Archive for the ‘Waledac’ Category

Waledac birdie_a.exe, birdie_b.exe, corvus_b.exe, william_a.exe Mixed in with FakeAv Download Scheme

Monday, August 24th, 2009

We may be seeing the stirrings of yet another Waledac distribution. Servers at 95.211.8.215 and 95.211.8.161 have been serving up a number of unusually named files since the 20th that appear to maintain not only the common Waledac unpacking stub, but some of the classic characteristics of the Waledac trojan/worm — the email/spam engine, AES encrypted/bzip2 compressed P2P peering listing, DDoS capabilities, http C&C contact, email harvester, and credential stealing functionality. Along with the FakeAv downloads coming from these servers, these executables may be a variant on the spambot. We’ll update this post with more information as we more accurately identify the malware.

Update: Some of the files definitely are Waledac spam/dos bots, with encoded command and control communications retrieved from http://cismosis. com/up21.php (there are others), as evidenced here:

AV detection is surprisingly low for these executables; be sure to add a layer of behavioral protection to your system with ThreatFire.

Waledac Fourth of July Run

Saturday, July 4th, 2009

Over the past couple of months, the Waledac spam/botnet effort seemed to be dwindling. A large software company attempted to take credit for cleaning up the “ecosystem” of Waledac with their cleanup tool release.

In the meantime, Waledac’s presence on systems started to change and appear in lower volumes, flying under the radar of many groups. The ThreatFire community saw Waledac code injected into svchost processes and prevented by ThreatFire in low volumes, bundled with other attacks.

So, it is somewhat surprising that the botnet group just cannot pass up another holiday, blasting out attention-attracting mail and flashy websites. Symantec reported on the spam messages sent out to entice users to visit malicious Waledac web sites and download and install the bot. In addition to the spam, here is the grammatically incorrect Waledac text from a screenshot of the spoofed YouTube sites set up by the distributors to fool users into running the downloaded malware:

“Colorful Independence Day events took place throughout the country

This year July 4th firework’s shows were surprisingly amazing. The largest firework happend this Saturday. Unprecedented sum of money was spent on this fabulous show even despite crisis. The American Pyrotechnics Association has named South Shore’s Fourth of July fireworks show as the best pyrotechnic displays in the nation. If you want to see this fantastic show just click on the video below and press “Run”.”

When a user clicks on the phony video frame, the malicious Waledac executables with names like “video.exe”, “movie.exe”, “run.exe”, “setup.exe” and others are served up.
The victim must then run the executables themselves; no client-side exploits were being delivered on the multiple Waledac sites we observed. Currently, the fast-flux domains to avoid for this Waledac run include (but are not limited to):

Instead of registering these domains through Xin Net Technologies, this time around they were registered through China Springboard, Inc. It is quite likely that this provider will be one to watch for the next few holidays.

The bot itself continues to maintain a list of peer nodes for its P2P over HTTP technology in clean XML formatted data and is packed with techniques consistent with those used prior to this release — not much has changed here.

Happy Fourth of July to our American readers and safe browsing!

Swine Flu and Canadian Pharmacies

Tuesday, April 28th, 2009

Not surprisingly, spammers are taking advantage of the current swine flu news topic to link to the very same Waledac-style Canadian pharmacy sites that we have presented in previous posts.

This news event campaigning is reminiscent of the Storm-cum-Waledac groups’ efforts over the past couple of years. Nothing new, nothing ancient here. We have not seen any client-side exploit sites set up for this event just yet, and we speculate that the Waledac group’s botnet has reached an economy of scale and attracted some unwanted attention via inclusion of the bot in the Conficker and Koobface efforts.

Here is a current storefront matching previous Waledac spammed Canadian pharmacy storefronts. While they have moved on from registering through Xin Net Technology in China, the randomized domain names are being generated with the same patterns under a similar provider: