In the meantime, the best way to protect yourself is with the latest install of ThreatFire. From our statistics in the ThreatFire community, we see that Waledac binaries continue to attack systems on a daily basis as a bump on the “threat landscape”. The ISC’s post title mistakenly implies that Waledac is not infecting system’s on a daily basis because the group’s “Storm-like” spam campaigns of 2009 have discontinued and because a specific list of domains have been removed, but in fact, Waledac binaries like these are attacking systems on a daily basis. For instance, over the past few days, workstations in the ThreatFire community were attacked by and protected from Waledac in the US and parts of Europe.

Anyways, the ISC handler’s post was an interesting writeup and description of past problems in takedowns (current collateral damage described here), and “Operation b49” adds another strong effort and collaboration to clean up the wild wild web. Cheers to that. Let’s hope that the Waledac bot distributors and botnet operators are worn down with the new strategy while watching their C&C servers becoming unreachable. We’ll monitor the bot’s distribution over the next few weeks and post results. Hopefully, the group is worn down for good.

Across the U.S. the ThreatFire community saw huge numbers of FakeAv variants disappointingly being run on systems, the Vundo ad-popping trojan appearing all over desktops, and Koobface worming its way across social networks. In India, the Sality virus/downloader and varieties of bots attempted to infect systems — when ThreatFire’s community’s statistics are extrapolated out to the 40 million likely computers in that country, we can estimate that  millions of Indian systems were attacked by this virus. In China, we saw gaming password stealing worms continue to spread out across the country, most likely distributed through usb sticks and other removable drives. Hot topics consistently led to blackhat SEO and phony codecs. Socially engineered bulk email schemes delivered attachments that dropped password stealing Zbot and Bredolab downloaders, users were easily convinced that they received invoices from delivery services or social networks were updating their systems. The Conficker hype grew exponentially and is all too slowly whimpering away, while the Waledac threat mutated and began to dry up altogether.

Our PC Tools ThreatFire team finished the year with a bang. The award winning PC Tools’ Internet Security Suite and its ThreatFire Behavioral Intelligence component topped all other suites as champion in the lengthiest, most comprehensive, real-world dynamic-testing malware blocking competition to date. It’s exciting to see AMTSO dynamic testing best practices being adopted and used to better drive testing and scenarios that best evaluate malware attacks that most computer users really can encounter on a daily basis. Nice testing effort and results indeed.

As 2010 arrives, we hope that existing and new ThreatFire/Behavior Guard users around the world look forward to fewer of these threats being realized on their own systems and another year of confidence in their information driven world.

Update: Some of the files definitely are Waledac spam/dos bots, with encoded command and control communications retrieved from http://cismosis. com/up21.php (there are others), as evidenced here:

AV detection is surprisingly low for these executables, be sure to add a layer of behavioral protection to your system with ThreatFire.

In the meantime, Waledac’s presence on systems started to change and appear in lower volumes, flying under the radar of many groups. The ThreatFire community saw Waledac code injected into svchost processes and prevented by ThreatFire in low volumes, bundled with other attacks.

So, it is somewhat surprising that the botnet group just cannot pass up another holiday, blasting out attention-attracting mail and flashy websites. Symantec reported on the spam messages sent out to entice users to visit malicious Waledac web sites, download and install the bot. In addition to the spam, here is the grammatically incorrect Waledac text from a screenshot of the YouTube spoofed sites set up by the distributors to fool users into running the downloaded malware:

“Colorful Independence Day events took place throughout the country

This year July 4th firework’s shows were surprisingly amazing. The largest firework happend this Saturday. Unprecedented sum of money was spent on this fabulous show even despite crisis. The American Pyrotechnics Association has named South Shore’s Fourth of July fireworks show as the best pyrotechnic displays in the nation. If you want to see this fantastic show just click on the video below and press “Run”.”

