11/6/2008 3:09:00 PM

A New Surge of Obama-related Malware Spam

by Oren Medini

Cyber criminals are taking advantage of the world's focus on Barack Obama after his victory in the race for the White House.

Users worldwide were overwhelmed by a flood of spam emails right after the results of the presidential race were announced. The spam invites users to watch Barack Obama's victory speech. Clicking on the link takes the user to a webpage that requires him to install the latest version of Adobe Flash Player in order to play the video. Clicking the link to the supposed Adobe update downloads a Trojan called 'adobe_flash.exe', which in turn installs an information-stealing Trojan on the user's system.

This Trojan installs a rootkit, a program specifically designed to conceal the Trojan's presence on the infected system. The Trojan monitors the victim's system for passwords of banking websites and then sends the gathered information back to a server located in Ukraine.

The following is an example of the spammed email:

eSafe proactively detects and blocks the spammed Trojan as a suspicious file. Only 14 out of the 36 major antivirus products detected the Trojan. The following is a link to the VirusTotal analysis for the Trojan's file 'adobe_flash9.exe':

http://www.virustotal.com/analisis/58fd7100e69f9c940d6904981834f1fd

AIRC will provide a signature that names this threat specifically in today's update.


Tags: Web-based Trojans | Spam

9/18/2008 8:07:00 PM

Snooping into Palin emails? Watch out for the criminals snooping on you!

by Iftach Ian Amit


Following the recent news on how an anonymous group managed to take over Sarah Palin's Yahoo! email account, we have noticed some interesting happenings. As wikileaks, which was the original posting location of the images taken from Palin's Yahoo! inbox, was unavailable for some time, copies of the wikileaks post started to appear on other sites.

Our assumption is that as users found the original site unavailable, they started deepening their searches to find other copies of the original images. It seems that e-criminals are in tune with the latest news and browsing habits, and have managed to publish (or alter an already published) zip archive of the original wikileaks post with a small alteration: a malicious script appended to the HTML content. Users eager to take a look at the leaked images found themselves looking at an archived copy of the original wikileaks page, without any clue about the malicious script running on their PC at the same time.

The script used is the usual obfuscated JavaScript designed to evade detection; it exploits a couple of vulnerabilities in QuickTime and Microsoft's WMV components. The exploits are designed such that, once successful, a Trojan posing as an anti-virus application is installed on the local machine. The specific Trojan used in this incident is similar to those in other related attacks covered in our latest security research findings, which traced sites connected to recent news as well.

Attackers are in a position where they can choose the kinds of malicious software running on victims' machines, as Malweb allows them to run any kind of code on them.

In conclusion: although it may be hard to stop in your tracks when the original site hosting breaking news is down, it seems wise to look carefully at alternate copies of the evidence posted at other locations. Some may be legitimate carbon copies of the content; some may have a slight addition to the news in order to serve less legitimate purposes.

Update: Further information on the technique itself used to obtain access to Palin's account is covered here.


Tags: malweb | Hackers | Web-based Trojans | Press Coverage

9/18/2008 6:35:00 PM

Less phish, more meat? Malweb proving to be more efficient than phishing scams.

by Iftach Ian Amit

In a somewhat below-the-radar report, the Anti-Phishing Working Group (APWG) Q1 report shows, for the first time, a decrease in the number of phishing reports towards the end of the quarter.

In a startling (although expected) contrast, reports on crimeware, malware, Trojans and other malicious code (all delivered by Malweb!) are on the rise, as the attack vector that uses Malweb is proving to be the most efficient ROI-wise.

Our view on this: obvious! Phishing is a one-off that targets a single institution. It may be efficient for a short time, as these sites are detected and brought down rather quickly. Malweb, on the other hand, is a long-term investment. It brings the ability to install a more persistent rootkit/Trojan on the victim's system, which provides a more configurable platform for financial fraud than a phishing scam would.

The report is available at http://apwg.org/reports/apwg_report_Q1_2008.pdf.


Tags: malweb | Web-based Trojans | Online Fraud

8/24/2008 4:12:00 PM

A new variant of the Facebook worm hits again

by Bahaa Naamneh

Two weeks after its first appearance, a new variant of the recent Facebook worm is spreading again. The worm propagates by sending links to alleged video clips on what looks like a YouTube page to all the friends in the victim's Facebook account. Following the spammed link ends up infecting your system with the worm.

The fake YouTube page of the video is designed in a way that makes it look as if it was uploaded by the person who sent the message.

Once this worm runs, it contacts a server in order to receive the content of the messages to be sent. The server supplies the worm with the subject of the spammed message, the body of the message, and links with obfuscated URLs pointing to the fake YouTube website.

The sent messages attempt to entice users into clicking on the spammed link using sentences such as:
  • "Your ass looks not bad in this video"
  • "Who and when made this video of you?!!!"
  • "Nudity makes you beautiful. Who made this video? You look disgusting this video!"

The link leads to a fake YouTube page which then requires an update for the user's Flash player in order to watch the video. Clicking on the button downloads an executable that, if executed, infects the victim's system with the worm. According to VirusTotal, only 11 out of 36 antivirus products detect this variant of the worm.

The following are the symptoms of infection:
1. The worm copies itself as: c:\windows\fbtre9.exe
2. It also creates the following file: c:\windows\fmark2.dat
3. It creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"sysftray2" = "c:\windows\fbtre9.exe"
4. This worm also deletes the following registry key:
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
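The symptoms above are a small, concrete set of indicators. The following is an added example (not eSafe's or AIRC's code) of how a defender might sweep a host for them: it parses the textual output of `reg query` for the Run key, compares it and a file inventory against the listed indicators, and treats the missing `Navigating` key only as corroboration, since users and other software can remove that key too. The `reg query` output and the file listing are constructed samples of an infected host; in practice you would feed in the real command output.

```python
import re

# Indicators of compromise exactly as listed in the post above.
WORM_FILES = {r"c:\windows\fbtre9.exe", r"c:\windows\fmark2.dat"}
RUN_VALUE_NAME = "sysftray2"
RUN_VALUE_DATA = r"c:\windows\fbtre9.exe"
DELETED_KEY = r"HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating"

# Matches one value line of `reg query` output: "    name    REG_SZ    data"
REG_VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Constructed sample of `reg query HKLM\...\Run` output from an infected host.
SAMPLE_RUN_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon       REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    sysftray2    REG_SZ    c:\windows\fbtre9.exe
"""

# Constructed sample file inventory of C:\Windows on the same host.
SAMPLE_WINDOWS_FILES = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\fbtre9.exe",
    r"C:\WINDOWS\fmark2.dat",
]


def parse_reg_query(text):
    """Return {value_name: data} from the textual output of `reg query`."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data")
    return values


def check_run_values(values):
    """Flag Run entries that match the worm by value name or by the file they launch.

    Matching on the launched path as well catches a variant that only renames the value.
    """
    findings = []
    for name, data in values.items():
        launched = data.strip().strip('"').lower()
        if name.lower() == RUN_VALUE_NAME or launched == RUN_VALUE_DATA:
            findings.append(f"Run value {name} -> {data}")
    return findings


def check_files(paths):
    """Flag any of the worm's dropped files present in the inventory (case-insensitive)."""
    present = {p.lower() for p in paths}
    return [f"file {p}" for p in sorted(WORM_FILES) if p in present]


def assess_host(run_query_text, windows_files, navigating_key_exists):
    """Combine the checks; the deleted key is reported only alongside stronger evidence."""
    findings = check_run_values(parse_reg_query(run_query_text)) + check_files(windows_files)
    if findings and not navigating_key_exists:
        findings.append(f"missing key {DELETED_KEY} (consistent with infection)")
    return findings


if __name__ == "__main__":
    for finding in assess_host(SAMPLE_RUN_QUERY, SAMPLE_WINDOWS_FILES, navigating_key_exists=False):
        print("INDICATOR:", finding)
```

On a live host you would replace the samples with the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, a listing of `C:\Windows`, and the result of querying the `Navigating` key; a hit on the Run value or the dropped files is the actionable signal.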


Tags: Web-based Trojans

8/10/2008 3:00:00 PM

A New Facebook Worm Spreading

by Oren Medini

Presumably, between 900 and 1,800 Facebook users have been infected by a new worm spreading through Facebook since Wednesday. This nasty worm aims to install malware with a keylogger payload on victims' PCs.

Once this worm runs, it spreads by creating and sending spam messages to the infected users' friends via the Facebook website. The sent messages include titles such as:

  • "LOL. You've been catched on hidden cam, yo:"
  • "Paris Hilton Tosses Dwarf On The Street"
  • "Examiners Caught Downloading Grades From The Internet"

The spam messages include a link to a random URL. The URL in fact points to a fake YouTube web page that shows a video player along with what looks like a standard browser message asking you to update Flash in order to watch the clip. Clicking on the button launches the worm installation, which is proactively detected and blocked by eSafe.
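The Obama spam post and both Facebook worm posts above share one lure: a page that claims a Flash Player update is needed and then serves an executable such as 'adobe_flash.exe'. As an added example (not eSafe's or AIRC's code), the script below applies that pattern to web proxy logs: an executable whose filename is dressed up as an Adobe, Flash or update file, served from a host outside an allow-list of Adobe's own domains, is reported. The log layout, the allow-list of trusted domains and the executable MIME types are assumptions, and the log lines are constructed samples; adjust all three to your own proxy.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list of domains Adobe distributes Flash Player from; adjust for your environment.
TRUSTED_FLASH_HOSTS = ("adobe.com", "macromedia.com")

# MIME types proxies commonly record for Windows executables (assumed list).
EXECUTABLE_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}

# Words the lures in these posts put in the download name ("adobe_flash.exe", Flash player update).
LURE_WORDS = re.compile(r"adobe|flash|player|update|install", re.IGNORECASE)

# Assumed log layout: timestamp client method url status content-type, space separated.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)

# Constructed sample proxy log: one legitimate Flash download, two lures, one harmless page.
SAMPLE_PROXY_LOG = """\
2008-11-06T15:02:11 10.0.0.12 GET http://fpdownload.adobe.com/get/flashplayer/install_flash_player.exe 200 application/octet-stream
2008-11-06T15:03:40 10.0.0.12 GET http://obama-speech.example/video/adobe_flash.exe 200 application/octet-stream
2008-11-06T15:04:02 10.0.0.27 GET http://www.youtube.com/watch?v=example 200 text/html
2008-11-06T15:05:19 10.0.0.27 GET http://cdn.example.net/video/flash_update.php 200 application/x-msdownload
"""


def host_is_trusted(host):
    """True for an allow-listed domain or any subdomain of it (never for look-alikes)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_FLASH_HOSTS)


def is_fake_flash_download(url, ctype):
    """True when an executable named like a Flash/Adobe update is served from an untrusted host.

    The content type is checked as well as the extension so that a lure served as
    'flash_update.php' with an executable MIME type is still caught.
    """
    parts = urlsplit(url)
    filename = parts.path.rsplit("/", 1)[-1]
    looks_executable = filename.lower().endswith(".exe") or ctype.lower() in EXECUTABLE_TYPES
    return (
        looks_executable
        and bool(LURE_WORDS.search(filename))
        and not host_is_trusted(parts.hostname or "")
    )


def scan_proxy_log(text):
    """Return (client, url) for every request that matches the fake-update heuristic."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_fake_flash_download(m.group("url"), m.group("ctype")):
            hits.append((m.group("client"), m.group("url")))
    return hits


if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} fetched a suspected fake Flash update: {url}")
```

A hit tells you only that the download happened, not that the file was run; pair it with the host-side indicator check from the relevant worm post, or with endpoint antivirus telemetry, before declaring an infection.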


Tags: Web-based Trojans