|
Archive for the ‘Waledac’ Category
Friday, February 26th, 2010
A recently reworded post on Microsoft’s attempt to pursue malware distribution in the courts makes it appear that something permanent and substantial has happened in anti-malware efforts (demonstrated by a legal and collaborative effort called “Operation b49″ to takedown Waledac C&C domains). Because of the complications (legal and otherwise) delaying server and domain takedowns, it’s great to see this botnet’s well-known command and control server domains pursued by the powerful legal team. On the other hand, in the meantime, users’ systems continue to be infected with Waledac. And much like the FakeAv organizations and the “John Doe” defendants that Microsoft has filed against in the courts in the past, cybercriminals herding Waledac most likely will pick up and continue to operate in the shadows beyond the reach of law enforcement — the domains and malware most likely will change to evade the takedowns pushed by their court approach. It’s a situation that has been described as “wrestling with a pig”.
In the meantime, the best way to protect yourself is with the latest install of ThreatFire. From our statistics in the ThreatFire community, we see that Waledac binaries continue to attack systems on a daily basis as a bump on the “threat landscape”. The ISC’s post title mistakenly implies that Waledac is not infecting system’s on a daily basis because the group’s “Storm-like” spam campaigns of 2009 have discontinued and because a specific list of domains have been removed, but in fact, Waledac binaries like these are attacking systems on a daily basis. For instance, over the past few days, workstations in the ThreatFire community were attacked by and protected from Waledac in the US and parts of Europe.
Anyways, the ISC handler’s post was an interesting writeup and description of past problems in takedowns (current collateral damage described here), and “Operation b49” adds another strong effort and collaboration to clean up the wild wild web. Cheers to that. Let’s hope that the Waledac bot distributors and botnet operators are worn down with the new strategy while watching their C&C servers becoming unreachable. We’ll monitor the bot’s distribution over the next few weeks and post results. Hopefully, the group is worn down for good.
Posted in Bot, Crimeware, Spam, Waledac | No Comments »
Thursday, December 31st, 2009
Just before we pop corks at the arrival of 2010 and the passing of 2009, let’s take a quick look at the second half of 2009.
Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the Vundo ad-popping trojan appearing all over desktops, and Koobface worming its way across social networks. In India, the Sality virus/downloader and varieties of bots attempted to infect systems — when ThreatFire’s community’s statistics are extrapolated out to the 40 million likely computers in that country, we can estimate that millions of Indian systems were attacked by this virus. In China, we saw gaming password stealing worms continue to spread out across the country, most likely distributed through usb sticks and other removable drives. Hot topics consistently led to blackhat SEO and phony codecs. Socially engineered bulk email schemes delivered attachments that dropped password stealing Zbot and Bredolab downloaders, users were easily convinced that they received invoices from delivery services or social networks were updating their systems. The Conficker hype grew exponentially and is all too slowly whimpering away, while the Waledac threat mutated and began to dry up altogether.
Our PC Tools ThreatFire team finished the year with a bang. The award winning PC Tools’ Internet Security Suite and its ThreatFire Behavioral Intelligence component topped all other suites as champion in the lengthiest, most comprehensive, real-world dynamic-testing malware blocking competition to date. It’s exciting to see AMTSO dynamic testing best practices being adopted and used to better drive testing and scenarios that best evaluate malware attacks that most computer users really can encounter on a daily basis. Nice testing effort and results indeed.
As 2010 arrives, we hope that existing and new ThreatFire/Behavior Guard users around the world look forward to fewer of these threats being realized on their own systems and another year of confidence in their information driven world.
Posted in AMTSO, Bot, Bredolab, Crimeware, FakeAlert, Koobface, Malware Estimates, Password stealing, Rogueware, Sality, Social Engineering, Vundo, Waledac, ZBot | No Comments »
Monday, August 24th, 2009
We may be seeing the stirrings of yet another Waledac distribution. Servers at 95.211.8.215 and 95.211.8.161 have been serving up a number of unusually named files since the 20th that appear to maintain not only the common Waledac unpacking stub, but some of the classic characteristics of the Waledac trojan/worm — the email/spam engine, AES encrypted/bzip2 compressed P2P peering listing, DDoS capabilities, http C&C contact, email harvester, and credential stealing functionality. Along with the FakeAv downloads coming from these servers, these executables may be a variant on the spambot. We’ll update this post with more information as we more accurately identify the malware.
Update: Some of the files definitely are Waledac spam/dos bots, with encoded command and control communications retrieved from http://cismosis. com/up21.php (there are others), as evidenced here:
AV detection is surprisingly low for these executables, be sure to add a layer of behavioral protection to your system with ThreatFire.
Posted in Undetected malware, Waledac, Worm | No Comments »
|
|
|
|
