While investigating the worm W32.Waledac recently, we got a shock (and a few laughs) from what popped up on our screens (yes, unfortunately this is what passes for kicks in the virus lab during the holiday season):
(to see how we received this – skip to “Arnold Surprise” below)
First, I’ll tell you a little bit about the worm. W32.Waledac is a worm that sends emails containing a link to an apparent Christmas e-card that you have received. However, when the link for the e-card in the email is visited, you receive a copy of the worm instead of a greeting card. The file name used by the worm is ecard.exe and the links are all Christmas related, such as:
The emails look something like the following (although the template changes slightly all the time):
From: "[FirstName]" <random@random>
Subject: Merry Christmas wishes just for you
Date: Tue, 23 Dec 2008 20:14:17 -0000
[FirstName] has just posted Merry Christmas Wishes.
To pick up your greeting card, click on the following link:
The greeting card will be stored for you for 14 days.
And, when the link is visited, you will get a message like this:
(Please don’t run the .exe!)
Even if you don’t accept the download of the ecard.exe “greeting card,” the attackers are already hard at work trying to exploit vulnerabilities in your browser. The page currently attempts to exploit many different vulnerabilities, including the zero-day vulnerability in Microsoft Internet Explorer discovered last week (patches from MS available here http://www.microsoft.com/technet/security/Bulletin/MS08-078.mspx).
The list of exploits includes:
MDAC Exploit (of course)
Adobe PDF Exploit
MS IE7 Exploit MS08-078
QuickTime RTSP exploit
Snapshot Viewer exploit
NCTAudioFile2 ActiveX exploit
KingSoft UpdateOcx2.dll SetUninstallName() Heap Overflow Exploit
Yahoo! Webcam image upload ActiveX Exploit
Yahoo! Webcam view utilities ActiveX Exploit
Aurigma ImageUploader ActiveX Exploit
RealNetworks RealPlayer ActiveX Exploit
Creative Software AutoUpdate Engine ActiveX stack buffer overflow Exploit
CA BrightStor ARCserve Backup r11.5 AddColumn() Exploit
WebEx Meeting Manager ActiveX Control Exploit
(Patches for all of the exploits mentioned above have been released by the respective vendor previously, i.e., there are no new exploits here.)
The worm contains a long list of IP addresses that appear to be the control servers [see the writeup here for details]. The worm communicates with the control servers via a series of HTTP POST requests to randomly named pages at these IP addresses, and the data sent appears to be encrypted. The worm also appears to communicate with other infected hosts via a peer-to-peer channel. We are still analyzing the communication channels used by the worm. We will update this blog at a later stage with more info.
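An added example (not from the original post and not Symantec's tooling) of hunting in web proxy logs for the two network behaviours described in this post: a fetch of ecard.exe, and POST requests to differently named pages on bare IP addresses. The log format, sample lines, page names and the threshold of three targets are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: time, client, method, URL, bytes sent (assumed log format).
# Addresses are documentation ranges and the page names are made up.
SAMPLE_LOG = """\
2008-12-23T20:10:01 10.0.0.5 GET http://cards.example/ecard.exe 0
2008-12-23T20:14:02 10.0.0.5 POST http://192.0.2.10/kqzvbn.htm 412
2008-12-23T20:14:40 10.0.0.5 POST http://198.51.100.7/xwpl.png 388
2008-12-23T20:15:11 10.0.0.5 POST http://203.0.113.9/hfgtra.php 420
2008-12-23T20:15:30 10.0.0.8 POST http://intranet.example/login 96
2008-12-23T20:16:00 10.0.0.8 GET http://192.0.2.10/index.html 0
2008-12-23T20:16:05 10.0.0.9 POST http://192.0.2.10/abcd.htm 400
"""

def is_ip_literal(host):
    """True when the URL host is a raw IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_suspects(log_text, min_targets=3):  # threshold is an assumption
    """Map client IP -> reasons it matches the behaviour described in the post."""
    ecard_clients = set()
    ip_post_targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _ts, client, method, url, _sent = fields
        parts = urlsplit(url)
        if parts.path.lower().rsplit("/", 1)[-1] == "ecard.exe":
            ecard_clients.add(client)
        if method == "POST" and is_ip_literal(parts.hostname or ""):
            ip_post_targets[client].add((parts.hostname, parts.path))
    findings = {}
    for client in sorted(ecard_clients | set(ip_post_targets)):
        reasons = []
        if client in ecard_clients:
            reasons.append("ecard.exe download")
        count = len(ip_post_targets.get(client, ()))
        if count >= min_targets:
            reasons.append("POSTs to %d bare-IP pages" % count)
        if reasons:
            findings[client] = reasons
    return findings
```

Calling `find_suspects(SAMPLE_LOG)` flags only 10.0.0.5; a single POST to an IP address or a GET to one is not enough on its own to be reported.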
While monitoring activity on the botnet we mostly saw encrypted info being sent via POST requests to the control servers. Then we noticed a large image being sent down. Curious as to what the image might be, we grabbed the image from the wire and hesitantly opened it. I’m not sure what we were expecting exactly, but this old picture of Arnold certainly wasn’t it! That caught us off guard completely and gave us a good laugh (thanks?). It seems that the speed of our connection was being tested, because shortly after this the worm tried to start sending spam.
The spam that the worm was trying to send was mostly Christmas e-card emails that the worm uses to try and spread itself as mentioned above. However, we also saw the following emails being sent (we also enjoyed the poor English that is usually employed in these types of emails—it keeps us laughing too):
From: "Random Name" <email@example.com>
To: <victim >
Subject: Flexible Hours career_ promotion possibilities for you
Date: Tue, 23 Dec 2008 20:14:11 -0000
We found your ad of work search. First of all let me introduce. We are
the large financial company. The main types of activity:
securities,exchange services,trading services,broker intermediary.
During the global crisis we have obtain a lot of customers who are
waiting for jump of the basic stock quotes. Most of the newly acquired
customers is in the Canada. Due to features of the legislation we
cannot work directly with physical persons. To do this we need an
authorized representative or official representation. As we did not
expect huge interest from the Canada - the opening of representation
is not included in our plans. In connection with the aforesaid, we are
looking for responsible person for mediation services which will be
the official representative in your region. In more details we will
tell to you in case of your interest. Send your interest note ONLY to:
Symantec originally detected this threat as a downloader and it has now been renamed to W32.Waledac, so be sure to update your definitions. Our IPS signatures also detect exploit-related traffic from the URLs listed above and our browser protection also triggered when we visited the sites listed above.
A tip of the hat goes out to my colleague, Vikram Thakur, who shared in the research on this threat and also helped compile the info for this article. Over at Arbor Networks, Jose Nazario also posted a blog about this threat that you can find here.
That’s all for now, but we’ll keep you posted on any new info. So, from everyone here in the virus lab, Happy Holidays!