When a user clicks on the phony video frame, the malicious Waledac executables with names like “video.exe”, “movie.exe”, “run.exe”, “setup.exe” and others are served up.
The victim must then run the executables, no client side exploits are being delivered on multiple observed Waledac sites. Currently, fast-flux domains to avoid for this Waledac run include (but are not limited to):
4thfirework. com
holifireworks. com
video4thjuly. com
holidayfirework. com
moviefireworks. com
fireworksnetwork. com
movies4thjuly. com
happyindependence. com
freeindependence. com
fireworkspoint. com
movie4thjuly. com
fireworksholiday. com
moviesfireworks. com

Instead of registering these domains through Xin Net Technologies, this time around they were registered through China Springboard, Inc. It is quite likely that this provider will be one to watch for the next few holidays.

The bot itself continues to maintain a list of peer nodes for its P2P over HTTP technology in clean XML formatted data and is packed with techniques consistent with those used prior to this release — not much has changed here.

Happy Fourth of July to our American readers and safe browsing!

This news event campaigning is reminscent of the Storm-cum-Waledac groups’ efforts over the past couple of years. Nothing new, nothing ancient here. We have not seen any client side exploit sites set up for this event just yet and speculate that the Waledac group’s botnet has reached an economy of scale and attracted some unwanted attention via inclusion of the bot in the Conficker and Koobface efforts.

Here is a current storefront matching previous Waledac spammed Canadian pharmacy storefronts. While they have moved on from registering through Xin Net Technology in China, the randomized domain names are being generated with the same patterns under a similar provider:

Nonetheless, potential victims/visitors are presented with a new SMS spy offer:

Bot installers that we’ve seen include smsspy.exe, smstrap.exe, smsreader.exe and install.exe. The effectiveness of this theme currently seems to be very low and observed web pages do not redirect visitors to attacking pages or other ad-sites.

‘At least 12 people have been killed and more than 40 wounded in a bomb blast near market in _______. Authorities suggested that explosion was caused by “dirty” bomb. Police said the bomb was detonated from close by using electric cables. “It was awful” said the eyewitness about blast that he heard from his shop. “It made the floor shake. So many people were running ______.” Until now there has been no claim of responsibility.’

The screenshot below shows the well worn phony Flash player download prompt for unsuspecting users, stating that “You need the latest Flash player to view video content. Click here to download”:

Very few users so far are attemping to run the Trojan files (generally around 448kb in size) run.exe, save.exe or contact.exe being distributed from these sites, which is a good thing.

After the de-peering of internet provider McColo took its badness offline last year, several researchers examined the impacted spamming botnets and concluded that a few smaller operations uneffected by the de-peering were gaining momentum. The Tedroo spambot was one of those predicted to gain momentum in 2009, and made Joe Stewart’s list of 2009 botnets to watch over at Secureworks.

A group that seems to be out of Indonesia is delivering exploits from various servers around the world with the intention of downloading and executing Tedroo spambot variants. We have observed reliable pdf-based exploits attacking user systems with vulnerable third party plugins over the past couple of days. Once running on a compromised system, the Tedroo bots connect back to a server hosted in northeastern U.S or Canada, sending up the user’s ip address, a quick report of collected system information, and a task request.
The server responds to the task request with a table-based html list containing email addresses to spam and the message content to send out. The email lists contain domains from all over the world, including cancer fighting non-profits, professional training organizations, and anyone else with an accessible email address. Spoofed senders’ addresses include domains hosted throughout Indonesian ip space. The delivered content is somewhat interesting in that it abuses akamai links to sprinkle credible business logos throughout their spam that are somewhat related to the message content.
Right now, the group is including a well-known men’s magazine’s logo claiming to be from an official site in an attempt to build credibility for their spammed links and content:

These links are redirected to a site (hxxp://freshvalued(dot)com) hosting the same online Canadian pharmacy content as the Waledac spam.

As posted earlier, please take a minute to update the software on your system. ThreatFire prevents related pdf-based exploits that we have observed and Tedroo’s spamming capabilities as well.

