Wednesday, 31 December 2008
Waledac is Storm is Waledac? Peer-to-Peer over HTTP.. HTTP2p?
You wouldn't have to be living under a rock to have missed all the "Waledac" excitement of the past week and a half or so, but the news has definitely spread fairly widely. In case you missed it, we're going to recap, provide some new details, and throw out some conjecture. A new trojan, which has been called a Waledac variant, appeared in recent weeks hyping up Christmas e-cards with nice inviting e-mails leading you to a cute website where you can pick up your e-card. We know what you are thinking already, and we are probably both speculating the same thing.
For the end user it all starts with a nice inviting e-mail that looks something like this:
If one decides to click the link from the e-mail, it will lead to a website that looks like this:
These e-mail lures have involved several different domains, all of which are part of a fast-flux network. Each of the domains has a TTL of 0 set on its DNS record, and nearly every time a domain is resolved a new IP address is returned, which makes the network rather difficult to shut down. The best option is to block the domains. The following is a list of all of the domains known to Shadowserver to be associated with the Waledac trojan:
bestchristmascard.com blackchristmascard.com cardnewyear.com cheapdecember.com christmaslightsnow.com decemberchristmas.com directchristmasgift.com freechristmassite.com freechristmasworld.com freedecember.com funnychristmasguide.com holidayxmas.com itsfatherchristmas.com justchristmasgift.com livechristmascard.com livechristmasgift.com mirabellaclub.com mirabellaonline.com newlifeyearsite.com newmediayearguide.com newyearcardcompany.com newyearcardfree.com newyearcardonline.com newyearcardservice.com superchristmasday.com superchristmaslights.com superyearcard.com themirabelladirect.com themirabellahome.com whitewhitechristmas.com yourchristmaslights.com yourdecember.com youryearcard.com
Additional exploit domains seen from these domains that are not fluxing or in e-mails:
seofon.net seocom.name seocom.mobi
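As an added illustration of the fast-flux traits described above (this is not code from the Shadowserver post), the script below scans a constructed resolver log for domains that always answer with a TTL of 0 and keep returning different addresses, and separately matches logged names against a subset of the block list. The log format, the thresholds and the sample entries are assumptions.

```python
# Added example, not from the Shadowserver post: flag fast-flux candidates in a
# resolver log by the traits described above (TTL of 0, a new A record on nearly
# every lookup) and match names against the published Waledac block list.
from collections import defaultdict

# A subset of the domains listed in the post.
WALEDAC_DOMAINS = {"bestchristmascard.com", "cardnewyear.com",
                   "itsfatherchristmas.com", "superyearcard.com"}

# Constructed resolver log (assumed format): "<domain> <ttl> <ip>" per lookup.
SAMPLE_LOG = """\
bestchristmascard.com 0 203.0.113.10
bestchristmascard.com 0 198.51.100.7
bestchristmascard.com 0 192.0.2.44
bestchristmascard.com 0 203.0.113.88
ns2.superyearcard.com 0 192.0.2.9
example.org 3600 93.184.216.34
example.org 3600 93.184.216.34
cdn.example 60 198.51.100.1
cdn.example 60 198.51.100.2
cdn.example 60 198.51.100.3
"""

def parse_dns_log(text):
    """Group lookups by domain -> (set of TTLs seen, set of IPs seen)."""
    seen = defaultdict(lambda: (set(), set()))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # skip malformed lines instead of aborting the scan
        domain = parts[0].lower().rstrip(".")
        seen[domain][0].add(int(parts[1]))
        seen[domain][1].add(parts[2])
    return seen

def flag_fast_flux(records, max_ttl=0, min_distinct_ips=3):
    """Domains whose TTLs never exceed max_ttl and that resolved to at least
    min_distinct_ips addresses; a low but nonzero TTL (cdn.example) is not enough."""
    return {d for d, (ttls, ips) in records.items()
            if ttls and max(ttls) <= max_ttl and len(ips) >= min_distinct_ips}

def known_waledac(records, blocklist=WALEDAC_DOMAINS):
    """Logged names that are on the block list, exactly or as a subdomain."""
    return {d for d in records
            if any(d == b or d.endswith("." + b) for b in blocklist)}

if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    print("fast-flux candidates:", sorted(flag_fast_flux(recs)))
    print("on Waledac block list:", sorted(known_waledac(recs)))
```

The TTL and distinct-IP thresholds are deliberately strict so that ordinary CDN names with short but nonzero TTLs are not flagged; tune them to your own resolver's view.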
The Malicious Binary and Peer-to-Peer over HTTP
The binaries we have seen recently have been around 380KB in size. Once executed, the trojan immediately starts beaconing to a seed list of IP addresses that are embedded in the executable. It also adds a String Value named "PromoReg" under '''HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run''' so that it is loaded from the registry at startup. The file is loaded right from wherever it was downloaded to, which in most cases on an infected system will be the Temporary Internet Files directory.
As we mentioned the trojan is fairly loud and starts beaconing right away to seeded hosts. The following is an example of a POST and server response that we observed in testing:
HTTP/1.1 200 OK
Date: Mon, 29 Dec 2008 17:17:22 GMT
As you can see, the payload traffic is not very readable. Looking at the string values of the trojan running in memory, we can see a number of references to OpenSSL and various PKI items, including a public certificate. While we have not analyzed it to this level, we suspect the network is using some form of strong encryption for this communication. The transport traffic itself is all unencrypted HTTP, but the payload, as seen above, is certainly not clear text.
It would seem that web server nodes forward traffic on to other web server nodes, effectively working as a peer-to-peer network, or, as our friend "W" calls it, HTTP2p. There is certainly a back-end mothership somewhere, but it does not seem that infected web nodes talk directly to it, or at least not every time. It is also interesting to note that if the trojan does not successfully connect to any of its seed IPs for ten minutes, it will then attempt to grab a PHP file from one of the domains that is hard coded inside the binary.
Public Certificate: SHA-1 Signing with RSA 1024 Encryption
We mentioned that there was a certificate in memory that was easy to see and rip out. Well here it is for you to view:
A few interesting items from the plain text to note:
Since we haven't reversed it or heard about anyone that has we are not sure entirely what to make of this. This key could potentially be used for encryption even though it has expired. Then again it could be using any other number of means to encrypt this data. I am sure we will see some reports out soon that help clarify all of this.
Right! You are not the only one thinking this. In fact, a lot of people are drawing similar comparisons to Storm. There are a ton of differences, but there are also a bunch of similarities for sure. Here are a few similarities that we, along with our fellow collaborators and security researchers, have come up with:
- Fast-flux Network (domains are fast fluxing and name servers frequently change IPs)
- Several Name Servers per Domain (ns[1-6].<waledac.domain>)
- Use of Nginx (sure lots of people use it, but hey it's a similarity)
- Spreading through e-mail and Holiday Themes
- Use of "ecard.exe" and "postcard.exe" (both previously used by Storm)
- Drive-by Exploit in Domains (Storm previously used Neosploit)
There's also a ton of differences which we are not going to list. We can't say for sure that they are related but we do acknowledge a number of interesting similarities.
Prevention and Detection
The first step, as always, is not to click the links in your e-mail. This will keep you relatively safe and Waledac free. However, we all know that people can and will click nearly anything. Your next step is to block the domains listed above. There will surely be new ones added to the mix in the future, but blocking these will definitely help in the near term. Keeping antivirus up to date can't hurt either.
However, let's assume you get infected or someone comes onto your network already infected. How about a nice Snort signature to detect this traffic? It is now available in the Emerging Threats ruleset:
Have a Happy and Waledac/Storm free 2009 everyone!
Shadowserver would like to thank W, bertdg, and scholar for their feedback, contributions, and collaboration with respect to research on both Waledac and the Storm Worm.
Posted December 31, 2008, at 11:53 AM by Steven Adair