Waledac Trojan Hosted by Fake Obama Website

“Now that Inauguration Day is upon the US, malware authors have a new spate of social engineering tricks up their sleeve.”

We've seen Barack Obama's name used by malware authors for malevolent purposes before, during the campaign and leading up to the US Presidential Elections.
Now that Inauguration Day is upon the US, malware authors have a new spate of social engineering tricks up their sleeve. They've almost perfectly mimicked the official Obama website, www.barackobama.com, and registered a bunch of domain names containing their mimicked content.
The domain names are usually made up of three words, the second of which is the name Obama. The first may be "super" or "great", the third may be "direct", "online", or "guide". Note that this is based on the samples that we have seen so far, so it's possible that the malware authors may use other word combinations in the future.
The fake website may look like this:

Fake Obama Website

All links in the website point to an executable file, which Microsoft currently detects as Trojan:Win32/Waledac.A. This trojan collects email addresses in the system and then posts its gathered information to certain websites. It may also connect to these websites to download and run other malware.
These fake websites are being spread via email, presumably spammed out, with a potentially incendiary message:

Fake Obama Email

We've actually been seeing samples of Waledac.A for about two weeks, mostly as spammed greeting cards. The domain names in the spammed email also change frequently, but were known to reference New Year and Christmas.
Once the holiday season was over, the malware authors had to find a way to sustain the spread of their malware. The next big occasion is the Inauguration, so that must have seemed like the logical social engineering technique to use.
In any case, we expect to see this spam series to last for a few days, while a lot of people will still be talking about the Inauguration. The malware authors have to change the message in their fake websites once the Inauguration pushes through, of course, but we're sure they will find something. It's up to the users to remain vigilant about what websites they're visiting and whose emails they decide to open.
- Jireh Sanico & Ina Ragragio

Comments (0)

Skip to main content