
Thursday, 16 April 2009

Waledac - New Campaign, New Domains, GeoCities, and SpywareProtect2009


By the looks of the title one could assume we have a few updates about Waledac. That would be a correct assumption, so read on if you are interested. Early this morning (technically yesterday morning by now) Waledac kicked off yet another campaign aimed at socially engineering people into installing it on their systems. The new lure is a program that supposedly lets you read someone else's SMS (text) messages. The spam lures even try to capitalize on snooping on a partner to see whether they are being unfaithful.

A sample of what the new sites look like can be seen below:

The new campaign is basically in line with previous ones: it rotates the executable names and has interesting graphics. However, in our testing the page source did not carry any drive-by exploit attempts this time. Then again, that is likely to change at a moment's notice. We recommend deleting any related e-mails and avoiding all of the domains. Below you will find some additional information on the latest activity.

Recent E-mail Spam Subject Lines:

	Are you interested in reading other people's sms?
	Are you sure in your partner's faithfulness?
	Are you sure that your girlfriend is faithful?
	Are you sure you want to know?
	Does your partner truly love you?
	Do you know whom is she sending sms?
	Do you really trust her?
	Do you really trust him?
	Do you trust her?
	Do you trust your partner blindly?
	Do you want to catch a cheating girlfriend?
	Do you want to get your partner off-guard?
	Do you want to know if your partner is faithful to you?
	Do you want to know if your partner is unfaithful?
	Do you want to read her SMS?
	Do you want to spy on your partner?
	Do you want to test your partner?
	Free program for reading sms
	How well do you know your partner?
	Is your partner cheating on you?
	Is your wife or girlfriend cheating on you?
	Just type the phone number and read SMS
	Keep a spy eye on your Girlfriend's mobile
	Make sure your girlfriend
	New program for reading sms
	Now, It's possible to read other people's SMS
	Now, you can read any SMS messages from any mobile phones
	Read her messages
	Read his messages
	Read his SMS
	Read other people's SMS
	Read other people's SMS online
	Read other people's SMS without any program
	Read other people's sms without registration
	Read other people's SMS without using their phone
	Read your girlfriend sms online
	Suspect your partner is being unfaithful?
	The world's most advanced sms reading program
	Wanna test her?
	You can download new program for reading sms
	Your girlfriend is cheating on you!

Files Now Served from the Waledac Sites:

	install.exe
	smstrap.exe
	trial.exe

20 New Domains


It appears that on April 13, 2009 several new Waledac domains were registered with our all too familiar friends at Xinnet and eName. The following is the list of newly registered Waledac domains; they should be blocked in any way possible.

	bakeloaf.com
	chinamobilesms.com
	coralarm.com
	downloadfreesms.com
	freecolorsms.com
	freeservesms.com
	fryroll.com
	goldfixonline.com
	lastlabel.com
	miosmsclub.com
	moneymedal.com
	nuovosms.com
	screenalias.com
	smsclubnet.com
	smsdiretto.com
	smspianeta.com
	tagdebt.com
	virtualesms.com
	wealthleaf.com
	yourbarrier.com

As always you can get the full list of Waledac Domains past and present via the following two URLs:

http://www.shadowserver.org/wiki/uploads/Calendar/waledac_list.txt - Alphabetical List (Domains Only - 204 now!)
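The domains above are published so they can be blocked, and the full list is a plain one-domain-per-line text file. The following is an added example (not code from Shadowserver or from the original post) of parsing a list in that format and matching it against DNS query logs on label boundaries, so that a subdomain such as www.bakeloaf.com hits but an unrelated name such as notbakeloaf.com does not. The log line format, the client addresses and the queried names are constructed for illustration, and only an excerpt of the domains listed above is embedded so the block runs offline.

```python
"""Match DNS query logs against a domains-only blocklist (Waledac list format)."""
import re
from typing import FrozenSet, List, Optional, Tuple

# Constructed excerpt: same one-per-line format as waledac_list.txt, with a
# comment line added to show that comments and blanks are tolerated.
WALEDAC_LIST_TXT = """\
# Waledac domains (constructed excerpt for this example)
bakeloaf.com
chinamobilesms.com
downloadfreesms.com
smsclubnet.com
"""

# Constructed sample log lines in a BIND-style query-log layout (assumed format).
SAMPLE_LOG = """\
16-Apr-2009 09:03:11.123 client 10.1.2.3#51234: query: www.bakeloaf.com IN A + (10.0.0.53)
16-Apr-2009 09:03:12.456 client 10.1.2.4#51235: query: notbakeloaf.com IN A + (10.0.0.53)
16-Apr-2009 09:03:13.789 client 10.1.2.5#51236: query: SMSCLUBNET.COM. IN MX + (10.0.0.53)
16-Apr-2009 09:03:14.001 client 10.1.2.6#51237: query: geocities.com IN A + (10.0.0.53)
"""

LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_domain_list(text: str) -> FrozenSet[str]:
    """Parse a domains-only list: one per line, '#' comments and blank lines
    ignored, names lower-cased with any trailing dot removed."""
    domains = set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name:
            domains.add(name)
    return frozenset(domains)


def is_blocked(qname: str, blocklist: FrozenSet[str]) -> Optional[str]:
    """Return the listed domain that qname equals or is a subdomain of, else None.

    Matching walks parent names label by label, so 'www.bakeloaf.com' matches
    'bakeloaf.com' while 'notbakeloaf.com' (a different label) does not.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_hits(log_text: str, blocklist: FrozenSet[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, queried_name, listed_domain) for every log line whose
    query names a listed domain or a subdomain of one."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        matched = is_blocked(m["qname"], blocklist)
        if matched:
            hits.append((m["client"], m["qname"], matched))
    return hits


if __name__ == "__main__":
    blocklist = parse_domain_list(WALEDAC_LIST_TXT)
    for client, qname, listed in find_hits(SAMPLE_LOG, blocklist):
        print(f"{client} queried {qname} (listed: {listed})")
```

The hits identify the internal clients that resolved a listed name, which is the starting point for cleanup; the same parsed set can feed a resolver-side block (for example a DNS RPZ zone or a hosts-file sink) so that the executables served from these domains are never fetched.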

GeoCities Spam Run


Waledac is always quite busy spamming. Usually it's a lot of pharmaceutical-type garbage. Recently we blogged about the continued Joe Jobbing it did against an image hosting site. Today we noticed it blasted out a ton of GeoCities links pointing at bogus accounts created for spam. We have ripped out a full list of the links we have seen for download; the list below is a short sample of some of the URLs that were spammed.

	hxxp://geocities.com/adamsnedapu28
	hxxp://geocities.com/clarkgytana49
	hxxp://geocities.com/russellhivaro99
	hxxp://geocities.com/sanchezhyxyge19

Sample Listing of E-mail Subject Lines:

	Best Casino Deal
	Best Deposit Match Available
	Casino Time
	Deposit Match 400%
	Fastest Growing Casino
	It's Casino Time
	It's time 2 play!
	Playtime has Arrived!
	Time 4 Casino
	Time to Play!
	Triple your Deposit!
	Your Casino is here...

It would appear that GeoCities/Yahoo! was able to take down the sites very fast. We requested several of the sites within 15 minutes of the spam starting and could not access any of the URLs; they were all returning 404 or 403 responses. Not a single one took us to a casino site, so we are not sure where these would have led. If anyone managed to visit one of the links while they were live, drop us a line and let us know where it went. You can see the whole list of GeoCities URLs we observed being spammed by clicking here.

Waledac & SpywareProtect2009


Yes, the rumors are true: Waledac did drop SpywareProtect2009 on April 8, 2009. Many people may have seen similar reports in conjunction with Conficker. Several Conficker nodes out there were instructed to update and grab a file from a Waledac domain, which then installed Waledac on those systems. It appears that this was probably done shortly before Waledac instructed several of its nodes to install SpywareProtect2009. We found this very same malware installed on a Waledac system last week. It seems all the bad guys know each other, or at least know how to use one another's services. I guess it's a sick small world.

Posted April 15, 2009, at 09:03 PM by Steven Adair