
Monday, 2 March 2009

Waledac Coupon Campaign & Updated Domain List


We have been slacking some on updating the Waledac domain list, but managed to make some updates yesterday. The domains are kept updated at the following URL:

We have also introduced a new URL that lists all of the Waledac domains in alphabetical order, with no comments or anything else. It currently has 143 domains on it and can be reached via the following URL:

These should both be updated at the same time from now on as we add new ones to the list. Please use the domains as you see fit for detecting malicious activity and proactive blocking. The following 39 domains have recently been added to the list:


New Theme & Exploits


In the last week or so, you may have noticed that Waledac moved to a new theme built around the economic crisis and downloadable coupons. This is just the latest social engineering lure used to get users to install the trojan on their systems.

Additionally, for some time now, Waledac has been linking to exploit code that it hosts itself. Lately the domain involved frequently seems to be "chatloveonline.com", with an iframe pointing to it and the URL "/tds/Sah7". So be on the lookout, and don't visit Waledac domains, to avoid the exploits.
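One way to put the domain list to work for detection, as an added example (not Shadowserver's code): it matches proxy-log hostnames against a one-domain-per-line list on label boundaries, so subdomains of a listed domain match and look-alike names do not. The `#` comment syntax, the log layout and the `placeholder-coupon.example` entry are assumptions constructed for illustration; `chatloveonline.com` is the domain named above.

```python
from urllib.parse import urlsplit

# Constructed list: chatloveonline.com is named in the post; the other entry is a placeholder.
SAMPLE_LIST = """\
# comment line (assumed '#' syntax)
chatloveonline.com
Placeholder-Coupon.example   # trailing comment
"""

# Constructed proxy log lines; assumed layout: timestamp client_ip url
SAMPLE_LOG = """\
2009-03-02T12:00:01Z 192.0.2.10 http://chatloveonline.com/tds/Sah7
2009-03-02T12:00:05Z 192.0.2.11 http://www.Placeholder-Coupon.example./index.html
2009-03-02T12:00:09Z 192.0.2.12 http://notchatloveonline.com/
2009-03-02T12:00:12Z 192.0.2.13 http://example.org/?ref=chatloveonline.com
"""

def load_domains(text):
    """Parse a one-domain-per-line list, skipping blanks and '#' comments."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            domains.add(entry)
    return domains

def listed_parent(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    # Compare whole-label suffixes only, and never the bare TLD on its own.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def scan_proxy_log(lines, domains):
    """Return (client, url, matched_domain) for each request to a listed domain."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line
        client, url = fields[1], fields[2]
        match = listed_parent(urlsplit(url).hostname or "", domains)
        if match:
            hits.append((client, url, match))
    return hits

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines(), load_domains(SAMPLE_LIST)):
        print(hit)
```

Matching on the parsed hostname rather than the raw line keeps a listed name that only appears in a query string from raising an alert.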

Posted March 02, 2009, at 12:20 PM by Steven Adair