A new variant of the infamous Waledac worm has come to light thanks to our friends at Shadowserver.com. Symantec detects this variant as W32.Waledac.B. The modus operandi used in this Waledac campaign has not changed much since we initially encountered Waledac: it is still using holiday greeting card spam emails to spread itself and other threats. This can be seen in our blog, ‘W32.Waledac.B carrying New Year wishes’.
If a victim follows the URL presented to them in the fake spam email holiday greeting card, they are directed to a site similar to the one seen below.
The attackers then use a two-pronged attack on their victim. First, they try to trick the victim into downloading their payload through the usual social engineering tactic of claiming that the correct software to view the greeting card is not installed. Second, the site redirects the host to a Web exploit kit, which looks for vulnerabilities in the Web browser in order to clandestinely install the payload. If the attacker is successful, multiple threats are downloaded onto the victim’s system. As seen in previous Waledac campaigns, they are installing a misleading application onto the victim’s system; in this case the misleading application is ‘HDD Fix’.
However, as mentioned, we have seen several different threats being downloaded onto the victim’s compromised system as a result of visiting the URL in the spam email. The threats seen so far include Trojan.FakeAV, Downloader, Backdoor.Tidserv, Trojan.Zefarch, and Trojan.Karagany.
Results of monitoring the unique IP addresses seen within the current Waledac fast flux botnet over a period of 24 hours suggest that, at this stage, the botnet is relatively small, with fewer than 1000 bots. Waledac, however, has a history of being a slow starter, building up over time through continued spam campaigns, and it has the potential to grow back to its previous heights. The heat map below shows the current distribution of unique IPs observed within the Waledac fast flux botnet.
Waledac fast flux unique IP heat map:
Symantec has antivirus detection in place for all the threats mentioned in this blog. The Intrusion Prevention Signature (IPS) ‘HTTP Java LaunchJNLP DocBase BO’ also blocks the Web exploit kit. However, as always, Symantec recommends that you keep your definitions up to date to ensure protection against new threats.