Obamaspam: Computers of Barack Obama fans are being targeted

The spam email encouraged me to visit page.superobamaonline.com, which looks like a polished political website:

[Screenshot: the page.superobamaonline.com landing page]

The problem is that every single link on the page, from the text to the images to the video, is really a link to download pdf.exe, a known virus:

Filename: pdf.exe

Description:
A variant of the Backdoor.Sdbot family of worms and IRC backdoor Trojans.

This Trojan makes a computer vulnerable to being taken over through IRC, which means that pdf.exe is not a useful piece of malware in and of itself, but is valuable because an infected computer can then be hijacked, have its contents downloaded, or be put to some other nefarious purpose.
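To see what this looks like from the defender's side, here is an added example (not code from the original post) that triages a page's link targets the way one would before clicking anything: it walks the HTML, records every anchor and whether it wraps text, an image or a video, and flags any target whose path ends in an extension the operating system would execute. The sample HTML, the base URL page.example.invalid and the extension list are constructed for the illustration, not the real site's markup.

```python
"""Link-target triage for a suspected malware landing page.

Added example, not code from the original post. Given page HTML, it
collects every anchor target, notes whether the anchor wraps text, an
image or a video, and flags targets whose path ends in an extension the
operating system would execute. The sample HTML and the base URL are
constructed to mimic the behaviour the post describes (every link
leading to one pdf.exe); they are not the real site's markup.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import posixpath

# Extensions a browser hands to the OS as a program rather than rendering.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}

# Constructed sample: a polished-looking page whose every link is a download.
BASE_URL = "http://page.example.invalid/"
SAMPLE_HTML = """
<html><body>
<h1>Support the movement</h1>
<p><a href="/pdf.exe">Read the full plan</a></p>
<a href="/pdf.exe"><img src="/rally.jpg" alt="rally"></a>
<a href="pdf.exe"><video src="/speech.mp4"></video></a>
<a href="http://cdn.example.invalid/pdf.exe">Watch the inauguration</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Record each <a href> and whether it wraps text, an image or a video."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []        # [{"url": ..., "kind": ...}, ...]
        self._open = None      # index of the anchor currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append({"url": urljoin(self.base_url, attrs["href"]),
                               "kind": "text"})
            self._open = len(self.links) - 1
        elif tag in ("img", "video") and self._open is not None:
            # the anchor wraps media: clicking the picture or player downloads
            self.links[self._open]["kind"] = "image" if tag == "img" else "video"

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def is_executable_url(url):
    """True when the URL path ends in an extension from EXECUTABLE_EXTS."""
    ext = posixpath.splitext(urlparse(url).path)[1].lower()
    return ext in EXECUTABLE_EXTS


def triage_links(html, base_url):
    """Return the links found, the executable ones and an overall verdict."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    links = collector.links
    executables = [l for l in links if is_executable_url(l["url"])]
    if not executables:
        verdict = "clean"
    elif len(executables) == len(links):
        verdict = "all links deliver an executable"
    else:
        verdict = "executable links present"
    return {
        "links": links,
        "executables": executables,
        "distinct_executables": sorted({l["url"] for l in executables}),
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage_links(SAMPLE_HTML, BASE_URL)
    for link in report["links"]:
        marker = "EXE" if is_executable_url(link["url"]) else "   "
        print(f"{marker} {link['kind']:5} -> {link['url']}")
    print("verdict:", report["verdict"])
```

The "all links deliver an executable" verdict is the interesting one: a page with one stray download link is common, but a page where text, images and video all funnel to the same program is a landing page, not a website, and is worth blocking at the proxy rather than just warning about.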

Alarms ought to be going off.  This site, designed to make computers vulnerable to being taken over, is aimed at Americans.  Politically motivated Americans in particular.

Perhaps not surprisingly, the site is linked to Chinese interests:

Registrant:
  Organization   : LIFENGZHEN
  Name           : LIFENGZHEN
  Address        : HANJIELU72
  City           : hengyangshi
  Province/State : hunansheng
  Country        : china
  Postal Code    : 421038

But the links are more complex than this.  The registrar is Xin Net Technology Corporation:

   Domain Name: SUPEROBAMAONLINE.COM
   Registrar: XIN NET TECHNOLOGY CORPORATION
   Whois Server: whois.paycenter.com.cn
   Referral URL: http://www.xinnet.com
   Name Server: NS1.SUPEROBAMAONLINE.COM
   Name Server: NS2.SUPEROBAMAONLINE.COM
   Name Server: NS3.SUPEROBAMAONLINE.COM
   Name Server: NS4.SUPEROBAMAONLINE.COM
   Name Server: NS5.SUPEROBAMAONLINE.COM
   Name Server: NS6.SUPEROBAMAONLINE.COM
   Status: ok
   Updated Date: 15-jan-2009
   Creation Date: 15-jan-2009
   Expiration Date: 15-jan-2010

Check out the creation date -- positioned to take advantage of the intense focus on Barack Obama because of his inauguration this week.
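The creation date, the one-year term and the six name servers all living under the domain itself are exactly the fields an analyst checks first on a suspicious domain. As an added example (not code from the original post), the script below parses the WHOIS record quoted above and scores it against those three heuristics. The 30-day "brand new" threshold and the reference date of 20 January 2009 are assumptions chosen for the illustration.

```python
"""Throwaway-domain signals from a registrar WHOIS record.

Added example, not code from the original post. It parses the WHOIS
text quoted in the post, converts the dates and applies three defender
heuristics: the domain is only days old, it was bought for the minimum
one-year term, and every name server sits under the domain itself, so
there is no third-party DNS history to consult. The 30-day threshold
and the reference date are assumptions chosen for the illustration.
"""
from datetime import datetime, timedelta

# The registrar record quoted in the post, reproduced as input.
WHOIS_TEXT = """\
   Domain Name: SUPEROBAMAONLINE.COM
   Registrar: XIN NET TECHNOLOGY CORPORATION
   Whois Server: whois.paycenter.com.cn
   Referral URL: http://www.xinnet.com
   Name Server: NS1.SUPEROBAMAONLINE.COM
   Name Server: NS2.SUPEROBAMAONLINE.COM
   Name Server: NS3.SUPEROBAMAONLINE.COM
   Name Server: NS4.SUPEROBAMAONLINE.COM
   Name Server: NS5.SUPEROBAMAONLINE.COM
   Name Server: NS6.SUPEROBAMAONLINE.COM
   Status: ok
   Updated Date: 15-jan-2009
   Creation Date: 15-jan-2009
   Expiration Date: 15-jan-2010
"""

# Assumed reference date: inauguration week, when the post was written.
TODAY = datetime(2009, 1, 20)


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated Name Server lines become a list."""
    record = {"name_servers": []}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "name server":
            record["name_servers"].append(value.lower())
        else:
            record[key] = value
    return record


def parse_date(text):
    """Registrar dates look like '15-jan-2009'; strptime matches %b case-insensitively."""
    return datetime.strptime(text, "%d-%b-%Y")


def assess(record, today=TODAY, new_days=30):
    """Score the record: one point per heuristic that fires."""
    domain = record["domain name"].lower()
    created = parse_date(record["creation date"])
    expires = parse_date(record["expiration date"])
    age_days = (today - created).days
    flags = []
    if age_days <= new_days:
        flags.append(f"registered only {age_days} day(s) before first seen")
    if expires - created <= timedelta(days=366):
        flags.append("minimum one-year registration term")
    servers = record["name_servers"]
    if servers and all(s.endswith("." + domain) for s in servers):
        flags.append("every name server is hosted under the domain itself")
    return {"domain": domain, "age_days": age_days,
            "flags": flags, "score": len(flags)}


if __name__ == "__main__":
    result = assess(parse_whois(WHOIS_TEXT))
    print(f"{result['domain']}: score {result['score']}/3")
    for flag in result["flags"]:
        print("  -", flag)
```

None of these signals proves anything on its own (plenty of legitimate domains are new and run their own DNS), but a domain that trips all three on the first day anyone reports it is a reasonable candidate for a mail-gateway block while someone looks at what it actually serves.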

But Xin Net Technology Corporation (also known as Xin Net Bei Gong Da) is not just another registrar.  It is a favourite of spammers, despite the rules Xin Net itself publishes:

2. Users need to strictly abide "the People's Republic of China Computer Information Network and the Internet Interim Provisions on the Management" "China's Internet Internet Management." "China's Internet domain name registration interim management approach," and other relevant laws and administrative regulations;

3. Internet users need to comply with the established regulations and international practice, to others this may not malicious, The provocative documents or junk mail. Rather, the network the right to prior notice of service to be suspended and demands an immediate correction of violations, closed or transferred website;

Xin Net seems to willfully ignore its own rules, and in the past regularly registered hundreds of spam domains a day on behalf of a handful of known spammers.  A legitimate registrar would detect the pattern and refuse the registrations.  Xin Net's behaviour earned it the ranking of "worst registrar" as recently as last June:

Brief: As a follow up to our recent rating of Xin Net Bei Gong Da Software as the worst registrar for spam-related illicit sites we are providing this more detailed accounting of their poor of compliance and the ongoing permissive operations that allow illicit domains to easily persist at Xin Net. The over 18,000 illicit domains were discovered at Xin Net in the last 12 months. These sites were advertized in 1.7 million unsolicited emails reported to us by the public. Most of these domains were improperly registered with inaccurate, false or misleading contact information...Since Xin Net was issued an Enforcement Letter and a Notice of Concern by ICANN, little has changed. While Xin Net has “suspended” many reported domains, these are quickly replaced with new ones that have the same content. As explained, many of the “suspended” domains also return later with the same owners, same content, and at the same IP address.

For a while, Xin Net was run partly out of Canada under the name of China Mobility, but that part of the business was sold to Sino-I of Hong Kong in 2004.  Sino-I has since relocated to Beijing.

Thank goodness -- Obamaspam coming from Canada would have looked really bad.

The shift to Obamaspam is interesting for several reasons.  Just this month, Xin Net was listed as 100% compliant by the Bulk Spam Reporting, having suspended nearly 30,000 fake pharmacy sites and gambling sites.

The thing about these sites is that they make money directly.  Someone gives a credit card number, and if he's lucky, he'll receive a package in the mail filled with sugar pills "guaranteed" to pump up his libido by 150%.  More likely, they'll take his money and run.

But this Obamaspam website didn't try to sell me anything.  Its purpose was to make my computer vulnerable to being taken over by...someone.

Who?

And why?

And was the selection of a Barack Obama theme an accident?  Was it purely for the amount of traffic any Obama-related website is likely to get in January?

Or does a person who is interested in Barack Obama, and more specifically, who is supportive of Barack Obama, match a profile that makes him or her particularly valuable to the people behind this site?

If so, what do these people expect to find on such a person's computer?  And what is that information going to be used for?

This is a spam site, to be sure, but it's the sort of spam site that should be raising red flags.

Update: Did some more research, and it looks like a cruder version of this sort of site was designed to make computers vulnerable to people looking for banking and PayPal information, and that this is part of an expected surge in phishing sites.

Angry in the Great White North by Steve Janke is licensed under a Creative Commons Attribution-Share Alike 2.5 Canada License. Based on a work at stevejanke.com.