Waledac worm targeting July 4 spam offensive

ronjor · Jul 2, 2009

by Elinor Mills

Researchers analyzing the code of the worm, which has been deploying updates to previously compromised PCs, have discovered that at least 18 domain names have been registered related to fireworks and Independence Day that will be used to trick people into visiting a malicious Web site, said Pierre-Marc Bureau, a senior researcher at antivirus vendor ESET.
Click to expand...

Story

Rmus · Jul 2, 2009

I happened to notice the filename of the image in the article:

During the conficker fiasco, some researchers made a connection between Storm - Waledac - Conficker, based on the prevalence of email spam.

REFERENCES

New Downad/Conficker variant spreading over P2P
http://countermeasures.trendmicro.eu/new-downadconficker-variant-spreading-over-p2p/

Waledac has, for a while now, been suspected to be the latest offering from the people behind the Storm botnet. Could it be that Downad/Conficker, Waledac and Storm all originate from the same cybercriminal gang?
Click to expand...

Report: Conficker in attack mode
http://news.zdnet.com/2100-9595_22-292858.html

Quoting Vincent Weafer, vice president of Symantec Security Response, Xinhua reported Conficker now installs a second virus--Waledac--that sends out e-mail spam without the computer owner's knowledge.
Click to expand...

Brief Storm/Waledac Timeline and Its Relationship with Conficker
http://www.mxlogic.com/itsecuritybl...eline-and-Its-Relationship-with-Conficker.cfm

The folks over at Cisco posted a very interesting blog writeup about the Storm/Waledac botnets and how their marriage to Conficker was consummated in order to start monetizing the enormous computing power of the Conficker botnet.
Click to expand...

----
rich

ronjor · Jul 2, 2009

Good stuff Rich.

Rmus · Jul 3, 2009

Thanks, Ron. If their conclusions are correct, that might be a reason why Conficker didn't seem to do much at first -- just biding time waiting for opportunities to distribute malware.

----
rich

cp256 · Jul 3, 2009

Does anyone know where there is a list of the domains used by this worm? I'd like to blackhole DNS for them to help protect my customers in the short term.

Thanks,

Henry

Rmus · Jul 3, 2009

Here are a couple of lists. You can search around for others:

Full Waledac Domain Listing
http://www.securityzone.org/?p=61

Waledac - New Campaign, New Domains, GeoCities, and SpywareProtect2009
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090416

Assuming the Conficker botnet will be involved, it won't be so easy to keep track. To wit:

Conficker C Analysis
http://mtc.sri.com/Conficker/addendumC/

C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C's potential DNS queries. With this latest escalation in domain space manipulation, C not only represents a significant challenge to those hoping to track its census, but highlights some weaknesses in the long-term viability of how Internet address and name space governance is conducted.
Click to expand...

The Waledac trojan came with a later variant of Conficker, and it's not been established whether or not it includes C's domain generation feature.

Nonetheless, going back to the original Storm exploits, as domains were taken down, new domains were generated daily. So, we should be prepared for similar activity.

Also variants of the trojan payload continally changed, making detection more difficult for anti-malware products.

As far as protecting your customers: evidently the initial attack is via email, enticing the victim to click on a link to go to the bad site.

----
rich

cp256 · Jul 3, 2009

Hey Rich, thank you very much, that's exactly what I was looking for!

Henry

Rmus · Jul 3, 2009

You are welcome, and good success to you in protecting your customers!

----
rich

Rmus · Jul 3, 2009

The Fireworks have started!

Here is an early example:

Waledac Independence Day Theme - New Campaign In The Wild
http://securitylabs.websense.com/content/Alerts/3431.aspx

The malicious emails that are sent use subjects and content related to Independence Day, Fourth of July and fireworks shows.
Click to expand...

I notice that this is an almost exact copy-cat from last year. See my thread here:

https://www.wilderssecurity.com/showthread.php?t=214046

----
rich

Log in or Sign up

Waledac worm targeting July 4 spam offensive

ronjor Global Moderator

Rmus Exploit Analyst

ronjor Global Moderator

Rmus Exploit Analyst

cp256 Registered Member

Rmus Exploit Analyst

cp256 Registered Member

Rmus Exploit Analyst

Rmus Exploit Analyst

Log in or Sign up

Waledac worm targeting July 4 spam offensive

ronjor Global Moderator

Rmus Exploit Analyst

ronjor Global Moderator

Rmus Exploit Analyst

cp256 Registered Member

Rmus Exploit Analyst

cp256 Registered Member

Rmus Exploit Analyst

Rmus Exploit Analyst

Useful Searches