Wilders Security Forums  

  #1  
Old July 2nd, 2009, 03:41 PM
ronjor's Avatar
ronjor ronjor is offline
Global Moderator
 
Join Date: Jul 2003
Location: Texas
Posts: 46,201
Default Waledac worm targeting July 4 spam offensive

Quote:
by Elinor Mills

Researchers analyzing the code of the worm, which has been deploying updates to previously compromised PCs, have discovered that at least 18 domain names have been registered related to fireworks and Independence Day that will be used to trick people into visiting a malicious Web site, said Pierre-Marc Bureau, a senior researcher at antivirus vendor ESET.
Story
  #2  
Old July 2nd, 2009, 05:15 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: Waledac worm targeting July 4 spam offensive

I happened to notice the filename of the image in the article:

waledac-conficker.gif

During the conficker fiasco, some researchers made a connection between Storm - Waledac - Conficker, based on the prevalence of email spam.


REFERENCES

New Downad/Conficker variant spreading over P2P
http://countermeasures.trendmicro.eu...ding-over-p2p/
Quote:
Waledac has, for a while now, been suspected to be the latest offering from the people behind the Storm botnet. Could it be that Downad/Conficker, Waledac and Storm all originate from the same cybercriminal gang?
Report: Conficker in attack mode
http://news.zdnet.com/2100-9595_22-292858.html
Quote:
Quoting Vincent Weafer, vice president of Symantec Security Response, Xinhua reported Conficker now installs a second virus--Waledac--that sends out e-mail spam without the computer owner's knowledge.
Brief Storm/Waledac Timeline and Its Relationship with Conficker
http://www.mxlogic.com/itsecurityblo...-Conficker.cfm
Quote:
The folks over at Cisco posted a very interesting blog writeup about the Storm/Waledac botnets and how their marriage to Conficker was consummated in order to start monetizing the enormous computing power of the Conficker botnet.


----
rich
  #3  
Old July 2nd, 2009, 08:36 PM
ronjor's Avatar
ronjor ronjor is offline
Global Moderator
 
Join Date: Jul 2003
Location: Texas
Posts: 46,201
Default Re: Waledac worm targeting July 4 spam offensive

Good stuff Rich.
  #4  
Old July 3rd, 2009, 01:47 AM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: Waledac worm targeting July 4 spam offensive

Thanks, Ron. If their conclusions are correct, that might be a reason why Conficker didn't seem to do much at first -- just biding time waiting for opportunities to distribute malware.

----
rich
  #5  
Old July 3rd, 2009, 12:32 PM
cp256 cp256 is offline
Infrequent Poster
 
Join Date: Jul 2009
Location: Where the taxes are KILLING US!
Posts: 4
Default Re: Waledac worm targeting July 4 spam offensive

Does anyone know where there is a list of the domains used by this worm? I'd like to blackhole DNS for them to help protect my customers in the short term.

Thanks,

Henry
  #6  
Old July 3rd, 2009, 01:23 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: Waledac worm targeting July 4 spam offensive

Here are a couple of lists. You can search around for others:

Full Waledac Domain Listing
http://www.securityzone.org/?p=61

Waledac - New Campaign, New Domains, GeoCities, and SpywareProtect2009
http://www.shadowserver.org/wiki/pmw...endar/20090416

Assuming the Conficker botnet will be involved, it won't be so easy to keep track. To wit:

Conficker C Analysis
http://mtc.sri.com/Conficker/addendumC/
Quote:
C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C's potential DNS queries. With this latest escalation in domain space manipulation, C not only represents a significant challenge to those hoping to track its census, but highlights some weaknesses in the long-term viability of how Internet address and name space governance is conducted.
The Waledac trojan came with a later variant of Conficker, and it's not been established whether or not it includes C's domain generation feature.

Nonetheless, going back to the original Storm exploits, as domains were taken down, new domains were generated daily. So, we should be prepared for similar activity.

Also variants of the trojan payload continually changed, making detection more difficult for anti-malware products.

As far as protecting your customers: evidently the initial attack is via email, enticing the victim to click on a link to go to the bad site.

----
rich
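For the DNS blackholing Henry asks about above, here is an added example (my own code, not from the thread or from any of the linked lists) that turns a plain-text domain list into sinkhole configuration for unbound and dnsmasq and checks whether a queried name falls under a blocked domain. The domain names in SAMPLE_DOMAINS are constructed placeholders under the reserved .invalid TLD, not the real Waledac domains; the real lists linked by Rmus are the input to use. Because Rich notes that new domains were generated daily during the Storm campaigns, the list has to be re-fetched and the resolver reloaded on a schedule rather than configured once.

```python
import re

# Constructed sample blocklist: placeholder names under the reserved .invalid TLD,
# NOT the real Waledac domains. Comment lines, blank lines, mixed case, leading
# whitespace and a trailing dot are all things found in real downloaded lists.
SAMPLE_DOMAINS = """
# comment lines and blanks are ignored
fireworks-show-example.invalid
Independence-Day-Example.INVALID.
 july4-example.invalid
not a domain!
"""

# One DNS label: 1-63 chars of letters, digits, hyphen; no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case, strip whitespace and a trailing dot; return None if not a valid name."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    # Require at least two labels so a bare TLD can never be blackholed by accident.
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return None
    return name


def parse_blocklist(text):
    """Return a sorted, de-duplicated list of valid domains from blocklist text."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        domain = normalize(line)
        if domain:
            found.add(domain)
    return sorted(found)


def unbound_config(domains):
    """unbound.conf lines: 'static' answers the zone and everything under it with NXDOMAIN."""
    return "\n".join(f'local-zone: "{d}." static' for d in domains)


def dnsmasq_config(domains):
    """dnsmasq.conf lines: answer the domain and all subdomains with 0.0.0.0."""
    return "\n".join(f"address=/{d}/0.0.0.0" for d in domains)


def is_blocked(qname, domains):
    """True if qname equals a blocked domain or sits anywhere beneath one."""
    q = normalize(qname)
    if q is None:
        return False
    return any(q == d or q.endswith("." + d) for d in domains)


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_DOMAINS)
    print(unbound_config(blocked))
    print(dnsmasq_config(blocked))
    for name in ("www.July4-example.invalid.", "notjuly4-example.invalid"):
        print(name, "->", "BLOCKED" if is_blocked(name, blocked) else "allowed")
```

Write the unbound output into a file included from unbound.conf (or the dnsmasq output into a conf-dir file) and reload the resolver after each refresh; the suffix check in is_blocked mirrors what both resolvers do, so a test against a fresh list shows which hostnames the configuration will actually sinkhole.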
  #7  
Old July 3rd, 2009, 01:28 PM
cp256 cp256 is offline
Infrequent Poster
 
Join Date: Jul 2009
Location: Where the taxes are KILLING US!
Posts: 4
Default Re: Waledac worm targeting July 4 spam offensive

Hey Rich, thank you very much, that's exactly what I was looking for!

Henry
  #8  
Old July 3rd, 2009, 01:31 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: Waledac worm targeting July 4 spam offensive

You are welcome, and good success to you in protecting your customers!

----
rich
  #9  
Old July 3rd, 2009, 11:44 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default The Fireworks have started!

Here is an early example:

Waledac Independence Day Theme - New Campaign In The Wild
http://securitylabs.websense.com/con...erts/3431.aspx
Quote:
The malicious emails that are sent use subjects and content related to Independence Day, Fourth of July and fireworks shows.

I notice that this is an almost exact copy-cat from last year. See my thread here:

http://www.wilderssecurity.com/showthread.php?t=214046


----
rich