Waledac: New Campaign In The Wild

Though Waledac has not been high-profile news since April 2009, it has remained
functional in stealth mode. The gist of Waledac is that it can copy perfectly
legitimate web sites, send out an email with a link to the spoofed (cloned) site, and once
you click on the link in that email you end up on a spoofed site replete with visual deception.
Don't be fooled though! Most Waledac image-propped sites will silently download
a binary executable file in order to enlist your computer into the Waledac botnet.

According to the Microsoft Malware Protection Center, “Waledac is a complex spam bot.
It also has the ability to download and execute arbitrary files, harvest email addresses from the
local machine, perform denial of service attacks, proxy network traffic and sniff passwords.”

Waledac social engineering tactics have mainly been launched around holiday themes.
The July 4th (Independence Day) fireworks spam is a little different because it
entices you to view a “fabulous” July 4 video on a fake YouTube page. When this
video is viewed, the victim is offered an .exe file. Once the .exe file is downloaded,
the system will become infected with Waledac malware (WORM_WALEDAC.DU).

You can visit TrendLabs for more information on the July 4th version of Waledac.

According to ESET “detection of the new variants of Waledac is quite low, with only a handful of anti-virus products detecting the newest threat.”

ESET also reminds us that Waledac is controlled via peer-to-peer networks, receiving commands
from its controllers. The main objective of every Waledac campaign is ultimately the same:
using the infected computers to send spam.

I just received a Waledac update yesterday from the Shadowserver mailing list. You can view the latest Shadowserver calendar entry here. They also have a comprehensive list of Waledac domains that you can block via a Windows hosts file. Home users can surf over to MVPS and SpyWareVoid to learn how to block these destructive sites.
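For readers who want to apply such a block list to a hosts file without clobbering what is already there, here is an added example (my own, not code from Shadowserver, MVPS or SpyWareVoid). It validates each domain, skips comments and names already present, and appends the rest mapped to the unroutable sinkhole address 0.0.0.0; the domains in the sample input are constructed placeholders, not real Waledac indicators.

```python
"""Merge a malware-domain block list into hosts-file text (added example)."""
import re

SINKHOLE = "0.0.0.0"  # unroutable; avoids hitting a local web server on 127.0.0.1
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

def parse_blocklist(text):
    """Return lower-cased, validated, de-duplicated domains from raw block-list text.
    Comment lines and inline '#' comments are ignored; malformed names are dropped."""
    seen, domains = set(), []
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower()
        if name and HOSTNAME_RE.match(name) and name not in seen:
            seen.add(name)
            domains.append(name)
    return domains

def hosts_entries(text):
    """Set of hostnames already mapped in hosts-file text, whatever the address."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.update(f.lower() for f in fields[1:])
    return names

def merge_blocklist(hosts_text, blocklist_text, tag="waledac-blocklist"):
    """Append sinkhole entries for domains not yet in hosts_text.
    Returns (new_hosts_text, list_of_added_domains); idempotent on re-run."""
    existing = hosts_entries(hosts_text)
    added = [d for d in parse_blocklist(blocklist_text) if d not in existing]
    if not added:
        return hosts_text, added
    block = [f"# BEGIN {tag}"] + [f"{SINKHOLE} {d}" for d in added] + [f"# END {tag}"]
    sep = "" if (not hosts_text or hosts_text.endswith("\n")) else "\n"
    return hosts_text + sep + "\n".join(block) + "\n", added

if __name__ == "__main__":
    # Constructed sample input: a minimal hosts file plus a block list containing
    # one already-blocked name, one comment line and one malformed entry.
    hosts = "127.0.0.1 localhost\n0.0.0.0 already-blocked.example\n"
    blocklist = ("# placeholder block list\nAlready-Blocked.example\n"
                 "video-july4.example  # constructed\nbad domain\n")
    new_hosts, added = merge_blocklist(hosts, blocklist)
    print(new_hosts)
    print("added:", added)
```

On Windows the file to write back is %SystemRoot%\System32\drivers\etc\hosts and requires an elevated prompt; back it up first.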

Domain owners: Malware domain block list | Shadowserver

More Waledac information:

Waledac is back just in time to have a BANG on the 4th of July

Trend Micro provides a comprehensive view of the WALEDAC botnet [awesome article]: INFILTRATING WALEDAC BOTNET’S COVERT OPERATIONS

Until Next Time – Stay Safe!
