Fake Prez. Campaign Video Spreads Malware

Spammers are taking advantage of public attention on the U.S. presidential race to trick people into installing malicious software. A recent blast of spam purports to link to a video of Sen. Hillary Clinton (D-N.Y.) on the campaign trail; the links in fact lead to software that tries to turn the viewer's PC into a spam-spewing zombie.

The spam campaign, detailed in a brief writeup by researchers at Symantec Corp., encourages recipients to click on a link to download a video interview with Clinton. The link actually fetches a Trojan downloader, which in turn tries to pull down a second file that installs a rootkit -- a package of tools designed to hide malicious files on the system and prevent their removal. The malicious program also contacts several different Internet servers for instructions, enlisting the victim's PC in future spam campaigns. Symantec detects this threat as Trojan.Srizbi.

Zulfikar Ramzan, a senior principal researcher at Symantec, said that when a recipient hovers the mouse pointer over the link to the fake Clinton video, it appears to point at a Google search result. In fact, Ramzan said, the link is a crafted Google search URL that redirects anyone who clicks it to the attacker's site, which then tries to push down the Trojan. The lesson for anyone inspecting suspicious mail is that a familiar domain in the hover text says nothing about where the browser will ultimately land; the full URL, including its query string, has to be read.
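
The following is an added example, not code from the post or from Symantec, showing how a mail filter or analyst script can triage links that look like Google search results. The page does not say which trick the Clinton-video spam used, so the code assumes the two ways a search URL is commonly made to redirect: an absolute URL to another host carried in a query parameter, or Google's "I'm Feeling Lucky" parameter (btnI), which sends the browser straight to the top result for the search terms and so hides the destination entirely. The sample links and the .example hosts are constructed for the demonstration.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Search engines whose domain a recipient tends to trust when it shows up in
# hover text. Constructed for this example; _host() strips a leading "www.",
# so entries are stored without it.
SEARCH_HOSTS = {"google.com"}


def _host(url):
    """Lower-cased hostname with a leading 'www.' removed; '' if unparsable."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_search_link(link):
    """Classify a link whose visible domain is a search engine.

    Returns a (verdict, detail) tuple:
      ("not_search", None)      host is not one of SEARCH_HOSTS
      ("redirect", target_url)  a query parameter carries an absolute URL to a
                                different host; that is where the browser lands
      ("lucky", query_terms)    btnI ("I'm Feeling Lucky") is present, so the
                                browser is sent to the top result for the terms
                                and the real destination is not in the URL at all
      ("search", query_terms)   an ordinary results-page link

    Both redirect patterns are assumptions about how such links are built; the
    article does not document the exact mechanism used in this campaign.
    """
    if _host(link) not in SEARCH_HOSTS:
        return ("not_search", None)

    params = parse_qs(urlparse(link).query, keep_blank_values=True)

    # Pattern 1: any parameter value that is itself an http(s) URL on a foreign host.
    for values in params.values():
        for value in values:
            candidate = unquote(value)
            inner = urlparse(candidate)
            if (inner.scheme in ("http", "https") and inner.hostname
                    and _host(candidate) != _host(link)):
                return ("redirect", candidate)

    terms = " ".join(params.get("q", []))

    # Pattern 2: "I'm Feeling Lucky" auto-redirects to the first hit for the terms.
    if "btnI" in params:
        return ("lucky", terms)

    return ("search", terms)


def triage(links):
    """Return only the links that will not stop at a search results page."""
    flagged = []
    for link in links:
        verdict, detail = classify_search_link(link)
        if verdict in ("redirect", "lucky"):
            flagged.append((link, verdict, detail))
    return flagged


# Constructed sample links, in the shape a spam run might use.
SAMPLE_LINKS = [
    "http://www.google.com/url?q=http%3A%2F%2Fvideo-host.example%2Fclinton.exe&sa=U",
    "http://www.google.com/search?q=hillary+clinton+video&btnI=1",
    "http://www.google.com/search?q=hillary+clinton+video",
    "http://video-host.example/clinton.exe",
]

if __name__ == "__main__":
    for link, verdict, detail in triage(SAMPLE_LINKS):
        print(f"{verdict:8s} {link}\n         -> {detail}")
```

The first sample is caught because the q parameter decodes to a full URL on a host other than google.com; the second is flagged even though no attacker host appears anywhere in it, which is exactly why a hover check alone is not enough. Plain results-page links and links that never claimed to be Google are left alone.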

Back in 2007, when security experts were queuing up to predict the threats that would emerge in 2008, many -- including Symantec -- warned that we'd see scammers using the presidential campaigns as bait. But this isn't the first time this election cycle that a candidate's campaign has been connected with malicious software. In October, millions of spam e-mails were blasted out promoting the candidacy of Texas GOP hopeful Rep. Ron Paul. Researchers at Atlanta-based SecureWorks later tied that spam run back to a network of PCs infected with the very same Trojan horse program used in this latest attack -- our friend Mr. Srizbi.

Coincidence? You decide. But at least the bad guys aren't singling out one particular political party over another. So far, we haven't seen malware attacks apparently designed to disrupt a U.S. election, but the potential for such activity certainly exists (political phishing, anyone?), particularly if candidates aren't taking precautions to ensure that their online fundraising systems can't easily be abused by credit card thieves.

By Brian Krebs  |  February 14, 2008; 4:50 PM ET
Categories: Fraud, From the Bunker, Latest Warnings, Safety Tips, U.S. Government

Comments

RE: SnoopFree

Hi Brian:

Last week in Security Fix Live, Friday, Feb. 8, 2008

http://www.washingtonpost.com/wp-dyn/content/discussion/2008/02/06/DI2008020601716.html

you said:

QUOTE
I would use this as an opportunity to do things right. If you can't be bothered to set up a limited user account on your system, try the drop my rights approach with the browsers you use. In addition, there are free anti-keylogger programs available, such as SnoopFree and BoClean that are designed specifically to spot malware that tries to hook your keyboard.
/QUOTE


After I downloaded and installed SnoopFree version 1.0.7 according to your recommendation and from your link in WP (downloaded from www.snoopfree.com), AVG has now detected two Trojan Horse downloaders, Zlob.

The service SnoopFreeSvc cannot be stopped or disabled by administrators, and there is no way to uninstall, although you can run SnoopFree.exe /U. I think it reinstalls itself after rebooting.

My machine has been connecting to blk-7-215-184.eastlink.ca port 44687 from my localhost port 1056.

I have the first 1055 ports stealth according to grc's Shields Up!.

I have contacted eastlink.ca to report this but so far no response from them; what else?

Posted by: DC | February 15, 2008 10:54 AM | Report abuse

@DC -- It is unlikely that your installation of SnoopFree has anything to do with the fact that your AV has detected Zlob. Most likely, you recently downloaded some video "codec" that some site said you needed in order to view....er....video content (cough, cough).

At any rate, your best bet with Zlob is to download and use a removal tool called Smitfraud. Detailed instructions on where to get it and how to use it are at the link below. If you decide to go this route, make sure you read through the instructions at least once (better yet, print them out). Then follow them to a T. Best of luck.

http://forums.majorgeeks.com/showthread.php?t=74265

Posted by: Bk | February 15, 2008 1:41 PM | Report abuse

Thanks.
Anyway, according to AVG, Zlob was found in the file setup.exe downloaded from http://www.snoopfree.com/

Posted by: DC | February 15, 2008 1:45 PM | Report abuse

Thanks!
Anyway, according to AVG, Zlob was found in the file setup.exe downloaded from http://www.snoopfree.com/

AFAIK I haven't downloaded any videos, no codecs, nor anything of the sort.
Thank you.

Posted by: DC | February 15, 2008 1:46 PM | Report abuse

@DC -- Can you please email me a copy of the installer you downloaded from snoopfree? If so, please zip it and send it to brian dot krebs at washingtonpost dot com

thanks.

Posted by: Bk | February 15, 2008 1:52 PM | Report abuse

Brian,
Sure, I will, as soon as I get back to that infected machine and figure out a way to copy that file to otherwise unwritable media.
Thanks.

Posted by: DC | February 15, 2008 2:08 PM | Report abuse

Just checked setup.exe at VirusTotal; it comes back clean.

Posted by: JM | February 15, 2008 3:04 PM | Report abuse

Brian, I love your discretion (er...video content...cough, cough), even if it was misdirected. LOL

Posted by: Pete from Arlington | February 20, 2008 12:43 PM | Report abuse

Just finished reformatting my virus-infected laptop... almost frightened to turn it on anymore.

www.zpryme.com

Posted by: N.Walter | February 21, 2008 12:49 PM | Report abuse

The comments to this entry are closed.

© 2010 The Washington Post Company