Malware Campaign Impersonates Barack Obama's Website

Today we discovered a botnet-controlled, fast-flux-operated malware campaign impersonating the website of United States President-elect Barack Obama. The fake website looks just like the real thing and attempts to bait viewers into clicking a story entitled “Barack Obama has refused to be a president”. When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the files needed to host the fake site on the victim's computer.

Excerpt: Barack Obama's inauguration that was planned on 20th January 2009 is under the threat of failure. On the Eve of Inauguration Day President-elect Barack Obama made statement. He declared that he is definitely NOT ready for this position. Analysts say that Barack Obama has refused to be next president because he recognized inconsistency of his plan of stimulating USA economy

 Barack Obama (Malware Site)

The attack appears to have originated from China as the domains were purchased from a Chinese domain registrar called XINNET TECHNOLOGY CORPORATION.  Xinnet has a history of abuse problems and we have contacted them to remove the domain names.  

The file names of the malware are:

  • doc.exe
  • statement.exe
  • obamaspeech.exe
  • blog.exe
  • barack.exe
  • usa.exe
  • baracknews.exe
  • pdf.exe
  • news.exe
  • obamasblog.exe
  • barakblog.exe
  • statement.exe
  • president.exe
  • obamanews.exe
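
One way to hunt for this campaign in web proxy logs, as an added example that is not part of the original post: it matches the executable names listed above against the file name in each requested URL. The log format, the sample lines and the `.example` hosts are constructed assumptions.

```python
# Added example: flag proxy-log requests for the lure executables listed in this post.
from collections import defaultdict
from urllib.parse import urlsplit, unquote
import posixpath

# File names taken from the list in this post (duplicate entry collapsed).
LURE_NAMES = frozenset({
    "doc.exe", "statement.exe", "obamaspeech.exe", "blog.exe", "barack.exe",
    "usa.exe", "baracknews.exe", "pdf.exe", "news.exe", "obamasblog.exe",
    "barakblog.exe", "president.exe", "obamanews.exe",
})

# Constructed sample lines in an assumed "<client-ip> <method> <url>" format,
# using placeholder hosts under the reserved .example TLD.
SAMPLE_LOG = """\
10.0.0.5 GET http://lure-one.example/statement.exe
10.0.0.5 GET http://lure-one.example/index.html
10.0.0.9 GET http://lure-two.example/files/OBAMASPEECH.EXE?id=7
10.0.0.9 GET http://lure-two.example/%62log.exe
10.0.0.7 GET http://intranet.example/tools/mydoc.exe
10.0.0.7 GET http://intranet.example/doc.exe.txt
malformed line
"""

def lure_name(url):
    """Return the matched lure file name, or None if the URL does not request one."""
    path = unquote(urlsplit(url).path)        # drop the query string, decode %xx escapes
    name = posixpath.basename(path).lower()   # exact, case-insensitive basename match
    return name if name in LURE_NAMES else None

def find_lure_downloads(log_text):
    """Map client IP -> list of (host, file name) for requests matching a lure name."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "GET":
            continue                          # skip lines not in the assumed format
        client, _, url = parts
        name = lure_name(url)
        if name:
            hits[client].append((urlsplit(url).hostname, name))
    return dict(hits)

if __name__ == "__main__":
    for client, found in find_lure_downloads(SAMPLE_LOG).items():
        print(client, found)
```

Matching on the exact basename keeps names such as `mydoc.exe` or `doc.exe.txt` from raising false alarms, while decoding and lower-casing catch trivially disguised requests.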

Visual Representation of the domains:

Visual Representation of Malware Site 

Fast-Flux Representation (1 of 40 domains):

Barack Obama - Fast-Flux

 

Updated list to 75 domain names as of 1/20/09

Note:  These domains are included for informational purposes only.  Please do not attempt to visit the sites.


 
