A few weeks ago, while most people were busy preparing for 4th of July celebrations and looking forward to a long weekend, W32.Waledac launched a new spam campaign. The links in the spam emails led to a website claiming to contain a fireworks video. We have previously seen this malware use popular holidays such as Christmas and Valentine’s Day, so it is not really surprising that it would use Independence Day as well. A screenshot of the 4th of July Waledac website is shown below:
Figure 1. Screenshot of W32.Waledac's 4th of July website
In this blog post I will give an overview of W32.Waledac and how it works. There will be a follow-up post or two that will discuss the various aspects of W32.Waledac in more detail.
W32.Waledac is a worm and spam bot. It has the functionality to download and execute binaries, act as a network proxy, send spam, mine infected computers for data such as email addresses and passwords, and perform denial-of-service (DoS) attacks.
Symantec began noticing an increase in W32.Waledac activity around the third week of December 2008. At that time, the worm began spamming Christmas-themed emails and turning infected systems into spam bots.
The main purpose of W32.Waledac is to send spam, to propagate itself, and to download additional files onto infected machines. The spam functionality of W32.Waledac serves a dual purpose: it uses spam both to spread itself and to push dubious products. Waledac spreads by sending emails containing links to copies of itself. It tries to entice users to open the emails with social-engineering techniques, such as using holiday themes related to Christmas or Valentine’s Day, topical news like the new US presidency, or fake news of bombing incidents that use geographical proximity to make the news report seem more sensational. Figure 2 shows a timeline of the propagation spam campaigns that this malware has launched up to now.
Figure 2. Timeline of W32.Waledac's propagation spam campaigns
Some W32.Waledac sites have also been seen serving exploits for various browser vulnerabilities, so that the worm can install itself onto a victim’s machine when the site is merely visited. With this technique, even if the victim doesn’t download or run the malicious binary, their system can still be compromised if it is vulnerable to the exploits that W32.Waledac uses. Fortunately, most of the vulnerabilities used by W32.Waledac are not new and the respective vendors have already patched them, so users who consistently update their applications and systems are likely protected from such exploits. Conversely, some W32.Waledac sites, such as the ones used for the 4th of July campaign, do not contain any exploits at all.
The spam emails contain links to malicious sites that host the Waledac executable. The authors build these malicious websites to look convincing so that a victim will trust the sites. The worm has been known to use Web pages that mimic sites such as the official Obama-Biden campaign site, news articles from popular news sites, and a legitimate SMS tool (see Figure 3 for some samples). The worm gets installed when the user clicks on the malicious link and runs the downloaded file. Sometimes, W32.Waledac also makes use of client-side vulnerabilities in an attempt to exploit the victim’s browser.
Figure 3. Samples of W32.Waledac websites
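The infection chain described above (a lure email whose link leads to a look-alike site hosting the executable) is the kind of thing a mail filter can triage before a user ever clicks. The following is an added example written for this post, not Symantec's code or anything recovered from Waledac: it extracts links from constructed sample message bodies and flags the traits the post attributes to Waledac lures (a visible link text naming one site while the href points elsewhere, a link that resolves directly to an executable, and a bare IP address as the host). The message bodies, hosts and paths are made up for illustration.

```python
"""Heuristic triage of lure emails of the kind described in the post.

Added example (not Symantec's code). All sample messages, hosts and
paths below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed sample messages, not real Waledac spam.
SAMPLES = {
    "holiday_lure": 'Watch the fireworks! '
                    '<a href="http://203.0.113.7/video.exe">fireworks video</a>',
    "news_lure": 'Breaking: '
                 '<a href="http://example.net/news/story.php">news.example.com</a>',
    "benign": 'Agenda attached. See '
              '<a href="https://example.org/agenda.html">example.org</a>',
}

ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
EXE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def extract_links(body):
    """Return (href, visible_text) pairs for every anchor in an HTML body."""
    return [(href, text.strip()) for href, text in ANCHOR_RE.findall(body)]


def link_findings(href, text):
    """Return the list of lure traits found on one link (empty if none)."""
    findings = []
    u = urlparse(href)
    host = (u.hostname or "").lower()

    # Trait 1: the site is addressed by a bare IP rather than a domain.
    if IPV4_RE.match(host):
        findings.append("ip-literal-host")

    # Trait 2: the link hands the user an executable directly.
    if u.path.lower().endswith(EXE_EXT):
        findings.append("executable-download")

    # Trait 3: the visible text looks like a hostname (e.g. a news site)
    # but the href actually goes somewhere else.
    shown = text.lower().strip().rstrip("/")
    shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
    if "." in shown_host and shown_host != host and not host.endswith("." + shown_host):
        findings.append("display-host-mismatch")

    return findings


def triage(body):
    """Map each href in the body to its findings; an empty list means nothing flagged."""
    return {href: link_findings(href, text) for href, text in extract_links(body)}


def is_suspicious(body):
    """True if any link in the body carries at least one lure trait."""
    return any(triage(body).values())


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", triage(body))
```

These are coarse heuristics, not a detection for Waledac itself: a lure can use a registered domain, a non-executable landing page and matching link text and still lead to the same binary, which is exactly why the post stresses that the sites are built to look convincing. Treat a hit as a reason to hold the message for URL reputation or sandbox analysis rather than as a verdict.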
Although Waledac is better known as a highly active spammer, it can also download and execute binaries and mine infected computers for data. It is capable of updating itself, as well as downloading additional components that support these functions.
More recently, the Waledac binary has been downloading and installing misleading security applications. These threats use fake system error messages, pornographic popups, or other scare tactics to trick a victim into paying for a license to remove the false threats.
An example of this is the rogue antivirus applications that have been downloaded and installed on systems infected by Waledac. One of them, MS AntiSpyware 2009, is shown in the screenshot below:
Figure 4. Screenshot of MS AntiSpyware 2009
W32.Waledac is also known to send spam that doesn’t contain any links to copies of itself, but instead promotes questionable products or services ranging from dubious job offers, to performance-enhancing pharmaceuticals, to online casino games (Figure 5). This leads us to believe that the author intended to use this malware for financial gain. The author either signed up as an ad affiliate for the products or services being promoted in the spam mails or they leased the botnet to parties interested in using it to spread spam.
Figure 5. Sample spam emails of W32.Waledac
Origin and Connections
Although we noticed an increase in activity in December 2008, the first variant of W32.Waledac was discovered in April 2008 and was delivered by the mechanisms that were used to deliver Trojan.Peacomm (a.k.a. Storm) worm components. This event linked the W32.Waledac worm to Trojan.Peacomm, but the nature of the relationship between the two is not known.
W32.Waledac was also associated with the W32.Downadup worm: on April 8, 2009, W32.Downadup.C received two update binaries through its peer-to-peer channel. One of these binaries was an update for W32.Downadup.C and the other was a copy of W32.Waledac. This was a significant event in the security community because it related the W32.Waledac worm to W32.Downadup, even though the nature of this relation isn’t fully understood.
Another recent development with Waledac is that it has been observed to be one of the files being downloaded and installed by Trojan.Bredolab. So not only are we contemplating Waledac’s connection to Downadup, we now have Waledac’s connection to Trojan.Bredolab to consider too.
Waledac is a widespread and effective spam bot that has been enjoying success lately. Part of this success is due to the time and effort that was put into developing it; indeed, the protocol that Waledac uses to communicate is strongly encrypted. In my next posting I will delve deeper into the technical aspects of Waledac and highlight the lengths that the authors went to in order to protect their work.
For our DeepSight customers, a Threat Analysis report is already available on our DeepSight Threat Management System portal.