Election Malware and Obama Pill Ads?

Just a quick post to update the situation we described in our previous posts that we are now thinking of as Election Malware Round One and Election Malware Round Two. Round One was the Obama Acceptance Speech video and Round Two was the McCain video. Technically, I guess that means we are currently looking at Round Two B, since the webpage hasn't changed - we just have a fresh batch of domain names.

Election Malware: Round Three

We made contact over the weekend with a real live human at Bizcn.com, who terminated all the domains listed above. Unfortunately, the spammer created new ones and this morning (10NOV08) at 7:52 AM we began to see his latest round of spam. In the first three hours of this spam campaign, the spam is evenly split between three domains created last night:

- miteodemo.com
- oirerbio.com
- demovideons.com

All three domains use the nameserver ns1.vistausan.com, which was also freshly registered last night at bizcn.com.

Computers which are currently hosting proxy redirectors for the domains above also provided redirection services for some of the "Round two" domain names. Some examples currently hosting would be:

118.219.111.107
190.47.161.2
221.184.68.214
89.36.135.102
91.90.229.209

But these are "fluxing" - they will change over the course of the hours as we wait for bizcn.com to shut down these newest domains and their nameserver domain. The shutdown request, in Chinese and English, was sent just now (10:40 AM Central Time)

Barack Sex Video malware

The only other piece of malware we are seeing delivered via election headlines is a very well detected trojan claiming to be a Barack Obama sex video. The great majority of products detect this malware at VirusTotal.com.

The porn video attachment name we are seeing most often is "zeland-01.zip".

Michelle Obama's Name used in Pill Spam

Why anyone would think that email recipients would buy Viagra after reading headlines like these is beyond my comprehension. Two heavily spammed subjects today used to sell Canadian Pharmacy pills are tied to Michelle Obama's name.

All of these 20 domain names were seen advertised in spam using the subject "Bush kills Michelle Obama":

bxoaxcs.cn
cpknetj.cn
cvmovzf.cn
fihithm.cn
hddbzqq.cn
imvbokv.cn
ixwewyi.cn
kycsgsf.cn
lrlbbgf.cn
pagegim.cn
ppnbokc.cn
rornzxl.cn
rzbopdh.cn
rzrsaak.cn
szosojb.cn
teqixyb.cn
ticewyt.cn
umcaxtx.cn
wjqsclb.cn
wplbhdi.cn

These 26 domains names were all used in spam with the subject line "Michelle Obama nude":

aojeyer.cn
cnrogvy.cn
dlyumlv.cn
dvrujfi.cn
fqosaeq.cn
gohbrtf.cn
iemokpg.cn
ihyefos.cn
ixwewyi.cn
kuxulne.cn
kxhoyed.cn
kzinwkm.cn
mmaagwd.cn
oaleqte.cn
ocbibxf.cn
rnjonlg.cn
rzrsaak.cn
sujidbk.cn
syootqj.cn
tomnhac.cn
uqpnjrn.cn
uwkajlr.cn
wjqsclb.cn
xyynwye.cn
zgmnvfe.cn
zyuunvw.cn

Each of those domain names actually forwards to another domain name when visited, which sells Canadian Pharmacy pills. Spammers use this technique to remove their spam from website orders from the domains they control, because some affiliate programs actually do refuse payment from those who can be shown to be spamming. By using this forwarding technique, spammers can claim their domains were NOT used in spam messages.