Massive Waledac spreading/infection campaign launched using U.S. Independence Day as a pretext
After a long period of inactivity, the creator (or creators) of the Waledac trojan launched a new spreading campaign yesterday, July 4 (U.S. Independence Day), using the same mechanism that characterizes Waledac and, in its time, characterized Nuwar: social engineering.
This time the pretext is Independence Day, which is celebrated in the U.S., and the propagation mechanism is a fake video purporting to show the fireworks for the celebration of the special day.
This massive spreading/infection campaign is likely to end with a fairly high infection rate, because the vector through which the threat spreads is email, sent in bulk as is characteristic of spam, and reaching millions of users by drawing on the computational power of the Waledac botnet.
At present we see no relevant characteristic that differentiates the spreading mechanism used on this occasion from the previous ones; the activity period may perhaps extend for a good while.
Still, there are obvious analogies. For example, it continues to use BlackHat SEO techniques, composing domain names from words that allude to the pretext (firework, 4th, independence, happy, july, movies, video).
Among the domain names created from these words are (actively spreading Waledac):
The monitoring that sudosecure.net has carried out on this threat since it first appeared under the name Nuwar shows this information graphically.
Waledac also continues to mask its infrastructure with fast-flux techniques, using different IP addresses for the same domain.
Waledac has emerged from the shadows once again, returning to its classic strategy, and will continue its spreading/infection campaign to expand its botnet by recruiting more zombies.
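The two traits described above, lure words in the domain name and many IP addresses in different countries behind a single domain, can be checked together over passive-DNS data. The following is an added detection sketch, not code from this blog or from sudosecure.net; the sample observations, the thresholds and the low-TTL criterion are assumptions made for illustration.

```python
from collections import defaultdict

# Lure words the article lists for this campaign's domain names.
LURE_WORDS = ("firework", "4th", "independence", "happy", "july", "movies", "video")

# Constructed passive-DNS observations: (domain, resolved IP, TTL seconds, country).
# Domains use the reserved .example TLD and IPs the RFC 5737 documentation ranges.
SAMPLE_OBSERVATIONS = [
    ("happy-july-video.example", "192.0.2.10", 60, "US"),
    ("happy-july-video.example", "198.51.100.23", 60, "AR"),
    ("happy-july-video.example", "203.0.113.7", 60, "BR"),
    ("happy-july-video.example", "192.0.2.77", 60, "IL"),
    ("happy-july-video.example", "198.51.100.140", 60, "RU"),
    ("video.cdn-provider.example", "192.0.2.200", 3600, "US"),
    ("video.cdn-provider.example", "192.0.2.201", 3600, "US"),
    ("intranet.corp.example", "203.0.113.50", 86400, "US"),
]

def lure_words_in(domain):
    """Return the campaign lure words that appear in a domain name."""
    name = domain.lower()
    return sorted(w for w in LURE_WORDS if w in name)

def flag_fast_flux(observations, min_ips=4, min_countries=3, max_ttl=300):
    """Flag domains that resolve to many IPs in many countries with short TTLs.

    The thresholds are assumed values, to be tuned against local DNS data.
    """
    ips, countries, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for domain, ip, ttl, country in observations:
        ips[domain].add(ip)
        countries[domain].add(country)
        ttls[domain].append(ttl)
    findings = {}
    for domain in ips:
        fluxing = (len(ips[domain]) >= min_ips
                   and len(countries[domain]) >= min_countries
                   and max(ttls[domain]) <= max_ttl)
        if fluxing:
            findings[domain] = {
                "distinct_ips": len(ips[domain]),
                "countries": sorted(countries[domain]),
                "lure_words": lure_words_in(domain),  # raises triage priority
            }
    return findings

if __name__ == "__main__":
    for domain, detail in flag_fast_flux(SAMPLE_OBSERVATIONS).items():
        print(domain, detail)
```

A lure word alone is not treated as a finding: the constructed `video.cdn-provider.example` entry contains "video" but resolves to a stable pair of addresses in one country, so it is not flagged.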