MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

4.7.09

Massive Waledac spread/infection campaign launched using the U.S. Independence Day as a lure

After a long period of inactivity, the creator (or creators) of the Waledac trojan launched yesterday, July 4 (U.S. Independence Day), a new propagation campaign that uses the same mechanism that characterizes Waledac and that characterized Nuwar in its day: social engineering.

This time the lure is Independence Day, which is celebrated in the U.S., and the propagation mechanism is a fake video that supposedly shows the fireworks for the celebration of the day.

This massive spread/infection campaign is likely to end with a fairly high infection rate, because the vector through which the threat spreads is email which, true to the nature of spam, is massive, reaching millions of users by exploiting the computational power of the botnet that Waledac comprises.

At present we have no relevant characteristic that differentiates the propagation mechanism used on this occasion from the previous ones; perhaps the period of activity will be extended for a good while.

Still, there are obvious analogies. For example, it continues to use BlackHat SEO techniques in the composition of domain names alluding to the lure (firework, 4th, independence, happy, july, movies, video).

Among the domain names created from these words are (all of them actively spreading Waledac):

videoindependence .com
video4thjuly .com
outdoorindependence .com
moviesindependence .com
movieindependence .com
moviesfireworks .com
moviefireworks .com
movies4thjuly .com
movie4thjuly .com
interactiveindependence .com
holifireworks .com
holidaysfirework .com
happyindependence .com
4thfirework .com
freeindependence .com

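The pattern described above (domain labels glued together from a small lure vocabulary) can be turned into a detection rule. The following is an added example, not code from the MalwareIntelligence post: it segments the first label of a domain against a vocabulary with dynamic programming and flags it when the label is entirely covered by known tokens and contains at least one lure keyword. The vocabulary is an assumption built from the post's keyword list plus the extra tokens visible in the domains it lists (outdoor, interactive, holi, holidays, free); the benign sample domains are constructed.

```python
"""Flag domain names assembled from a campaign's lure vocabulary.

Added example (not from the MalwareIntelligence post). The vocabulary is an
assumption taken from the post's keyword list and the extra tokens visible in
the domains it lists; it is not a Waledac configuration.
"""

LURE_KEYWORDS = {
    "firework", "fireworks", "4th", "independence", "happy", "july",
    "movies", "movie", "video",
}
# Tokens that appear in the listed domains alongside the lure words.
FILLER_TOKENS = {"outdoor", "interactive", "holi", "holidays", "free"}
VOCAB = LURE_KEYWORDS | FILLER_TOKENS


def segment(label, vocab=VOCAB):
    """Split a domain label into vocabulary tokens (fewest tokens wins).

    Dynamic programming over prefixes: best[i] holds the shortest token list
    covering label[:i], or None when no covering exists.
    """
    n = len(label)
    best = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(i):
            if best[j] is not None and label[j:i] in vocab:
                candidate = best[j] + [label[j:i]]
                if best[i] is None or len(candidate) < len(best[i]):
                    best[i] = candidate
    return best[n]


def normalise(domain):
    """Undo the defanging used in reports ('video4thjuly .com', 'a[.]com')."""
    return domain.lower().replace("[.]", ".").replace(" ", "").strip(".")


def is_lure_domain(domain, min_tokens=2):
    """Return (flag, tokens).

    A domain is flagged when its first label is entirely covered by the
    vocabulary, uses at least min_tokens tokens and contains at least one
    lure keyword. The token floor keeps single words such as 'video' or
    'happy' from matching on their own.
    """
    label = normalise(domain).split(".")[0]
    tokens = segment(label)
    if tokens is None or len(tokens) < min_tokens:
        return False, []
    return any(t in LURE_KEYWORDS for t in tokens), tokens


def scan(domains):
    """Return the (normalised) domains from the input that look like lure domains."""
    return [normalise(d) for d in domains if is_lure_domain(d)[0]]


if __name__ == "__main__":
    # Sample input: three domains from the post plus constructed benign names.
    sample = ["videoindependence .com", "holifireworks .com", "4thfirework .com",
              "example.com", "videoconference.com", "happyfireworksdisplay.com"]
    for d in sample:
        print(d, is_lure_domain(d))
```

Run over a DNS or proxy log, `scan()` gives the list of names worth a closer look; because the segmentation requires the whole label to be covered, names that merely contain a lure word inside ordinary text (such as `videoconference.com`) are not flagged.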
The names of the binaries used by Waledac to date, with the hashes observed for each, are:

install.exe: 885ac83376824a152f2422249cf4d7e5, b5f3d0150fb4b7e30e7a64d788e779e0, 424a85c096ce6d9cbbe8deb35a042fda

movie.exe: 74c3b53958527b8469efa6e6d8bccaf9, 2740cee619deccad6ed49ff6a23ebd14, a45d0405518ad2c294ed1b151e808f55, 426e031049675c8136c6739530057ba5, 395b1d4a68f435416cbb69cae0c220c7, 28de1675b2694927c16d34eacdafbc56

run.exe: 30a6e0e3bdb000ce85dc8d754582f107, b14c93fb2cf91d2a03e20f7165101f5e, 3083b6bc236121e6150f13f3d0560635

fireworks.exe: c62c388472695589bd5e0f4989d93ab0, ae2fc409bd054047f9582fb9f76eb1aa, 1b21e77b08c31bf99e5cc3f6cfd11954

setup.exe: 3c067587383d3c26a3b656f25c54ea47, f2589d96b7f6838ae322e4c6739efd07, 543630de475994ce778fa35ce45984f4, 9fa07157ee1e1c1b86a27df816596d13

patch.exe: dcde62f021146696100d87b9c741be73, 6811725f3cdda17ba5f8877f02a796d4, d655566ba4911fc0ff60d197d54dff2c, 395b1d4a68f435416cbb69cae0c220c7

video.exe: 499db7f0870ce5de80193996179445e5, c1a3ef240be48fb500167aaedb72bdcf, 02ed2300a349a0c20c5b15b06130ba1f

The monitoring that sudosecure.net has carried out on this threat since it was born under the name Nuwar allows this information to be viewed graphically.


Similarly, we can visualize plenty of graphic information, such as the IP addresses involved in the dissemination of Waledac, in this case the Top 10. Considering that the campaign is focused on the U.S. (although this does not mean that the number of infected people is limited to the U.S.), it is logical to believe that most infections occur, in the first instance, in that country.

On the other hand, Waledac continues to implement its masking technique by means of fast-flux, using different IP addresses for the same domain.

videoindependence .com
98.211.105.230 > United States
76.106.189.169 > United States
201.213.72.205 > Argentina
201.21.134.78 > Brazil
201.6.212.62 > Brazil
201.212.3.94 > Argentina
69.148.172.231 > United States
99.141.124.192 > United States


video4thjuly .com
72.225.252.27 > United States
71.193.54.175 > United States
84.109.243.13 > Israel
200.108.196.153 > Uruguay
201.241.106.65 > Chile
200.26.178.12 > Paraguay
201.213.101.148 > Argentina
81.97.116.82 > United Kingdom
76.103.252.191 > United States
201.6.229.122 > Brazil
68.56.57.51 > United States
200.112.184.67 > Argentina
67.242.8.170 > United States
82.162.25.19 > Russian Federation
84.253.71.15 > Russian Federation
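The two listings above are exactly the kind of data a resolver log or passive-DNS feed yields, and the fast-flux behaviour they show can be scored automatically. The following is an added example, not code from the MalwareIntelligence post: it aggregates, per domain, the number of distinct addresses, distinct /16 prefixes and distinct countries, and flags a domain when all three exceed thresholds. The records are constructed from the post's two listings plus a made-up stable domain (`example-corp.com`, in documentation address space) for contrast; the thresholds are assumptions a defender would tune to local traffic.

```python
"""Score domains for fast-flux behaviour from DNS resolution records.

Added example, not from the MalwareIntelligence post. RECORDS is constructed
from the post's two resolution listings plus one made-up stable domain; the
thresholds in is_fast_flux_candidate() are assumptions to be tuned locally.
"""
from collections import defaultdict

# (domain, resolved IP, country) as a resolver or passive-DNS feed would show it.
RECORDS = [
    ("videoindependence.com", "98.211.105.230", "United States"),
    ("videoindependence.com", "76.106.189.169", "United States"),
    ("videoindependence.com", "201.213.72.205", "Argentina"),
    ("videoindependence.com", "201.21.134.78", "Brazil"),
    ("videoindependence.com", "201.6.212.62", "Brazil"),
    ("videoindependence.com", "201.212.3.94", "Argentina"),
    ("videoindependence.com", "69.148.172.231", "United States"),
    ("videoindependence.com", "99.141.124.192", "United States"),
    ("video4thjuly.com", "72.225.252.27", "United States"),
    ("video4thjuly.com", "71.193.54.175", "United States"),
    ("video4thjuly.com", "84.109.243.13", "Israel"),
    ("video4thjuly.com", "200.108.196.153", "Uruguay"),
    ("video4thjuly.com", "201.241.106.65", "Chile"),
    ("video4thjuly.com", "200.26.178.12", "Paraguay"),
    ("video4thjuly.com", "201.213.101.148", "Argentina"),
    ("video4thjuly.com", "81.97.116.82", "United Kingdom"),
    ("video4thjuly.com", "76.103.252.191", "United States"),
    ("video4thjuly.com", "201.6.229.122", "Brazil"),
    ("video4thjuly.com", "68.56.57.51", "United States"),
    ("video4thjuly.com", "200.112.184.67", "Argentina"),
    ("video4thjuly.com", "67.242.8.170", "United States"),
    ("video4thjuly.com", "82.162.25.19", "Russian Federation"),
    ("video4thjuly.com", "84.253.71.15", "Russian Federation"),
    # Constructed stable host for contrast: the same small answer set every time.
    ("example-corp.com", "192.0.2.10", "United States"),
    ("example-corp.com", "192.0.2.10", "United States"),
    ("example-corp.com", "192.0.2.11", "United States"),
]


def profile(records):
    """Aggregate per-domain counts of distinct IPs, /16 prefixes and countries."""
    ips, prefixes, countries = defaultdict(set), defaultdict(set), defaultdict(set)
    for domain, ip, country in records:
        ips[domain].add(ip)
        # First two octets as a cheap stand-in for "same network" when no
        # ASN data is available.
        prefixes[domain].add(".".join(ip.split(".")[:2]))
        countries[domain].add(country)
    return {d: {"ips": len(ips[d]), "prefixes": len(prefixes[d]),
                "countries": len(countries[d])} for d in ips}


def is_fast_flux_candidate(stats, min_ips=5, min_prefixes=4, min_countries=2):
    """Many addresses spread over unrelated networks and countries is the
    fingerprint of a flux network; a load-balanced name served by one provider
    normally stays within that provider's own prefixes and region."""
    return (stats["ips"] >= min_ips
            and stats["prefixes"] >= min_prefixes
            and stats["countries"] >= min_countries)


def flux_candidates(records):
    """Return the sorted list of domains whose resolution profile looks like fast-flux."""
    stats = profile(records)
    return sorted(d for d, s in stats.items() if is_fast_flux_candidate(s))


if __name__ == "__main__":
    for domain, stats in profile(RECORDS).items():
        print(domain, stats, "FLUX" if is_fast_flux_candidate(stats) else "ok")
```

The /16 prefix count is the cheap proxy used here because the post gives countries but not ASNs; where ASN data is available, counting distinct ASNs per domain is the better measure of network diversity.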

Waledac has emerged from the shadows once again, returning to its classic strategy: it will continue to spread its infection campaign in order to expand its botnet through the recruitment of more zombies.

Related information on this blog
Estrategia BlackHat SEO propuesta por Waledac
Waledac. Seguimiento detallado de una amenaza latente
Más Waledac en acción ¿Puedes adivinar cuánto te amo gano?
Waledac más amoroso que nunca
Waledac e Ingeniería Social en San Valentín

Jorge Mieres
