In one of their more complicated themes, the Waledac team is following up on a previous blast, spamming out links to a few new malicious websites, each one using a strange “Valentine Devkit” theme. Clicking on an image on one of these pages results in a download of various names: loveprogramm.exe, ecard.exe, postcard.exe, lovekit.exe, mylove.exe, runme.exe, loveexe.exe… The files themselves are effectively obfuscated, with very low (non-existent) AV scanner detection at the current time. The site suggests that a “nicely designed Valentines Card for your sweetheart” can be created with their “Valentine Devkit”.
The web pages seem unusual for the group in one respect, they do not provide the “google-analytics.js” javascript link that was present on previous campaigns. That means the team is not delivering the commodity client side exploits (drive-by exploits) to distribute their malware just yet. Instead, they are relying on the gullibility of users to download and install the malware files on their own. ThreatFire currently is preventing the malware in our community in low volume.
There seem to be some legitimate development kits of this sort: on another web site, instructions that may be getting confused and mimicked with the Waledac gang’s devkit explain how to use another “devkit” to create a Flash ecard in time for Valentine’s Day. Other searches for Valentine’s Day Dev Kits produce kits to be run on other operating systems.
We’ll share some additional research notes on the malware’s functionality and its obfuscation, be sure to check in later.
