The Latest in IT Security

Political rhetoric ramps up and so does President Obama related spam

17
Apr
2012

by Dave Michmerhuizen & Luis Chapetti – Security Researchers

If you’re a malware spammer, the number one challenge you face is how to get people to open, read and follow links in your message.

To accomplish this, one of the driving emotions that spammers appeal to is curiosity. For years spammers have sent emails offering glimpses of gory accidents, scantily clad women and outrageous celebrity behavior – anything that might get you to drop your guard, suspend your critical thinking and click through some dodgy link in the hope of seeing some juicy nugget.

An excellent example of that fell into the Barracuda Labs spam traps recently. It claimed that President Obama is a homosexual and offered an incriminating picture that would prove it. Who wouldn’t be curious about that?

Obama is gay email

We actually hope most people wouldn’t be. The email is so obviously bogus you might think no one would click on the link. Well, in the interest of research, we did, and in our investigation we found that quite a few other people did as well.

Clicking on the link in the email and running the download is pretty anticlimactic. The download attempts to divert your attention by opening cute picture of a koala bear.

distracting picture

(click for larger image)

Behind the scenes it silently installs a copy of a commercially available keylogger known as Perfect Keylogger. This program monitors every program you run and every key stroke you enter. and stores them in a local file, like this example

Keystroke log file

(click for larger image)

Perfect Keylogger also captures screenshots periodically and stores them off to disk. Every so often it gathers together the captured data and sends them to a remote server using the File Transfer Protocol (FTP).

Perfect Keylogger FTP traffic

(click for larger image)

FTP sends traffic in the clear, so it was possible for us to get a listing of the server that receives the keylogger data.

Keylogger FTP site

(click for larger image)

Only a few days after the spam was first seen there are a large number of folders on the keylogger website, each representing a person who clicked on the initial link and ran the downloaded program. It appears that outrageous headlines spurs curiosity which is effective in getting people to click on links and install malware.

The lesson here is not to let that curiosity get the better of you, even if the email and link appear to come from some trusted source. If the content is designed to intrigue or titillate then there’s a good chance that the end result will be unpleasant.

Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from these emails. Barracuda Web Filters and the Barracuda Web Security Flex service stop the download of this threat.

Leave a reply


Categories

THURSDAY, MARCH 28, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments