Malicious Sites with Fake Obama News Infect Users with Malware

Spammers are luring victims to a malicious site with false reports about President-elect Barack Obama. The spam is being sent out by the Waledac botnet, which security researchers say is a reincarnation of the infamous Storm botnet.

It should come as little surprise that spammers are taking advantage of interest in Barack Obama, who is slated to be officially sworn in as the United States' 44th president today.

In the past few days, security vendors have reported spam with links to malicious Web sites. Clicking on the link will take users to a virtual replica of Obama's official site, except this one tries to infect visitors with variants of the Waledac Trojan.

The Waledac botnet is believed by some security researchers to be a resurgence of Storm, the botnet that plagued in-boxes throughout 2007 into 2008. According to SecureWorks, Waledac already has around 10,000 bots to its credit. During the holidays, Waledac made its presence felt by spamming greeting cards. Now, the botnet's controllers seem to have moved on to the news of the day.

The hackers have mimicked the official Obama Web site almost exactly and have registered domain names to host their bogus content. According to a blog posting from Microsoft's Malware Protection Center, the domain names are typically made up of three words, the second of which is the name "Obama." The first may be "super" or "great"; the third may be "direct," "online" or "guide," according to the post.
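The naming pattern described above can be turned into a simple check over proxy or DNS logs. The following is an added example, not code from Microsoft or any vendor cited here; it assumes the three words are joined in a single DNS label (optionally hyphen-separated), and the log lines and `.example` hostnames are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlsplit

# Word lists taken from the Microsoft description quoted above; the post says
# "may be", so they are treated as known examples, not as an exhaustive list.
FIRST_WORDS = {"super", "great"}
THIRD_WORDS = {"direct", "online", "guide"}

# Assumption: the three words sit in one DNS label, optionally hyphen-separated.
LABEL_RE = re.compile(r"^([a-z]+)-?obama-?([a-z]+)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def classify_host(host):
    """Return 'known' (listed words), 'pattern' (shape only) or None."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    verdict = None
    # Check every label except the TLD, so subdomains are covered too.
    for label in labels[:-1]:
        m = LABEL_RE.match(label)
        if not m:
            continue
        if m.group(1) in FIRST_WORDS and m.group(2) in THIRD_WORDS:
            return "known"
        verdict = "pattern"  # word-obama-word shape, but words not on the list
    return verdict

def scan_lines(lines):
    """Yield (line_number, host, verdict) for each URL whose host matches."""
    for number, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            verdict = classify_host(host) if host else None
            if verdict:
                yield number, host, verdict

# Constructed sample log lines; the hosts are placeholders, not real IoCs.
SAMPLE_LOG = [
    "10.0.0.5 GET http://superobamadirect.example/index.html 200",
    "10.0.0.7 GET http://www.great-obama-guide.example/ 200",
    "10.0.0.9 GET http://bestobamanews.example/story 200",
    "10.0.0.9 GET https://news.example/politics/obama-inauguration 200",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(hit)
```

A `pattern` verdict only means the hostname has the same shape, so legitimate sites can match it; treat it as a lead for review rather than a block rule.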

The sites contain links with titles such as "Barack Obama Has Refused to Be President," and when users click on them they are infected with malware. "WORM_WALEDAC.KAX steals email addresses by searching for these in files found in fixed, network, and RAM drives," Trend Micro's Jake Soriano wrote on his company's blog. "It saves and encrypts a file containing its stolen information, and sends this file to several IP addresses using HTTP post."

The worm also has backdoor capabilities and opens random ports in an affected system to listen for commands from a remote user, he added.

Unfortunately for those interested in the incoming president, Obama has been a frequent target of spammers. During the election, Obama was featured in more spam messages than his Republican rivals, "winning" with more than 80 percent of Election Day-related spam, according to figures from Symantec's MessageLabs.

"Obama's predecessors - including Bill Clinton, George W Bush and even Ronald Reagan - have all been the subject of viruses in the past, and Barack Obama has not just seen malware using his name for social engineering purposes during last year's election campaign, but even his wife Michelle," noted Graham Cluley, senior technology consultant at Sophos, in a blog post. "My guess, however, is that during Barack Obama's time as president we'll see more malware using his name than any other president in history."