Published: November 07, 2008 11:11 am

Bank information of thousands sent to Russian hackers

By J OSBORNE, Editor

A University of Alabama (UAB) blog, CyberCrime & Doing Time, reports that a new computer virus masquerading as a video of Obama's acceptance speech is making the rounds.

The virus steals passwords for bank accounts and credit cards, along with any other hidden information stored on your computer.

The site reads, “Less than twelve hours after President-Elect Obama’s historic acceptance speech, computer criminals have already crafted a malware attack based on the speech. The UAB Spam Data Mine has observed more than 300 spam messages which invite email readers to view the speech with a spam message to entice readers into going to the site to listen to Obama’s acceptance speech.

The originator of the e-mail appears to be a major news outlet such as news@cnn.com, news@usatoday.com or news@bbc.com among the hundreds of pseudo sites the e-mail uses.

There are, according to the UAB blog, only five different websites which are used to host the fake website.

The spam message sends users to the page “president.htm”, which claims that you need a new player, Adobe_flash9.exe, in order to view the video.

The virus has been reported to VirusTotal.com, where it was first reported at about 5:24 p.m. Nov. 5.

Currently 14 of 36 anti-virus products represented at VirusTotal have detection for this version of the malware, which is a keylogger in a family sometimes called “SnifULA.”

Student malware analysts in the UAB Computer Forensics department have analyzed the malware and indicate that the stolen login credentials are being sent to the Ukraine. The virus steals userids and passwords, and posts them to this IP address:

The Adobe_flash9.exe file is, of course, not an Adobe file. It is malware that downloads a rootkit onto the user’s computer and then sends vital data to multiple command and control servers.

It was also noted that the malware:

• Contains rootkit technology to conceal itself

• Is designed to steal information from an infected computer

• Also has general “backdoor” functionality — which means the hackers may get back into your computer at any time without your knowledge.

• Spies on user’s keyboard and mouse inputs and can take screenshots and e-mail them to the originator

• Looks for passwords

It submits the information it needs to a Web server located in Kiev, Ukraine.

What this means is that the data goes into cyberspace and the hackers can remotely control your computer. This is particularly critical if e-banking transactions have been carried out, since this data is now available to the hacker. Attackers used the names of well known publications in the email subject line to encourage users to click on the links. They used several variations of malicious lures mainly containing videos.

As always, we recommend that you do not follow links received in email, but rather type the name of a reputable news website in your browser if you would like to see the news.

Posted by UAB’s Director of Research in Computer Forensics at 9:41 AM
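
The traits of this lure reported above (a news-outlet sender address, links that lead to an unrelated host, the page name “president.htm” and a download named like a Flash installer) can be checked mechanically on incoming mail. The following Python sketch is an added example, not code from the UAB blog or this article; the function names, the sample messages and the `.example` hosts are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender domains the article names as spoofed in this campaign.
SPOOFED_NEWS_DOMAINS = {"cnn.com", "usatoday.com", "bbc.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# File names imitating a Flash Player installer, e.g. Adobe_flash9.exe.
FAKE_FLASH_RE = re.compile(r"(adobe|flash)[\w.-]*\.exe$", re.IGNORECASE)

# Constructed sample messages; the .example hosts and subjects are placeholders.
SAMPLE_LURE = ("From: CNN News <news@cnn.com>\nSubject: Acceptance speech video\n\n"
               "Watch the speech: http://video.lure-host.example/president.htm\n")
SAMPLE_BENIGN = ("From: CNN News <news@cnn.com>\nSubject: Headlines\n\n"
                 "Read more at http://www.cnn.com/politics/index.html.\n")
SAMPLE_DOWNLOAD = ("From: a friend <friend@mail.example>\nSubject: player\n\n"
                   "Get it here: http://files.lure-host.example/Adobe_flash9.exe\n")


def text_body(msg):
    """Concatenate the decoded text parts of a parsed message."""
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)


def lure_indicators(raw_message):
    """Return the reasons a raw message resembles the lure in the article."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reasons = []
    for url in URL_RE.findall(text_body(msg)):
        parsed = urlparse(url.rstrip(".,)"))
        host = (parsed.hostname or "").lower()
        leaf = parsed.path.rsplit("/", 1)[-1]
        on_sender_site = host == sender or host.endswith("." + sender)
        if sender in SPOOFED_NEWS_DOMAINS and not on_sender_site:
            reasons.append(f"sender claims {sender} but link goes to {host}")
        if leaf.lower() == "president.htm":
            reasons.append(f"landing page name from the campaign: {leaf}")
        if FAKE_FLASH_RE.search(leaf):
            reasons.append(f"executable posing as Flash Player: {leaf}")
    return reasons


if __name__ == "__main__":
    for name in ("SAMPLE_LURE", "SAMPLE_BENIGN", "SAMPLE_DOWNLOAD"):
        print(name, lure_indicators(globals()[name]))
```

The From header is only what the sender chose to write, so these checks are a triage heuristic for mail that claims a news origin, not proof of who sent it.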
