Shadowserver Foundation - Calendar

« October 2008 · April 2009 · May 2013 »

21.02.2009: More on the Adobe Acrobat 0-Day
19.02.2009: When PDFs Attack - Acrobat [Reader] 0-Day On the Loose
16.02.2009: Shadowserver - ASN & Netblock Alerting & Reporting Service
12.02.2009: Joint Effort at Conficker Disruption
02.02.2009: Reports and Data
29.01.2009: Asprox Goes Phishing Again
24.01.2009: More Waledac Domains to Block
22.01.2009: Asprox - It's Baaaaaaack
19.01.2009: See below.
09.01.2009: Waledac Domains - Updated List
31.12.2008: Waledac is Storm is Waledac? Peer-to-Peer over HTTP.. HTTP2p?
11.12.2008: IE7 0-Day Exploit Gets Worse
10.12.2008: IE7 0-Day Exploit Sites
05.12.2008: Anti-Fraud Website Under Constant DDoS Attack

Monday, 19 January 2009

Inauguration Themed Waledac - New Tactics & New Domains

We are just a day away from the Inauguration of Barack Obama and the Waledac trojan has been in full swing attempting to take advantage of the event. Since late last week the trojan has been blasting its way across the Internet with e-mails attempting to bring unwitting users to a page that looks a lot like the official Barack Obama website. The page is updated each day to appear to have a new blog entry. For example, today's entry is one that says "Barack Obama has refused to be president".

Click the thumbnail below to see a sample of what the website looks like:

New Tactics

We have also noticed just a few new changes with the activity as well.

1) Several different file names are being used for the executable now. Depending on when you request the Waledac pages, a new executable name will be sent. It appears to be rotating across multiple different names now.

2) Wildcard DNS is being used for all of the domains. This means you can search for any subdomain on a Waledac domain and still get a valid IP address back. The e-mail spams have begun using this too. A recent example is an e-mail link pointing to http ://store.greatobamaonline.com/. This allows them to further modify the links being sent out in an attempt to avoid Spam Filters.

New Domains

It appears the group registered several more domains to be used on January 15, 2009. We have been able to identify 15 new domains associated with the trojan. Note that several of them also have "wale" in the domain. It would appear they have a sense of humor. As always do NOT visit these domains as they are malicious and hosting exploit code.

New Waledac Domains:

bestbarack.com
bestbaracksite.com
bestobamadirect.com
expowale.com
greatbarackguide.com
greatobamaguide.com
greatobamaonline.com
jobarack.com
superobamadirect.com
superobamaonline.com
thebaracksite.com
topwale.com
waledirekt.com
waleonline.com
waleprojekt.com

Update: A few hours after our post we learned of several new Waledac domains that were registered and went live today. These domains are as follows:

goodnewsdigital.com
goodnewsreview.com
linkworldnews.com
reportradio.com
spacemynews.com
wapcitynews.com
worldnewsdot.com
worldnewseye.com
worldtracknews.com

New Related Exploit Domain:

googol-analisys.com

Full Domain Listing

Click here for a full listing of Waledac domains that we are aware of -- this link will be updated as well get them.

Your best bet is to block these domains or otherwise avoid them.

=>Posted January 19, 2009, at 01:33 PM by Steven Adair

2009-01-19

Monday, 19 January 2009

Inauguration Themed Waledac - New Tactics & New Domains

New Tactics

New Domains