
W32.Waledac.B Carrying New Year Wishes

Created: 05 Jan 2011 16:33:43 GMT • Updated: 23 Jan 2014 18:23:27 GMT • Translations available: 日本語
Suyog Sainkar

Since the close of 2010, Symantec has been observing a spam attack designed to distribute malware. At the arrival of a new year, Internet users often send best wishes to friends and family by email or through online greeting card services. The spammers have exploited this habit: the email messages in this attack appear to carry Happy New Year wishes in the form of an e-card, but in fact they distribute malicious code.

Below are some sample subject lines observed in this spam attack:

Subject: New Year Ecard Notification
Subject: Have a funfilled and blasting NewYear!
Subject: Welcome 2011!
Subject: Happy 2011 To U!
Subject: Sparkling wishes on the New Year
Subject: Happy New Year Wishes!
Subject: Have a Happy New Year!
Subject: New Year 2011 Ecard Special Delivery

The message text urges the user to click the link in the body in order to view the e-card. Once the link is clicked, supposedly to view the e-card, the user is asked to download and install an executable file named “install_flash_player.exe.” The payload hidden behind that link is W32.Waledac.B. The attacking machine was observed at 91.204.48.50:80, an address located in Ukraine.
 
Many of the URLs in the spam message body use recently created domains registered in China. Below are sample URLs observed in the spam message body (obfuscated for security reasons):

hxxp://jXXh.scypap.com/?card=24aadeXXXXX7ed649d4654
hxxp://uXXctr.bitagede.com/?card=9ee877XXXXX0dc11c5b04015038
hxxp://dXXht.leolati.com/?cardnum=7abe4aXXXXX34843690cd36de05b1
hxxp://aXXq.elberer.com/?cardnum=2c1XXXXX67

Following any of the above links while the attack is active directs the user to the attacking machine, from which the malware is downloaded. The domain names in the attacking URLs are of the form [domain].co.cc.

Although the above spam attack remained active until January 3, 2011, its volume was noticeably higher between December 29, 2010, and January 1, 2011. During the holiday season, a couple of other spam attacks were observed making the rounds on the Internet.

Some people consider a change of career in the new year, and the spammers have targeted these users as well. A spam attack offering work that could be done from home was observed recently. The message directed users to a shortened URL in the message body, which led to the details of a bogus job offer.

Pharmaceutical spam and product offer spam were observed at the beginning of the holiday season and continued throughout it. Many of these messages contained links that used URL-shortening services.

Below are some sample URLs observed in one of the recent pharmaceutical spam attacks that made use of URL-shortening services:

hxxp://2.gp/cXX8
hxxp://fon.gs/pXXX9o/
hxxp://fon.gs/lXXX1c/
hxxp://pnt.me/dXXXme
hxxp://nbx.ch/dXg
hxxp://crum.pl/1XXct
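The two URL families quoted above, the e-card lure with a long hexadecimal card or cardnum token on a freshly registered or [domain].co.cc host that serves install_flash_player.exe, and the shortener links from the pharmaceutical run, lend themselves to a simple mail-filter heuristic. The script below is an added example for this post, not code from the original article or from Symantec; the hostnames, tokens, sample messages and indicator weights are constructed for illustration, and the shortener list is taken from the hosts quoted above.

```python
import re
from urllib.parse import urlparse, parse_qs

# Shortener hosts taken from the URLs quoted in the post (constructed list for the example).
SHORTENER_HOSTS = {"2.gp", "fon.gs", "pnt.me", "nbx.ch", "crum.pl"}

# The e-card lure carried a long hexadecimal token in a "card" or "cardnum" parameter.
CARD_PARAMS = ("card", "cardnum")
HEX_TOKEN = re.compile(r"^[0-9a-f]{8,}$")

# The payload was offered as a fake Flash installer with this file name.
EXE_LURE = re.compile(r"install_flash_player\.exe$", re.IGNORECASE)

# Matches live (http) and defanged (hxxp) links in a message body.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)

# Subject fragments drawn from the quoted subject lines (lower-case for matching).
SUBJECT_HINTS = ("ecard", "e-card", "new year", "2011")

# Constructed weights: a strong indicator alone crosses the threshold, a shortener does not.
WEIGHTS = {"ecard-hex-token": 3, "exe-lure": 3, "co.cc-domain": 2, "url-shortener": 1}
THRESHOLD = 3


def classify_url(url):
    """Return the indicators (in a fixed order) that this URL shares with the lures in the post."""
    norm = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)  # undo defanging for urlparse
    parsed = urlparse(norm)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host in SHORTENER_HOSTS:
        reasons.append("url-shortener")
    if host.endswith(".co.cc"):
        reasons.append("co.cc-domain")
    query = parse_qs(parsed.query)
    if any(HEX_TOKEN.match(v.lower()) for p in CARD_PARAMS for v in query.get(p, [])):
        reasons.append("ecard-hex-token")
    if EXE_LURE.search(parsed.path):
        reasons.append("exe-lure")
    return reasons


def scan_message(subject, body):
    """Map each suspicious URL in the body to its indicators; also report subject hints."""
    low = subject.lower()
    hits = {"subject-hints": [h for h in SUBJECT_HINTS if h in low], "urls": {}}
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")  # drop sentence punctuation glued to the link
        reasons = classify_url(url)
        if reasons:
            hits["urls"][url] = reasons
    return hits


def score_message(subject, body):
    """Sum indicator weights over all URLs, plus one point for a seasonal subject."""
    hits = scan_message(subject, body)
    score = sum(WEIGHTS[r] for reasons in hits["urls"].values() for r in reasons)
    if hits["subject-hints"] and hits["urls"]:
        score += 1  # the subject theme only counts when a suspicious link is present
    return score


def is_suspicious(subject, body):
    return score_message(subject, body) >= THRESHOLD


# Constructed sample messages (hostnames and tokens are invented for the example).
SAMPLES = [
    ("New Year Ecard Notification",
     "You have received a New Year e-card. View it here: "
     "hxxp://jxxh.example-ecard.com/?card=24aade00000000007ed649d4654."),
    ("Happy 2011 To U!",
     "To view your card, download the viewer: hxxp://cards.example.co.cc/install_flash_player.exe"),
    ("Special offer",
     "Great prices this week: hxxp://fon.gs/pxxx9o/"),
    ("Team lunch Friday",
     "Agenda is at http://intranet.example.com/lunch?room=12"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        verdict = "SUSPICIOUS" if is_suspicious(subject, body) else "ok"
        print(f"{score_message(subject, body):>2}  {verdict}  {subject}")
```

The weighting is the point worth noting: a shortener link by itself is a weak signal, since legitimate mail uses the same services, so it only contributes one point and the third sample scores below the threshold. The hexadecimal card token and the executable download are the specific features of this campaign and are weighted so that either one flags the message on its own.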

A spam attack in German offering fake pharmaceutical products was reported in one of our previous blog posts. This attack was adapted for the new year holiday season. The German subject line of one such message translates (via Google Translate) as follows:

Subject: Potent into the New Year 2011

Symantec customers can be assured that Symantec’s mail security products (powered by Brightmail technology) block these and other types of spam email attacks.

From all of us at Symantec, here’s wishing you a very happy and secure new year 2011!

-----------------

Note: My thanks to Suji S. and Anand Muralidharan for the spam samples contributed for analysis in this blog.