Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!
Proceed to the election results news page>>
2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
The spam subject lines include:
A new president, a new congress ...
Barack Obama wins
Can Obama win popular vote but lose election?
Did Obama Win Yet?
Election 2008: Time lapse of U.S. counties
Election Center 2008 - Election Results
Election Night Results
Fear of a Black President
Obama win an Electoral College majority
Obama win Defined by Race
Obama win preferred in world poll
Obama win sets stage for showdown
Obama Wouldnt Be First Black President
Obama's Win Reshapes the Race
Priorities for the New President
Priorities for the New President - TIME
The new President's cabinet?
USA Election 2008 Results
Will American Voters Elect a Black President
World Welcomes Obama's Win
The sender of the email pretends to be one of the following, using sender names such as:
2008 president center
Election Results center
President election results
Five different domains are used to host the fake website, and every copy of the page looks exactly the same.
The domain names used in this attack are:
bfiinwach.com - registered November 4th, BizCN.com
gerimumsoe.com - registered November 4th, BizCN.com
lopbiuemis.com - registered November 4th, BizCN.com
vcoenutrmsi.com - registered November 4th, BizCN.com
wconlinenrue.com - registered November 4th, BizCN.com
(The domain spritsonline.net is also owned by this criminal and is used to host the name server for the other five domains.)
The spam message sends users to the page "president.htm", which claims that you need a new Flash player, delivered as the file Adobe_flash9.exe, in order to view the video.
The virus has been reported to VirusTotal.com, where it was first seen at 11.05.2008 17:24:35 (CET).
Currently 14 of 36 anti-virus products represented at VirusTotal have detection for this version of the malware, which is a keylogger in a family sometimes called "SnifULA".
The virus file is 31232 bytes in size, and has the MD5 value: 47c86509a78dc1edb42f2964bea86306
This is the same keylogger family which has been behind all of the Digital Certificate bank malware that we have reported to you on so many occasions previously, including yesterday's story on the malware pretending to be a merger letter regarding Wachovia and Wells Fargo.
As evidence of that, we offer the fact that the five domains above are all being hosted on a fast flux network, and that many of the compromised home computers in that network have also hosted the domains for yesterday's Wachovia/WellsFargo malware.
Student malware analysts in the UAB Computer Forensics department have analyzed the malware and indicate that the stolen login credentials are being sent to the Ukraine. The virus steals userids and passwords and posts them to an IP address in a Ukrainian co-location pool.
Our friend Dan Clemens put one of those Chinese-registered domain names in a Fast Flux Tracker that he runs over at Packet Ninjas. During a one hour sample, the domain shifted between these IP addresses:
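Added example, not code from this post or from the Packet Ninjas tracker: a small Python triage routine that applies the two signals the post relies on, a domain registered the day before it was used and a one-hour resolution sample that hops between addresses in many countries, to a constructed resolution log. The sample addresses, countries and the thresholds are assumptions made for the example.

```python
from datetime import date, datetime

# Constructed resolution log for one domain, sampled for an hour: (time, IP, country).
# Addresses come from the RFC 5737 documentation ranges; countries are illustrative,
# mirroring the residential-ISP spread the post describes.
FLUX_SAMPLES = [
    ("2008-11-05 18:00", "192.0.2.10", "DE"),
    ("2008-11-05 18:05", "198.51.100.7", "SI"),
    ("2008-11-05 18:10", "203.0.113.3", "IT"),
    ("2008-11-05 18:15", "192.0.2.44", "BG"),
    ("2008-11-05 18:20", "198.51.100.9", "TW"),
    ("2008-11-05 18:25", "203.0.113.21", "RO"),
    ("2008-11-05 18:30", "192.0.2.10", "DE"),
    ("2008-11-05 18:40", "203.0.113.77", "PL"),
    ("2008-11-05 18:50", "198.51.100.7", "SI"),
    ("2008-11-05 19:00", "192.0.2.10", "DE"),
]
# A conventionally hosted site resolves to the same address every time (constructed).
STABLE_SAMPLES = [(f"2008-11-05 18:{m:02d}", "192.0.2.200", "US") for m in range(0, 60, 5)]


def analyze(samples, registered_on, first_seen):
    """Score one domain's resolution history plus its registration date (ISO strings).

    Returns the measured features, the reasons that fired and a verdict.
    Thresholds are assumptions chosen for this example, not published numbers."""
    times = [datetime.strptime(t, "%Y-%m-%d %H:%M") for t, _, _ in samples]
    hours = max((times[-1] - times[0]).total_seconds() / 3600, 1 / 60)
    ips = {ip for _, ip, _ in samples}
    countries = {cc for _, _, cc in samples}
    flips = sum(1 for a, b in zip(samples, samples[1:]) if a[1] != b[1])
    age_days = (date.fromisoformat(first_seen) - date.fromisoformat(registered_on)).days
    reasons = []
    if len(ips) >= 5:
        reasons.append(f"{len(ips)} distinct IPs in {hours:.1f}h")
    if len(countries) >= 3:
        reasons.append(f"hosts spread over {len(countries)} countries")
    if flips / hours >= 4:
        reasons.append(f"address changed {flips} times ({flips / hours:.0f}/h)")
    if age_days <= 7:
        reasons.append(f"domain registered only {age_days} day(s) before use")
    verdict = "likely fast-flux" if len(reasons) >= 2 else "unremarkable"
    return {"distinct_ips": len(ips), "countries": len(countries), "flips": flips,
            "age_days": age_days, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    print(analyze(FLUX_SAMPLES, "2008-11-04", "2008-11-05")["verdict"])
    print(analyze(STABLE_SAMPLES, "2001-03-01", "2008-11-05")["verdict"])
```

Requiring two independent signals keeps a single CDN-backed site with many addresses from being flagged on its own.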
As always, we recommend that you do not follow links received in email, but rather type the name of a reputable news website in your browser if you would like to see the news.