Softpedia
 


January 19th, 2009, 10:17 GMT · By

Spammers Claim Barack Obama Calls It Quits

Fake Obama blog created to spread malware
As the inaugural ceremony approaches, Obama-related spam is increasing. The ever-original malware distributors are sending e-mails claiming that Barack Obama doesn't want to be President anymore, Sophos warns.

As we previously reported, Barack Obama has been back in the spammers' sights since December, with security researchers estimating that January will bring even more junk mail featuring the President-elect of the United States. The gangs pushing malware through spam don't want to miss the chance to capitalize on the upcoming inaugural ceremony, so they've come up with all sorts of bombastic scenarios.

E-mails with messages such as “Barack Obama doesn’t want to be next president,” “Barack Obama abandoned us,” and “The USA left without president” have been circulating in the last few days, security researchers from anti-virus vendor Sophos report. The links contained in these e-mails point to a Web page masquerading as the official Barack Obama blog.

The rogue website attempts to download a malicious executable file, which is served under different names, such as speech.exe, blog.exe, readme.exe, or barackblog.exe. “The executable is another in the Waled family of malware, detected as W32/Waled-Gen or Mal/WaledPak-A,” Richard Cohen, malware analyst at SophosLabs Canada, notes.

The page also tries to load a JavaScript file called google-analysis.js, whose purpose is to download the executable file automatically, the analyst notes.

Screenshot of the rogue page
The worms in the Waled family can communicate over HTTP to receive instructions, and they propagate by sending themselves via e-mail using their own SMTP engine.

By analyzing the e-mail template of these latest spam messages, Richard Cohen concludes that it is the work of the gang behind Storm. “The style and content of both the spam and the web pages indicate that the team behind Storm/Dorf is back again,” the researcher writes.

It is also notable that the cyber-criminals have put significant effort into making the fake Web site look as legit as possible. Except for some hard-to-notice color differences and some missing text formatting, the pages are quite similar. “They seem to have taken the level of social engineering up a notch,” Mr. Cohen concludes.

Another interesting aspect of the fake page is that it seems to communicate with the real blog, from where it imports the legit news. The researcher speculates that an RSS feed parsing script could be involved. The fake news item that falsely claims that Barack Obama no longer desires to be President is placed first on the list, above the legit ones.
