MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

11.2.09

Social Engineering and Waledac Valentine

For current malware, each event, news or special circumstance is exploited as a method of deception to spread themselves or other malicious code, with the spam ornot the attack vectors used for this purpose.

Our mailboxes are concrete examples that describe this situation. The Valentine's Day (or love) is one of them, and if we look a bit of email spam that inundates us, we will notice that many do make reference to the nearby festival.

In fact, waledac has begun its campaign to spread well before spreading using a typical deceptive image that alludes to lovers whereby downloading a binary called love.exe that far from being loving, infects your computer turning it into a zombie.

As an extra component, the previous campaign by downloading the malware, malicious page containing an exploit. Among them were:

googol-analisys. com
seocom. name
seocom. mobi
seofon. net
goog-analysis. com

Recently, however, developers have migrated image to one that seeks to find the same degree of "tenderness" download also waledac.

Some of the names used for the binary are:

lovekit.exe
mylove.exe
loveprogramm.exe
love.exe
loveexe.exe
barack.exe
postcard.exe
devkit.exe
RunMe.exe
you.exe
onlyyou.exe
youandme.exe
card.exe
ecard.exe
val.exe
install.exe

Waledac uses Fast-Flux networks and some of the domains used to propagate them are:

adorelyric. com
adorepoem. com
adoresongs. com
alldatanow. com
alldataworld. com
bestadore. com
bestlovehelp. com
bestlovelong. com
cantlosedata. com
chatloveonline. com
cherishletter. com
cherishpoems. com
freedoconline. com
funloveonline. com
goodnewsdigital. com
losenowfast. com
lovecentralonline.com
lovelifeportal.com
mingwater. com
orldlovelife. com
romanticsloving. com
superobamaonline. com
theworldpool. com
topwale. com
wagerpond. com
whocherish. com
worldlovelife. com
worldtracknews. com
worshiplove. com
youradore. com
yourdatabank. com
yourgreatlove. com
yourteamdoc. com

Many compare it to other malicious code as Nuwar (also known as storm or the storm worm) because of the similarity of their dissemination strategies and performing malicious activities on the infected computer. However, the reality is that waledac is a dangerous malicious code that has formed one of the largest botnet networks of the moment.

Related information
Understanding Fast-Flux networks
Danmec Bot, Fast-Flux networks and recruitment of...

Jorge Mieres

0 comentarios:

Post a Comment

Subscribe to: Post Comments (Atom)