Symantec Blogs: Security Response

Gilou Tenebro | August 24th, 2009

In my previous post, I covered Waledac’s bootstrap mechanisms, armoring methods, and some parts of its communication protocol. Today, I will continue to discuss its communication protocol and how it implements its main functionalities through command-and-control (C&C) messages. I will describe its various tasks and commands, how it downloads components or updates, how it constructs its spam, and lastly how it acts as an infostealer.


Types of task messages

As I mentioned last time, W32.Waledac currently uses nine types of task messages. These messages are mainly used by the malware to distribute spam templates or word lists for its spam campaigns, to send reports,...

Gilou Tenebro | July 20th, 2009

A few weeks ago, while most people were busy preparing for 4th of July celebrations and looking forward to a long weekend, W32.Waledac launched a new spam campaign. The links in the spam emails led to a website claiming to contain a fireworks video. We have previously seen this malware use popular holidays such as Christmas and Valentine’s Day, so it is not really surprising that it would use Independence Day as well. A screenshot of the 4th of July Waledac website is shown below:


Figure 1. Screenshot of W32.Waledac's 4th of July website

In this blog post I will give an overview of...

Gilou Tenebro | July 3rd, 2009

W32.Waledac has launched a new spam campaign using a 4th of July theme. Below are some screenshots of sample spam emails with the new theme.


If the unsuspecting user clicks the link in the email, they will be directed to a Web page similar to the following:


The page claims to contain a video of a fireworks show for this year’s 4th of July celebration. However, clicking on the "video" actually leads to a W32.Waledac executable. Watch out for spam containing any of the following strings...