Waledac worm targeting July 4 spam offensive

Discussion in 'malware problems & news' started by ronjor, Jul 2, 2009.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Story
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I happened to notice the filename of the image in the article:

    waledac-conficker.gif


    During the conficker fiasco, some researchers made a connection between Storm - Waledac - Conficker, based on the prevalence of email spam.


    REFERENCES

    New Downad/Conficker variant spreading over P2P
    http://countermeasures.trendmicro.eu/new-downadconficker-variant-spreading-over-p2p/
    Report: Conficker in attack mode
    http://news.zdnet.com/2100-9595_22-292858.html
    Brief Storm/Waledac Timeline and Its Relationship with Conficker
    http://www.mxlogic.com/itsecuritybl...eline-and-Its-Relationship-with-Conficker.cfm

    ----
    rich
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Good stuff Rich.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Ron. If their conclusions are correct, that might be a reason why Conficker didn't seem to do much at first -- just biding time waiting for opportunities to distribute malware.

    ----
    rich
     
  5. cp256

    cp256 Registered Member

    Joined:
    Jul 3, 2009
    Posts:
    4
    Location:
    Where the taxes are KILLING US!
    Does anyone know where there is a list of the domains used by this worm? I'd like to blackhole DNS for them to help protect my customers in the short term.

    Thanks,

    Henry
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Here are a couple of lists. You can search around for others:

    Full Waledac Domain Listing
    http://www.securityzone.org/?p=61

    Waledac - New Campaign, New Domains, GeoCities, and SpywareProtect2009
    http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090416

    Assuming the Conficker botnet will be involved, it won't be so easy to keep track. To wit:

    Conficker C Analysis
    http://mtc.sri.com/Conficker/addendumC/
    The Waledac trojan came with a later variant of Conficker, and it's not been established whether or not it includes C's domain generation feature.

    Nonetheless, going back to the original Storm exploits, as domains were taken down, new domains were generated daily. So, we should be prepared for similar activity.

    Also, variants of the trojan payload continually changed, making detection more difficult for anti-malware products.

    As far as protecting your customers: evidently the initial attack is via email, enticing the victim to click on a link to go to the bad site.

    ----
    rich
     
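One way to turn a domain list like the ones linked above into a DNS blackhole, as an added example that is not part of the original post and not code from any of the cited sources: the script normalizes a pasted list (comments, mixed case, trailing dots, full URLs, duplicates), drops entries that cannot be a hostname, collapses subdomains already covered by a parent, and emits both a dnsmasq `address=/.../` file and a BIND response policy zone (RPZ) fragment. The domain names in `SAMPLE_LIST` are constructed placeholders, not real Waledac indicators. Because the thread notes that new domains were generated daily during the Storm campaigns, a static blocklist like this only helps if it is regenerated from a fresh list on a schedule.

```python
"""Build a DNS blackhole (sinkhole) configuration from a pasted domain list.

Added example; the sample domains below are constructed placeholders and are
NOT real Waledac, Storm or Conficker indicators.
"""
import re
from typing import Iterable, List, Optional

# Constructed sample list: comments, mixed case, trailing dot, a full URL,
# a duplicate, a subdomain of an existing entry, and an invalid line.
SAMPLE_LIST = """
# Waledac domains (constructed placeholders, not real indicators)
example-fireworks.test
EXAMPLE-FIREWORKS.test.
http://july4-cards.example/video.exe
july4-cards.example
cdn.july4-cards.example
not a domain!
"""

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(entry: str) -> Optional[str]:
    """Reduce one raw list line to a bare lowercase domain, or None if unusable."""
    s = entry.strip()
    if not s or s.startswith("#"):
        return None
    # Someone pasted a URL instead of a host: strip scheme, path and port.
    s = re.sub(r"^[a-z]+://", "", s, flags=re.I).split("/")[0].split(":")[0]
    s = s.lower().rstrip(".")
    labels = s.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        return None
    return s


def load_blocklist(text: str) -> List[str]:
    """Normalize, validate and de-duplicate the list.

    Both dnsmasq address=/d/ and the RPZ wildcard entry already cover every
    subdomain of d, so a child entry whose parent is also listed is dropped.
    """
    domains = {d for d in (normalize(line) for line in text.splitlines()) if d}
    return sorted(
        d for d in domains
        if not any(d.endswith("." + parent) for parent in domains if parent != d)
    )


def dnsmasq_config(domains: Iterable[str], sink_ip: str = "0.0.0.0") -> str:
    """dnsmasq: answer the domain and all its subdomains with sink_ip."""
    return "".join(f"address=/{d}/{sink_ip}\n" for d in domains)


def rpz_zone(domains: Iterable[str], target: str = ".") -> str:
    """BIND RPZ fragment. CNAME to '.' makes BIND return NXDOMAIN for the name."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. (1 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} CNAME {target}")
        lines.append(f"*.{d} CNAME {target}")
    return "\n".join(lines) + "\n"


def is_blocked(qname: str, domains: Iterable[str]) -> bool:
    """Check a queried name the way the generated configs would: exact or suffix match."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


if __name__ == "__main__":
    blocked = load_blocklist(SAMPLE_LIST)
    print(dnsmasq_config(blocked))
    print(rpz_zone(blocked))
    for name in ("www.example-fireworks.test", "example-fireworks.testing"):
        print(name, "->", "BLOCKED" if is_blocked(name, blocked) else "allowed")
```

The dnsmasq output goes in a file under `/etc/dnsmasq.d/`; the RPZ fragment is a zone body that still needs to be named in a `response-policy` clause in `named.conf`. The `is_blocked` check mirrors the suffix semantics of both formats, which is why `example-fireworks.testing` is not matched by an entry for `example-fireworks.test`.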
  7. cp256

    cp256 Registered Member

    Joined:
    Jul 3, 2009
    Posts:
    4
    Location:
    Where the taxes are KILLING US!
    Hey Rich, thank you very much, that's exactly what I was looking for!

    Henry
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You are welcome, and good success to you in protecting your customers!

    ----
    rich
     