Election Malware: Round Three
We made contact over the weekend with a real live human at Bizcn.com, who terminated all the domains listed above. Unfortunately, the spammer created new ones and this morning (10NOV08) at 7:52 AM we began to see his latest round of spam. In the first three hours of this spam campaign, the spam is evenly split between three domains created last night:
All three domains use the nameserver ns1.vistausan.com, which was also freshly registered last night at bizcn.com.
Computers which are currently hosting proxy redirectors for the domains above also provided redirection services for some of the "Round two" domain names. Some examples currently hosting would be:
But these are "fluxing" - they will change over the course of the hours as we wait for bizcn.com to shut down these newest domains and their nameserver domain. The shutdown request, in Chinese and English, was sent just now (10:40 AM Central Time)
Barack Sex Video malware
The only other piece of malware we are seeing delivered via election headlines is a very well detected trojan claiming to be a Barack Obama sex video. The great majority of products detect this malware at VirusTotal.com.
The porn video attachment name we are seeing most often is "zeland-01.zip".
Michelle Obama's Name used in Pill Spam
Why anyone would think that email recipients would buy Viagra after reading headlines like these is beyond my comprehension. Two heavily spammed subjects today used to sell Canadian Pharmacy pills are tied to Michelle Obama's name.
All of these 20 domain names were seen advertised in spam using the subject "Bush kills Michelle Obama":
These 26 domains names were all used in spam with the subject line "Michelle Obama nude":
Each of those domain names actually forwards to another domain name when visited, which sells Canadian Pharmacy pills. Spammers use this technique to remove their spam from website orders from the domains they control, because some affiliate programs actually do refuse payment from those who can be shown to be spamming. By using this forwarding technique, spammers can claim their domains were NOT used in spam messages.