Monday, 19 January 2009

Inauguration Themed Waledac - New Tactics & New Domains


We are just a day away from the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry. For example, today's entry is one that says "Barack Obama has refused to be president".

Click the thumbnail below to see a sample of what the website looks like:

New Tactics


We have also noticed a few changes in the activity.

1) Several different file names are now being used for the executable. Depending on when you request the Waledac pages, a different executable name will be sent. The names appear to be rotating.
2) Wildcard DNS is being used for all of the domains. This means you can look up any subdomain of a Waledac domain and still get a valid IP address back. The spam e-mails have begun using this too. A recent example is an e-mail link pointing to http ://store.greatobamaonline.com/. This allows them to further vary the links being sent out in an attempt to avoid spam filters.
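Because any subdomain resolves, a filter that compares the link's hostname to a blocklist entry exactly will miss these links. The following is an added example, not code from the original post: it extracts URLs from a message body and matches each hostname against blocked registered domains on whole DNS labels. The function names, the `blocked.example` entry and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# greatobamaonline.com is named in the post; blocked.example is a constructed placeholder.
BLOCKED_DOMAINS = {"greatobamaonline.com", "blocked.example"}
# Also accepts the "http ://" spelling used in the post.
URL_RE = re.compile(r"https?\s?://[^\s<>\"']+", re.IGNORECASE)

def hostname_of(url):
    """Lowercase hostname of a URL, without port, userinfo or trailing dot."""
    url = re.sub(r"^(https?)\s+://", r"\1://", url.rstrip(".,;:!?)"), flags=re.IGNORECASE)
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".").lower()

def blocked_parent(host, blocked=BLOCKED_DOMAINS):
    """Return the blocked domain that host equals or sits under, else None.

    Whole DNS labels are compared, so every wildcard-resolved subdomain
    matches while a look-alike such as notgreatobamaonline.com does not.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None

def scan_message(text, blocked=BLOCKED_DOMAINS):
    """Return (hostname, blocked_domain) for each URL under a blocked domain."""
    hits = []
    for match in URL_RE.finditer(text):
        host = hostname_of(match.group(0))
        parent = blocked_parent(host, blocked)
        if parent:
            hits.append((host, parent))
    return hits

# Constructed sample message body (not a captured e-mail).
SAMPLE = (
    "Read: http ://store.greatobamaonline.com/ or "
    "http://News.GreatObamaOnline.com./blog, not "
    "http://notgreatobamaonline.com/ or http://www.example.org/"
)

if __name__ == "__main__":
    for host, parent in scan_message(SAMPLE):
        print(f"{host} -> blocked under {parent}")
```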

New Domains


It appears the group registered several more domains on January 15, 2009. We have been able to identify 15 new domains associated with the trojan. Note that several of them also have "wale" in the domain. It would appear they have a sense of humor. As always, do NOT visit these domains, as they are malicious and hosting exploit code.

New Waledac Domains:


Update: A few hours after our post we learned of several new Waledac domains that were registered and went live today. These domains are as follows:


New Related Exploit Domain:

googol-analisys.com

Full Domain Listing

Click here for a full listing of Waledac domains that we are aware of -- this link will be updated as we get them.

Your best bet is to block these domains or otherwise avoid them.

=>Posted January 19, 2009, at 01:33 PM by Steven Adair