Over the past couple of months, the Waledac spam/botnet effort seemed to be dwindling. A large software company attempted to take credit for cleaning up the “ecosystem” of Waledac with their cleanup tool release.
In the meantime, Waledac’s presence on systems started to change and appear in lower volumes, flying under the radar of many groups. The ThreatFire community saw Waledac code injected into svchost processes and prevented by ThreatFire in low volumes, bundled with other attacks.
So, it is somewhat surprising that the botnet group just cannot pass up another holiday, blasting out attention-attracting mail and flashy websites. Symantec reported on the spam messages sent out to entice users to visit malicious Waledac web sites, download and install the bot. In addition to the spam, here is the grammatically incorrect Waledac text from a screenshot of the YouTube spoofed sites set up by the distributors to fool users into running the downloaded malware:
“Colorful Independence Day events took place throughout the country
This year July 4th firework’s shows were surprisingly amazing. The largest firework happend this Saturday. Unprecedented sum of money was spent on this fabulous show even despite crisis. The American Pyrotechnics Association has named South Shore’s Fourth of July fireworks show as the best pyrotechnic displays in the nation. If you want to see this fantastic show just click on the video below and press “Run”.”
When a user clicks on the phony video frame, the malicious Waledac executables with names like “video.exe”, “movie.exe”, “run.exe”, “setup.exe” and others are served up.
The victim must then run the executables, no client side exploits are being delivered on multiple observed Waledac sites. Currently, fast-flux domains to avoid for this Waledac run include (but are not limited to):
4thfirework. com
holifireworks. com
video4thjuly. com
holidayfirework. com
moviefireworks. com
fireworksnetwork. com
movies4thjuly. com
happyindependence. com
freeindependence. com
fireworkspoint. com
movie4thjuly. com
fireworksholiday. com
moviesfireworks. com
Instead of registering these domains through Xin Net Technologies, this time around they were registered through China Springboard, Inc. It is quite likely that this provider will be one to watch for the next few holidays.
The bot itself continues to maintain a list of peer nodes for its P2P over HTTP technology in clean XML formatted data and is packed with techniques consistent with those used prior to this release — not much has changed here.
Happy Fourth of July to our American readers and safe browsing!
