Monday, March 16, 2009

Waledac: Fake Dirty Bomb in Your City

In the February 25th edition of this Blog, Watch Out For Coupon Offers, we described how the Waledac malware family was being distributed in spam pretending to be from "The Couponizer". One of the unique additions to that campaign was that the criminal was using a GeoLocation service on his website to customize the website to reflect the location of your computer.



So, in my location, the headline reads "Powerful explosion burst in Birmingham this morning.", but that is because the criminal has resolved my originating IP and determined I was in Birmingham, Alabama.

In today's version of the Waledac spam, we see the same brief emails which were used in the Valentine's Day and Couponizer Waledac campaigns. A small phrase as the subject line, such as:

Haven't you been there?
I hope you are in good health
What a tragedy!
Take care about yourself!

and another small phrase in the body, such as:

Are you and your friends ok?
How do you feel?
I worry about you
We worry about you

followed by a link to a website, ending in "main.php" or "run.php" or "contact.php", or with no filename at all - just the path.

Clicking on the video controls will prompt for the download of an executable - "news.exe" in my case, which would join your computer to the spamming botnet.

VirusTotal gave a 7 of 39 detection rate for this malware.

click here for VirusTotal Report.

For whatever reason it seems that NOBODY is shutting down the Waledac domains. We reviewed 57 recent and current Waledac domains, and found that only six of them were not currently resolving.

Here is the list of domains associated with Waledac:

adorepoem.com
adoresong.com
adoresongs.com
bestadore.com
bestbreakingfree.com
bestcouponfree.com
bestgoodnews.com
bestlovehelp.com
bestlovelong.com
bluevalentineonline.com
breakingfreemichigan.com
breakinggoodnews.com
breakingkingnews.com
breakingnewsfm.com
breakingnewsltd.com
chatloveonline.com
cherishletter.com
cherishpoems.com
codecouponsite.com
extendedman.com
farboards.com
funloveonline.com
funnyvalentinessite.com
goodnewsdigital.com
goodnewsreview.com
greatcouponclub.com
greatsalesgroup.com
greatsalestax.com
greatsvalentine.com
greatvalentinepoems.com
linkworldnews.com
longballonline.com
lovecentralonline.com
lovelifeportal.com
reportradio.com
romanticsloving.com
smartsalesgroup.com
spacemynews.com
supersalesonline.com
thecoupondiscount.com
thevalentinelovers.com
thevalentineparty.com
tntbreakingnews.com
wapcitynews.com
whocherish.com
wirelessvalentineday.com
worldlovelife.com
worldnewsdot.com
worldnewseye.com
worldtracknews.com
worshiplove.com
youradore.com
yourbreakingnew.com
yourcountycoupon.com
yourgreatlove.com
yourlength.com
yourvalentinepoems.com

You can clearly see that some are "News", some "Coupon", and some "Valentine" related, but they are almost all still active and still infecting people's computers in an attempt to regrow the Waledac spamming botnet.

The domain names use only four different identities in their WHOIS data:

yanshi_ying@yeah.net (Yan Shi Ying)
ed30673637@126.com (Zhao Jun Hua)
meishengchang@163.com (LiPaul Kunshan Yunshu Gongsi)
wusong_ccc@126.com (Zhang Min)

We don't know the size of the Waledac spamming botnet right now, but we were able to quickly make a list of more than 1,200 machines which are currently "hosting" the webservers used by the malware. I've made a file available of 1,235 IP addresses currently hosting Waledac web proxy servers, but that is only a tiny sample of the overall population. Domain owners will find the IP addresses sorted by Country Code, then ASN/Organization, and then IP. Country codes of the bots include:

AR, AU, BA, BE, BG, BR, BS, BY, CA, CH, CI, CL, CN, CO, CS, CZ, DE, DK,
EE, ES, EU, FI, FR, GB, GE, HK, HU, IE, IL, IN, IR, IT, JP, KR, KZ, LT,
LV, MA, MD, MK, MY, NL, NO, PH, PL, PT, RO, RS, RU, SE, SI, SK, TH, TN,
TR, UA, US, UY, VN, and ZA.

(Quiz yourself - How many of those country codes do you know?
Need to cheat? - list of country codes)

The distribution of infected machines in my little snapshot is quite diverse. More than 300 networks from 60 different countries, with no network having more than 60 of the 1,235 machines on my list.

The top networks in my unscientific snapshot were:
59 machines - ComCast ASN 7922 (USA)
58 machines - Proxad ASN 12322 (France)
54 machines - Rogers Cable ASN 812 (Canada)
52 machines - AT&T ASN 7132 (USA)
51 machines - NTL Group ASN 5089 (Great Britain)
44 machines - Shaw Communications ASN 6327 (Canada)
34 machines - Charter Communications ASN 20115 (USA)
27 machines - ComCast ASN 33491 (USA)
26 machines - Road Runner ASN 11427 (USA)
20 machines - ComCast ASN 33278 (USA)

The full list is available as an Excel spreadsheet or as a CSV file.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.