Malware Campaign Impersonates Barack Obama's Website

Sean-Paul Correll — Sat, 17 Jan 2009 22:32:00 GMT

Today we discovered a botnet controlled, fast-flux operated malware campaign impersonating the United States President-elect Barack Obama’s website. The fake website looks just like the real thing and attempts to bait viewers into clicking a story entitled, “Barack Obama has refused to be a president”. When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the necessary files needed to host the fake site on the victims computer.

Excerpt: Barack Obama's inauguration that was planned on 20th January 2009 is under the threat of failure. On the Eve of Inauguration Day President-elect Barack Obama made statement. He declared that he is definitely NOT ready for this position. Analysts say that Barack Obama has refused to be next president because he recognized inconsistency of his plan of stimulating USA economy

The attack appears to have originated from China as the domains were purchased from a Chinese domain registrar called XINNET TECHNOLOGY CORPORATION. Xinnet has a history of abuse problems and we have contacted them to remove the domain names.

The file names of the malware are:

doc.exe
statement.exe
obamaspeech.exe
blog.exe
barack.exe
usa.exe
baracknews.exe
pdf.exe
news.exe
obamasblog.exe
barakblog.exe
statement.exe
president.exe
obamanews.exe

Visual Representation of the domains:

Fast-Flux Representation (1 of 40 domains):

Updated list to 75 domain names as of 1/20/09

Note: These domains are included for informational purposes only. Please do not attempt to visit the sites.

httx://bestbarack.com
httx://bestbaracksite.com
httx://bestchristmascard.com
httx://bestmirabella.com
httx://bestobamadirect.com
httx://bestyearcard.com
httx://blackchristmascard.com
httx://cardnewyear.com
httx://cheapdecember.com
httx://christmaslightsnow.com
httx://decemberchristmas.com
httx://directchristmasgift.com
httx://eternalgreetingcard.com
httx://expowale.com
httx://freechristmassite.com
httx://freechristmasworld.com
httx://freedecember.com
httx://funnychristmasguide.com
httx://goodnewsdigital.com
httx://goodnewsreview.com
httx://greatbarackguide.com
httx://greatmirabellasite.com
httx://greatobamaguide.com
httx://greatobamaonline.com
httx://greetingcardcalendar.com
httx://greetingcardgarb.com
httx://greetingguide.com
httx://greetingsupersite.com
httx://holidayxmas.com
httx://itsfatherchristmas.com
httx://jobarack.com
httx://justchristmasgift.com
httx://lifegreetingcard.com
httx://linkworldnews.com
httx://livechristmascard.com
httx://livechristmasgift.com
httx://mirabellaclub.com
httx://mirabellamotors.com
httx://mirabellanews.com
httx://mirabellaonline.com
httx://newlifeyearsite.com
httx://newmediayearguide.com
httx://newyearcardcompany.com
httx://newyearcardfree.com
httx://newyearcardonline.com
httx://newyearcardservice.com
httx://reportradio.com
httx://smartcardgreeting.com
httx://spacemynews.com
httx://superchristmasday.com
httx://superchristmaslights.com
httx://superobamadirect.com
httx://superobamaonline.com
httx://superyearcard.com
httx://thebaracksite.com
httx://themirabelladirect.com
httx://themirabellaguide.com
httx://themirabellahome.com
httx://topgreetingsite.com
httx://topwale.com
httx://uperobamadirect.com
httx://waledirekt.com
httx://waleonline.com
httx://waleprojekt.com
httx://wapcitynews.com
httx://whitewhitechristmas.com
httx://worldgreetingcard.com
httx://worldnewsdot.com
httx://worldnewseye.com
httx://worldtracknews.com
httx://yourchristmaslights.com
httx://yourdecember.com
httx://yourmirabelladirect.com
httx://yourregards.com
httx://youryearcard.com

PandaLabs : Botnet

Malware Campaign Impersonates Barack Obama's Website