s like attracting flies to honey.

The spam email questions whether Barack Obama deserved to win the Nobel Prize and claims that significant fallout is being felt around the country as a result.  The email then asks the user to click, or copy and paste into their browser, a link that will take them to a website where they can download more information.

[Image: Obama Nobel Prize Spam]

If the user clicks on the link in the email, they are brought to a site that shows an image of Barack Obama followed by a notification that their download will start shortly.  Recall that, based on the email, the user believes they are going to be downloading a report on the unrest created by Obama’s acceptance of the award.

[Image: Obama Nobel Spam Site]

Five seconds after the page loads, the user is prompted to download an executable file named Obama_NobelPrize.exe.  That is not the end of the story, however.  Not content with the chance that the user suddenly realizes they are about to download an executable file they likely do not want, the authors embedded an extra bit of fun within this page.  Located at the bottom of the page is a little snippet of encoded JavaScript that looks like this:

[Image: Encoded JS Script]

Decoding this JavaScript reveals that the page also attempts to silently load an iframe hosted on the tokyopharmm.com domain.  That iframe in turn attempts to load a series of PDF exploits in order to drop a password-stealing trojan onto the user’s PC, currently identified by McAfee as “Generic PWS.y!hv.i”.

This is another example of current news stories being used as a vector to lure users into downloading malware.  It is a popular tactic that has been repeated over and over, and it keeps being used because it keeps succeeding.  Even if you think you can outwit the malware authors by visiting their web site but declining the executable the page prompts you with, that does not rule out the page executing JavaScript in the background, opening other pages or sites via invisible iframes, testing your machine for other zero-day vulnerabilities and exploiting them.
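As an added illustration for the encoded script and the invisible iframe described above (not code from the original article), the following Python script shows how a defender can inspect a saved copy of such a landing page offline: it decodes inline unescape('...') payloads and flags any iframe that is sized to zero or styled invisible. The sample HTML, the domain example.invalid and the percent-encoding form are constructed assumptions; the article does not state which encoding the real script used.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: a "your download will start shortly" page whose
# footer script writes a zero-size, hidden iframe. The domain is a
# placeholder, not one named in the article.
SAMPLE_HTML = """<html><body>
<img src="obama.jpg">
<p>Your download will start shortly...</p>
<script>
document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fpdf%2F%22%20width%3D0%20height%3D0%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'));
</script>
</body></html>"""

UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)

def decode_unescape_calls(script_text):
    """Return the decoded payload of every unescape('...') in a script body."""
    return [unquote(m) for m in UNESCAPE_RE.findall(script_text)]

class HiddenIframeFinder(HTMLParser):
    """Collect the src of every iframe that is sized to 0/1 px or styled invisible."""
    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tiny or "visibility:hidden" in style or "display:none" in style:
            self.hidden.append(a.get("src", ""))

def find_hidden_iframe_sources(html):
    """Decode inline script payloads, then report hidden iframe sources."""
    finder = HiddenIframeFinder()
    for script in SCRIPT_RE.findall(html):
        for payload in decode_unescape_calls(script):
            finder.feed(payload)          # markup hidden inside the script
    finder.feed(html)                     # markup present in the clear
    return finder.hidden

if __name__ == "__main__":
    for src in find_hidden_iframe_sources(SAMPLE_HTML):
        print("hidden iframe ->", src)
```

Run it against a page saved with a plain HTTP fetch rather than a browser, so nothing in the page executes during analysis.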

GSO
Written on Wednesday, 14 October 2009 02:03 by GSO
