Malware Attacks Posing as Campaign Videos

By Matthew Hines  |  Posted 2008-09-29

Apparently Saturday Night Live isn't the only constituency seeking to profit by tying its fortunes to presidential-themed video clips these days.

In addition to the highly publicized skits that SNL has produced in the last several weeks that have parodied the presidential and vice presidential candidates and generated a torrent of interest online, cyber-criminals are also ramping up their efforts to tap into the ongoing race to pad their wallets and add to their networks of infected endpoints.

According to a report published by anti-spyware specialist company Webroot on Sept. 29, researchers at the company have charted a rapid increase in the volume of infected files being distributed, in particular via peer-to-peer file-sharing networks, which have been disguised as campaign-oriented content.

Webroot specifically warned users to beware of malware files being propagated in files labeled as McCain and Obama campaign videos. Among the P2P networks that the company reported that it has seen large amounts of the infected presidential-themed files being traded on is Gnutella, which is accessed by many users of FrostWire and LimeWire.

Webroot said a targeted search of the FrostWire network found some 34 search results for "Obama Speech," 14 of which contained some form of active malware, while five of the 19 results found for "McCain Speech" were found to be carrying malware.

In addition to the timely social engineering tactics being employed by the attackers, the tainted files further illustrate the dangers of using P2P networks, many of which retain some veil of secrecy to avoid prosecution over copyright violations.

"Peer-to-peer networks pose some of the greatest security risks on the Internet," Paul Piccard, director of threat research at Webroot, said in a statement. "Because P2P networks lack the security measures found in enterprise networks or trusted Web sites, users of these networks may put themselves or their companies at increased risk by downloading malicious content or leaking confidential data."

Webroot reported that the most common malware variant spreading through the presidential-campaign video attacks is W32/Zipwire, a well-established Trojan downloader.

Typically, affected users have downloaded an infected .zip file advertised as carrying the campaign video, with names such as "Democratic Convention 2008 -- Barack Obama Acceptance".

The .zip files instead contain executable files (such as Setup.exe) that, when run, infect the host machine with assorted malware, including rogue anti-virus applications, which pretend to detect security problems on the infected machine in order to lure the user into buying the rogue AV product to "disinfect" it.

In some cases the files also include password stealers and backdoor infections, Webroot experts said.
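The vector described above, an archive advertised as a video that actually carries an executable, is easy to screen for before anything is opened. The following is an added example written for this article, not code from Webroot or the original post; the archive it inspects is constructed in memory and is not a real sample. It flags members both by executable extension and by the PE "MZ" header, so a renamed executable (for example one saved as .avi) is still caught.

```python
import io
import zipfile

# Extensions Windows will execute directly when a user double-clicks them.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def _ext(name: str) -> str:
    """Lower-cased extension of an archive member name, or '' if it has none."""
    lowered = name.lower()
    dot = lowered.rfind(".")
    return lowered[dot:] if dot != -1 else ""


def suspicious_members(zip_bytes: bytes) -> list:
    """Return archive members that are executables, labelled as such or not.

    Each finding is a dict with the member name and the reasons it was flagged.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            ext = _ext(info.filename)
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + ext)
            # A renamed executable keeps its PE header; only the first two bytes are needed.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("PE (MZ) header")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not a real-world file): a 'campaign video' zip holding a
    stub PE named Setup.exe, the same stub renamed to look like a video, and a readme."""
    folder = "Democratic Convention 2008 - Barack Obama Acceptance/"
    stub_pe = b"MZ" + b"\x00" * 62  # DOS header magic followed by padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(folder + "Setup.exe", stub_pe)
        zf.writestr(folder + "Obama Speech.avi", stub_pe)
        zf.writestr(folder + "readme.txt", b"Run Setup.exe to install the codec")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_archive()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

Running the block prints two findings: Setup.exe (flagged twice) and the renamed stub, while readme.txt passes.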

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to
