Waledac Questions Answered

by Erin on February 3rd, 2009 in Industry and Security News, Security Tips.

Waledac, a new threat currently circulating, is believed by many researchers to be the replacement for the notorious Storm Worm; similarities have been noted in both its technique and behavior. As Lavasoft researchers have reported, you may have seen Waledac's work firsthand through an assortment of spammed messages (holiday greeting cards, messages exploiting the inauguration of U.S. President Barack Obama and, more recently, love-related notes taking advantage of Valentine's Day) - all of which bait the user into executing the malware.

[Visualization of Waledac courtesy of Sudosecure.net]

We took some commonly asked user questions about this threat to Jeremy Conway, an independent security researcher at Sudosecure.net who has been closely tracking Waledac. Read our Q & A below to learn more.

How closely have you been following Waledac? When did it first appear?

"Waledac first appeared mid December, and I have been aggressively tracking it since the 2nd of January. To track this worm, I have written several scripts that aggressively exploit the Double Fast Flux structure of the Waledac Botnet. Waledac-infected computers that have public IP addresses (those not behind a NAT) serve two additional functions when compared to infected computers with private IP addresses (behind a NAT), which are an HTTP proxy function and a Fast Flux Name Server function. My scripts crawl these Fast Flux Name Servers performing Domain to IP DNS requests to identify newly infected computers. The other portion of my tracking consists of retrieving the Waledac Trojan executable every 30 minutes and performing a simple MD5 against it to identify new versions as they are made available through the HTTP web proxies. These HTTP web proxies are infected computers that pass the latest web theme/campaign and Waledac Trojan to end users visiting any of the current Waledac Domain names. These proxies hide the real web servers from the public and researchers to protect the true command and control servers for the Waledac botnet."
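The two tracking ideas in the answer above, detecting fast-flux churn from repeated DNS lookups and hashing the periodically fetched executable to spot new builds, are illustrated here as an added example; this is not Sudosecure's code, and the domains, addresses and payload bytes are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed DNS poll results: (poll_seconds, domain, ttl_seconds, A records).
# Addresses come from documentation ranges; they are not real infections.
SNAPSHOTS = [
    (0,   "card.example",   60,   ["203.0.113.10", "198.51.100.7", "192.0.2.33"]),
    (300, "card.example",   60,   ["198.51.100.88", "192.0.2.9", "203.0.113.41"]),
    (600, "card.example",   60,   ["192.0.2.120", "203.0.113.77", "198.51.100.3"]),
    (0,   "static.example", 3600, ["93.184.216.34"]),
    (300, "static.example", 3600, ["93.184.216.34"]),
    (600, "static.example", 3600, ["93.184.216.34"]),
]

def flux_report(snapshots, max_ttl=300, min_changes=2, min_ips=4):
    """Per domain: how many distinct IPs appeared and how often the answer set
    changed between polls. Short TTL plus constant churn across many addresses
    is the fast-flux pattern the interview describes."""
    seen, changes, ttl, last = defaultdict(set), defaultdict(int), {}, {}
    for _, dom, t, ips in sorted(snapshots):
        cur = frozenset(ips)
        if dom in last and cur != last[dom]:
            changes[dom] += 1
        last[dom] = cur
        seen[dom] |= cur
        ttl[dom] = t
    return {
        dom: {
            "distinct_ips": len(seen[dom]),
            "changes": changes[dom],
            "ttl": ttl[dom],
            "suspect": (ttl[dom] <= max_ttl and changes[dom] >= min_changes
                        and len(seen[dom]) >= min_ips),
        }
        for dom in seen
    }

def new_builds(payloads, known=()):
    """Hash each retrieved payload and return digests not seen before, in
    first-seen order. The interview used MD5; SHA-256 is used here."""
    known, fresh = set(known), []
    for blob in payloads:
        digest = hashlib.sha256(blob).hexdigest()
        if digest not in known:
            known.add(digest)
            fresh.append(digest)
    return fresh
```

Feeding real resolver output into `flux_report` only needs the same four-tuple shape per poll; the thresholds are starting points to tune against your own baseline of legitimate low-TTL domains (CDNs also rotate addresses).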

How are computer users most commonly getting infected?

"The Waledac botnet's main purpose is to spew out spam. Spam templates are passed in an HTTP peer to peer network structure between infected computers, which is why many researchers are referring to the Waledac Trojan as an HTTP P2P botnet. This HTTP P2P structure is also used to pass other infected computer IP addresses to ensure communication and spam templates are maintained and distributed to the HTTP bots in a timely manner. Computer users are infected using social engineering spam messages. There have been several different themes/campaigns for these social engineering techniques. The first was a Christmas theme in which a user was told he or she has received a postcard or e-card from a friend and was asked to download it. The second major theme was a political theme attempting to exploit the inauguration and popularity of President Obama. This theme sent several spam messages that appeared to be related news such as "Barrack Obama has refused to be President". These spam messages linked to a fake blog site with President Obama's photo on it. On this fake blog site, all links prompted the end user to download and execute the Waledac Trojan. The third and present theme is a Valentine's theme and spam messages like "Someone loves you".

Spam messages are also sent out for pharmaceutical messages, such as the ever popular "Canadian Pharmaceutical" spammed sites. These sites have been covered in the past by numerous researchers and even the news media, as they offer discount drugs without a prescription. One of the most popular items being pushed by these sites is Viagra and other male enhancement drugs."

What is the scale of the botnet of compromised PCs being created? What region has the majority of infected PCs?

"The Waledac Botnet is approximately 20,000 - 30,000 infected nodes and growing. This estimate was derived from crawling the botnet and analyzing infected lab computers as they communicated with the botnet. According to my tracking scripts China appears to be the region hit the hardest, followed by The Republic of Korea, and then the United States. I was personally surprised to find the United States as the third most infected region since the Barack Obama theme appeared to target the United States specifically."

What is known about the authors of this malware?

"Very little is truly known about the real authors of the Waledac Trojan, but it is suspected that the Russian Business Network (RBN) is involved. I believe this suspicion stems from so many researchers believing Waledac is the Storm Worm replacement. It had been suspected that the RBN was behind the Storm Worm as well."

What tips would you give everyday computer users for how to prevent getting infected?

"The best advice I can give computer users is to not download executable files from sites that claim you need to install them to view additional content on the web site. Most legitimate web sites do not ask users to download additional software to view their content. Another piece of advice I can give is to not open email messages from people you do not know, and never follow the links inside of these messages if you do by chance open them. After that, it would be advisable to ensure your antivirus software is up to date and running."

For more information and detailed graphs visualizing Waledac, visit sudosecure.net.