Friday, July 3, 2009

Are You Ready for Independence Day Fireworks? Waledac is!

Loyal blog readers will know that the UAB Spam Data Mine has been tracking the Waledac spam campaigns since their onset. We've followed this worm through the Obama inauguration, Valentine's Day, a fake grocery coupon scam, a fake Reuters story about a terrorist bomb, and an SMS Spy program. Of course ALL of the domains associated with Waledac infection have been registered through ENAME.cn, the horribly managed Chinese registrar that seems to register more domains used in spam and malware than any other registrar on earth! Even though many of the SMS Spy domains are still live, they have recently been forwarding to Canadian Pharmacy websites.

Until today.



Here is a sneak preview of the newest version of Waledac. Although the spam campaign has not yet started, the websites are already displaying this new YouTube page promising "Colorful Independence Day events took place throughout the country". The past tense indicates to us that this campaign probably won't take off until late on the day of July 4th. The video claims to be the "South Shore's Fourth of July fireworks show" which has been named by "The American Pyrotechnics Association" as the best display in the nation.

As with previous versions though, the problem is that when you click "play" on the fake YouTube page, you are invited to run "install.exe". What is that?

Unfortunately, it's a demonstration of how signature-based anti-virus products work. A vendor can only add a detection signature once a sample of the malware has reached its lab, usually because enough customers or researchers have submitted it. In this case, because the malware hasn't been spammed yet, almost no one has submitted it, and as a result almost no product recognizes it as malicious. By the time it begins to spread on the Saturday evening of a holiday weekend, how many anti-virus engineers will be in the shop to write a definition?

4 of 40 anti-virus products know to block this program!


Last year of course it was the Storm Worm that was spreading via Fourth of July fireworks, as we covered in our story Storm Worm Salutes Our Nation on 4th.

Hopefully with a little advance warning, we'll do a better job protecting ourselves this year!

We infected one machine with this version of Waledac to see what happened. The most immediate impact is that the machine started sending spam. The "install.exe" we downloaded has the SMTP engine built in, so we would say spamming is its primary purpose. The Waledac executable also generates huge volumes of peer-to-peer traffic, as before, talking to many hosts that present themselves as nginx servers (they are actually nginx reverse proxies sitting in front of the real back-end servers).

In addition to sending spam, the infected machine connected to the website "securitytoolspro.com", which downloaded an executable, "12690784.exe", which is actually a fake anti-virus product.

The first thing this download does is change our Windows wallpaper to look like this:



Then the install begins:



After "scanning" our computer, it asks us to "Remove All Threats", which involves buying the product from a website:



An unpacked version of the Waledac malware can be retrieved from Eureka, which I used to do a lazy man's unpack: Eureka Report. Clicking the "Strings" tab of that report shows the many hard-coded IP addresses that are part of the "start up" process for the peer-to-peer network: the initial peer list a fresh bot contacts before it has learned any peers of its own.
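Pulling those bootstrap addresses out of an unpacked sample is worth automating rather than scrolling a strings listing. The following is an added example (not from the original post, and not Waledac's own code): a small Python routine that scans a binary for IPv4 literals stored as ASCII or as UTF-16LE (wide) strings, discards malformed and non-routable candidates, and de-duplicates the rest in order of first appearance. The byte blob it runs on is constructed for the example, using RFC 5737 documentation addresses rather than any real peer; the function names and the list of noise ranges are my own choices.

```python
import ipaddress
import re
import sys

# Constructed stand-in for a slice of an unpacked dropper (NOT real Waledac data).
# The addresses are RFC 5737 documentation ranges, so nothing here is a live host.
SAMPLE_BLOB = (
    b"\x00\x00MSVCRT.dll\x00GetProcAddress\x00"
    b"192.0.2.17\x00198.51.100.200\x00203.0.113.9\x00"
    b"192.0.2.17\x00"          # duplicate: report it once
    b"999.1.1.1\x00"           # shaped like an IP, but not a valid one
    b"127.0.0.1\x00"           # loopback: noise, not a peer
    b"1.2.3\x00\x00"           # three octets: not an IPv4 literal
    + "203.0.113.44".encode("utf-16-le") + b"\x00\x00"   # wide (UTF-16LE) string
)

# ASCII dotted quad that is not glued to more digits or dots on either side.
ASCII_IPV4 = re.compile(rb"(?<![0-9.])(\d{1,3}(?:\.\d{1,3}){3})(?![0-9.])")
# The same shape in UTF-16LE, where every character is followed by a NUL byte.
WIDE_IPV4 = re.compile(
    rb"(?<![0-9.]\x00)((?:[0-9]\x00){1,3}(?:\.\x00(?:[0-9]\x00){1,3}){3})(?![0-9.]\x00)"
)

# Ranges that can never be a peer on the public Internet; dropped unless asked for.
NOISE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def is_noise(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in NOISE_NETWORKS)


def extract_ipv4_strings(blob: bytes, include_noise: bool = False) -> list[str]:
    """Unique IPv4 literals found as ASCII or UTF-16LE strings, in order of first appearance."""
    candidates = [m.group(1).decode("ascii") for m in ASCII_IPV4.finditer(blob)]
    candidates += [m.group(1).decode("utf-16-le") for m in WIDE_IPV4.finditer(blob)]
    seen: set[str] = set()
    result: list[str] = []
    for cand in candidates:
        try:
            ip = ipaddress.IPv4Address(cand)   # rejects octets above 255, e.g. 999.1.1.1
        except ValueError:
            continue
        if not include_noise and is_noise(ip):
            continue
        text = str(ip)
        if text not in seen:
            seen.add(text)
            result.append(text)
    return result


def extract_from_file(path: str) -> list[str]:
    with open(path, "rb") as fh:
        return extract_ipv4_strings(fh.read())


if __name__ == "__main__":
    # Usage: python extract_peers.py unpacked.exe   (falls back to the constructed blob)
    ips = extract_from_file(sys.argv[1]) if len(sys.argv) > 1 else extract_ipv4_strings(SAMPLE_BLOB)
    for ip in ips:
        print(ip)
```

Run it against the unpacked image rather than the packed download, since the packed file's strings are mostly the unpacker's. Addresses that survive the filter are the ones to feed into netflow and firewall log searches for other machines that contacted the bootstrap peers.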

UPDATE


We had set our spam traps up to let me know when we got our first Waledac Fireworks spam, and it JUST came in while I was at dinner! (Roughly twelve hours after my initial post of this article PREDICTING this spam campaign.)

The first spam message we received on this campaign came from a Russian IP address, 94.255.18.91, and used the email subject "Light up the sky". The body of the message was only one line, as with previous Waledac campaigns, and read "American Independence Day" followed by a link to the virus.

The hostile website in this email was "moviesfireworks.com".

Other email subjects we've seen include:

America the Beautiful
Celebrate the spirit of America
Celebrating the spirit of our Country
Celebrations have already begun
Happy Birthday America!
Long Live America
Super 4th!

The single line of text in the bodies of the emails has included:

America the Beautiful
Bright and joyful Fourth of July
Celebrate the spirit of America
Happy Birthday, America!
Long Live America
Super 4th!
The best of 4th of July Salute

So we believe the same spam template variable is probably being used for both the subject line and the body line.
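That shared template is itself a usable detection signal: a subject drawn from the list above, a one-line body that repeats one of those phrases, and a single http link. The script below is an added example, not code from the original post or from the UAB Spam Data Mine. It parses raw messages with Python's standard email module, scores each against those three indicators plus the campaign domains reported so far, and reports any link domain that is flagged by the template but not yet on the domain list, which is exactly what you want to forward to a shared blocklist. The three sample messages are constructed for the example (trap addresses, URL paths and the benign newsletter are made up; the subject, body line and domain of the first one are the ones reported above), and the verdict rule is my own.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Subject lines and one-line bodies seen in the campaign (from the post above).
TEMPLATE_LINES = {
    s.casefold() for s in (
        "Light up the sky", "American Independence Day",
        "America the Beautiful", "Celebrate the spirit of America",
        "Celebrating the spirit of our Country", "Celebrations have already begun",
        "Happy Birthday America!", "Happy Birthday, America!", "Long Live America",
        "Super 4th!", "Bright and joyful Fourth of July", "The best of 4th of July Salute",
    )
}

# Campaign domains seen so far (also from the post). Extend as new ones are observed.
CAMPAIGN_DOMAINS = {
    "fireholiday.com", "fireworksholiday.com", "holidayfirework.com", "holidaysfirework.com",
    "fireworkspoint.com", "moviesfireworks.com", "moviefireworks.com",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (not real spam-trap captures).
SAMPLES = {
    "first_hit": (
        b"From: fan@example.org\r\nTo: trap@example.com\r\n"
        b"Subject: Light up the sky\r\nContent-Type: text/plain\r\n\r\n"
        b"American Independence Day http://moviesfireworks.com/\r\n"
    ),
    "new_domain": (
        b"From: fan@example.org\r\nTo: trap@example.com\r\n"
        b"Subject: Super 4th!\r\nContent-Type: text/plain\r\n\r\n"
        b"Super 4th! http://www.example.net/video\r\n"
    ),
    "benign": (
        b"From: safety@example.org\r\nTo: trap@example.com\r\n"
        b"Subject: Fireworks safety reminder\r\nContent-Type: text/plain\r\n\r\n"
        b"Please read the attached guidance before Saturday.\r\n"
        b"Full text: http://example.com/safety\r\n"
        b"Thanks,\r\nThe safety team\r\n"
    ),
}


def link_domains(text: str) -> set[str]:
    """Host names from every http(s) URL in the text, lower-cased, minus a leading www."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.add(host)
    return hosts


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message against the Waledac Fourth-of-July template."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    domains = link_domains(text)

    reasons = []
    if subject.casefold() in TEMPLATE_LINES:
        reasons.append("subject matches campaign template")
    if len(lines) == 1:
        reasons.append("single-line body")
        if URL_RE.sub("", lines[0]).strip().casefold() in TEMPLATE_LINES:
            reasons.append("body line matches campaign template")
    known = domains & CAMPAIGN_DOMAINS
    if known:
        reasons.append("links to known campaign domain")

    # Verdict rule (mine): a known domain is enough on its own; otherwise require the
    # template wording, the one-line body, and at least one link to flag the message.
    template_hit = any("template" in r for r in reasons)
    flagged = bool(known) or (template_hit and len(lines) == 1 and bool(domains))
    return {
        "verdict": "waledac" if flagged else "clean",
        "subject": subject,
        "domains": sorted(domains),
        "new_domains": sorted(domains - CAMPAIGN_DOMAINS) if flagged else [],
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Keep the template list and the domain list as data, not code: the botnet rotates both, and the point of the second sample is that a message matching the wording with a link to a domain you have never seen should land in the "new_domains" output rather than be ignored.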

The domain names we have actually seen in received emails so far are:

fireholiday.com
fireworksholiday.com
holidayfirework.com
holidaysfirework.com


As with all previous Waledac spam, these are "fast-flux hosted" on a multitude of IP addresses: the domains resolve to a constantly changing set of infected machines, which proxy visitors through to the real servers, so blocking whatever address a domain resolved to a few minutes ago buys you very little.

Other Domain Names (DO NOT CLICK!!!!!)

fireworkspoint.com
moviesfireworks.com
moviefireworks.com

Jeremy from SudoSecure responded to one of my posts with information from his excellent Waledac tracker. I have to point out that his domain list is VERY complete, and that his blog post was one hour earlier than mine. 8-) But we aren't competing . . . 8-)

4thfirework.com
fireholiday.com
fireworksholiday.com
fireworksnetwork.com
fireworkspoint.com
handyphoneworld.com
happyindependence.com
holidayfirework.com
holidaysfirework.com
holifireworks.com
interactiveindependence.com
miosmschat.com
movie4thjuly.com
moviefireworks.com
movieindependence.com
movies4thjuly.com
moviesfireworks.com
moviesindependence.com
outdoorindependence.com
superhandycap.com
thehandygal.com
video4thjuly.com
videoindependence.com
yourhandyhome.com


Waledac Tracker at SudoSecure

Jeremy's Waledac Blog post



Domains should be updated here as people see them in their spam . . .

http://rss.uribl.com/nic/CHINA_SPRINGBOARD_INC_.html

These are being registered through China Springboard, which is a change of registrar for Waledac, which has always used ENAME before. Of course the ENAME registrar is still loaded with horrible volumes of spam:

http://rss.uribl.com/nic/XIAMEN_ENAME_NETWORK_TECHNOLOGY_D_B_A_ENAME_CN_ENAME_COM.html


Thanks to our friends at URI Black List for providing those real time feeds of bad domains from Chinese registrars for us. They also have a feed for XIN NET:

http://rss.uribl.com/nic/XIN_NET_TECHNOLOGY_CORPORATION.html
