January 19, 2009

Fake US Presidential Inauguration and Obama Websites

Fake Barack Obama blogs and websites are being used to infect computers with a worm called Waledac. According to several in the security community, including Jose at Arbor Networks, this worm appears to be from the same makers as the Storm worm.

An example is hxxp://www.bestbaracksite.com/
(WARNING: Malicious site).

Visitors to the site see graphics and blog entries that look real, and while they read the entries a drive-by install silently places malicious code on their system. All the links on the website point to a malicious EXE download as well. This site, by the way, is using "fast flux" DNS to avoid takedown and appears to be hosted on a botnet, as some of the IPs appear to belong to home DSL/cable modem customers.

With the US presidential inauguration tomorrow, I expect to continue to see a rise in this type of attack, and I recommend you check your web proxy logs for any domains with the following words in them:

barack
obama
presidential
inauguration
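
One way to run this check over proxy logs, as an added example that is not part of the original post. It assumes Squid's native access.log layout, uses constructed sample lines with reserved example domains and documentation IP ranges, and matches the keywords against the hostname only so that ordinary news URLs with these words in the path are not flagged; the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Keywords from the post; matched against the hostname only, not the URL path.
KEYWORDS = ("barack", "obama", "presidential", "inauguration")

# Constructed sample lines in Squid's native access.log layout (assumed format).
SAMPLE_LOG = """\
1232380800.123    210 10.0.0.15 TCP_MISS/200 5120 GET http://www.barack-blog.example.com/ - DIRECT/192.0.2.10 text/html
1232380801.456    180 10.0.0.15 TCP_MISS/200 90112 GET http://www.barack-blog.example.com/setup.exe - DIRECT/192.0.2.44 application/octet-stream
1232380802.789     95 10.0.0.22 TCP_MISS/200 2048 GET http://news.example.com/obama-inauguration.html - DIRECT/198.51.100.7 text/html
1232380803.012     60 10.0.0.31 TCP_MISS/200 0 CONNECT inauguration-live.example.net:443 - DIRECT/203.0.113.5 -
1232380804.345     40 10.0.0.31 TCP_HIT/200 1024 GET http://www.example.org/index.html - NONE/- text/html
"""

def hostname_of(target):
    """Return the lower-cased host from a URL or a CONNECT host:port target."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse a bare host:port
    return (urlsplit(target).hostname or "").lower()

def find_suspect_hosts(log_text, keywords=KEYWORDS):
    """Map each keyword-matching hostname to clients, peer IPs and hit count."""
    pattern = re.compile("|".join(map(re.escape, keywords)))
    hits = defaultdict(lambda: {"clients": set(), "peers": set(), "count": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip truncated or malformed lines
        client, target, hierarchy = fields[2], fields[6], fields[8]
        host = hostname_of(target)
        if not pattern.search(host):
            continue
        entry = hits[host]
        entry["clients"].add(client)
        entry["count"] += 1
        peer = hierarchy.partition("/")[2]  # IP the proxy fetched from
        if peer and peer != "-":
            entry["peers"].add(peer)
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(host, info["count"], sorted(info["clients"]), sorted(info["peers"]))
```

The peer IPs are collected per hostname because one hostname served from many different addresses is consistent with the fast-flux hosting described above, and the client list shows which internal machines to examine.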