After the de-peering of internet provider McColo took its badness offline last year, several researchers examined the impacted spamming botnets and concluded that a few smaller operations uneffected by the de-peering were gaining momentum. The Tedroo spambot was one of those predicted to gain momentum in 2009, and made Joe Stewart’s list of 2009 botnets to watch over at Secureworks.

A group that seems to be out of Indonesia is delivering exploits from various servers around the world with the intention of downloading and executing Tedroo spambot variants. We have observed reliable pdf-based exploits attacking user systems with vulnerable third party plugins over the past couple of days. Once running on a compromised system, the Tedroo bots connect back to a server hosted in northeastern U.S or Canada, sending up the user’s ip address, a quick report of collected system information, and a task request.
The server responds to the task request with a table-based html list containing email addresses to spam and the message content to send out. The email lists contain domains from all over the world, including cancer fighting non-profits, professional training organizations, and anyone else with an accessible email address. Spoofed senders’ addresses include domains hosted throughout Indonesian ip space. The delivered content is somewhat interesting in that it abuses akamai links to sprinkle credible business logos throughout their spam that are somewhat related to the message content.
Right now, the group is including a well-known men’s magazine’s logo claiming to be from an official site in an attempt to build credibility for their spammed links and content:

These links are redirected to a site (hxxp://freshvalued(dot)com) hosting the same online Canadian pharmacy content as the Waledac spam.

As posted earlier, please take a minute to update the software on your system. ThreatFire prevents related pdf-based exploits that we have observed and Tedroo’s spamming capabilities as well. Tedroo’s capabilites to spread nothing of interest in large numbers are very high. Keep this stuff off your system.

So, it may be interesting to catch up on estimating some recent numbers for the ongoing Waledac spam operation. This afternoon’s Waledac spam blasts contained the usual content for this campaign:
1. Discount offer-related subject lines related to and links to ripped coupon themed pages serving up malicious executables
2. Pharma-related subject lines and links to pharmaceutical sites (screenshots above and below)

Subject lines and message content for category 1 (hyperlinks mangled intentionally):
Subject: “I sent you useful thing”
Message:
You probably wish to save your money, look at this
hxxp:(slashslash)greatcouponclub(dot)com(slash)discounts.php

Subject: “Latest sales news and coupons”
I want to suggest this page to you hxxp:(slashslash)thecoupondiscount(dot)com(slash)sales.php

Subject: “We can go through the crisis with it”
It’ll be interesting for you hxxp:(slashslash)greatcouponclub(dot)com(slash)couponslist.php

Subject: “A good way to save money is to use these coupons”
New list with coupons in your city hxxp:(slashslash)greatsalesgroup(dot)com(slash)salelist.php

Subject: “All my friends have already used it”
I sent you useful listing hxxp:(slashslash)smartsalesgroup(dot)com(slash)couponslist.php

Subject: “I’ve already used these coupons”
Cool! You can save your money hxxp:(slashslash)greatsalestax(dor)com(slash)list.php

Subject lines and content for category 2, the pharma spam:
Subject: Get the most of your life!
Helloween sale hxxp:(slashslash)agreeslick(dot)com

Subject: Stimulate better growth
Make your body real TNT, exploding near girls with passion and desire.
hxxp:(slashslash)bestplaceapts(dot)at

Let’s assume that the botnet currently is 30,000-40,000 hosts, with ~30,000 spambots sending out messages every second. Because of fantastic efforts like spamhaus, and the fact that various free mail hosting services have tightened up the sources of email senders that they accept email from, let’s assume that each bot can successfully deliver approximately 1.7 messages per second. With 30,000 bots, that comes to 51,000 messages per second, at a rate of 3,060,000 spam successfully sent every minute (that’s from the bot to the destination smtp server).
Now let’s estimate that 10% of that mail arrives in the users’ inboxes (due to filters and scanners of all sorts). That’s still 306,000 messages getting to users’ inboxes. And 1% of that group may actually buy something or fall for a malicious link? Would it be overestimating to guess that ~3,000 users visit a malicious couponizer page or a phony online pharmaceutical link from a single minute of Waledac spamming?

What does your math look like?