
07-04-2009 15:13

WALEDAC celebrates Independence Day, too

Holidays are almost always the target of significant spam and malware attacks, and this Fourth of July is turning out to be little different. A new WALEDAC variant, detected as WORM_WALEDAC.DU, has been sending out Independence Day spam messages. (In fact, last year there were multiple Fourth of July attacks, one of which involved the Storm botnet.)

These messages contain links to a site made to look like YouTube:


Figure 1: The website with the supposed video

The video supposedly shows a fabulous fireworks display, but attempting to play it actually downloads a copy of WORM_WALEDAC.DU. This particular technique has been used many, many times before, but it is still quite effective.
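A triage check for this kind of lure, as an added example that is not part of the original Trend Micro post: given what the "play" link actually returns, it flags a lookalike YouTube host, a download whose body starts with the PE "MZ" header, an executable (or double) file extension in Content-Disposition, and a Content-Type that contradicts the promised video. The HTTP responses below are constructed inline so the script runs offline; the field names and the list of legitimate hosts are assumptions made for the example.

```python
"""
Triage helper for "fake video page" lures: the page looks like YouTube, but
pressing play hands the browser an executable instead of a video.

Added example, not Trend Micro code. Responses are constructed inline
(no network access); field names and host lists are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Hosts a genuine YouTube video page would be served from (assumption).
LEGIT_VIDEO_HOSTS = {"youtube.com", "www.youtube.com", "youtu.be"}

# Extensions Windows will run when the user double-clicks the download.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Content-Types that announce a Windows executable outright.
EXECUTABLE_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


@dataclass
class Response:
    url: str
    content_type: str
    content_disposition: str  # "" when the header is absent
    body_prefix: bytes        # first few bytes of the response body


def filename_from_disposition(header: str) -> str:
    """Pull the filename out of a Content-Disposition header, quoted or not."""
    m = re.search(r'filename\*?=(?:"([^"]+)"|([^;]+))', header, re.IGNORECASE)
    if not m:
        return ""
    return (m.group(1) or m.group(2)).strip()


def is_lookalike_host(url: str) -> bool:
    """True when the host name trades on 'youtube' but is not a YouTube domain."""
    host = (urlsplit(url).hostname or "").lower()
    return "youtube" in host and host not in LEGIT_VIDEO_HOSTS


def triage(resp: Response) -> List[str]:
    """Return the reasons a supposed video link looks like a malware drop."""
    reasons: List[str] = []
    if is_lookalike_host(resp.url):
        reasons.append("lookalike host")
    is_pe = resp.body_prefix.startswith(b"MZ")
    if is_pe:
        reasons.append("body is a PE executable (MZ header)")
    name = filename_from_disposition(resp.content_disposition).lower()
    if name.endswith(EXECUTABLE_EXTS):
        reasons.append(f"download named {name!r}")
        if name.count(".") > 1:  # e.g. fireworks.avi.exe
            reasons.append("double extension")
    ctype = resp.content_type.split(";")[0].strip().lower()
    if ctype in EXECUTABLE_CONTENT_TYPES:
        reasons.append(f"content-type {ctype}")
    elif ctype.startswith("video/") and is_pe:
        reasons.append("content-type claims video but body is executable")
    return reasons


# Constructed sample responses (not real captures).
SAMPLES = [
    Response("http://www.youtube.com/watch?v=abc123", "text/html", "", b"<!DOCTYPE"),
    Response("http://youtube.example-video.net/video.exe", "application/x-msdownload",
             'attachment; filename="fireworks_show.avi.exe"', b"MZ\x90\x00"),
    Response("http://cdn.example.net/clip.mp4", "video/mp4", "", b"\x00\x00\x00\x18ftyp"),
]


def summarize(samples: List[Response]) -> dict:
    """Map each URL to its triage reasons (empty list == nothing suspicious)."""
    return {s.url: triage(s) for s in samples}


if __name__ == "__main__":
    for url, reasons in summarize(SAMPLES).items():
        print(url, "->", reasons or "clean")
```

Only the second sample trips the checks, and it trips several at once; in practice one of these signals (especially an MZ body behind a "video" link) is enough to block the URL at the gateway.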

Fortunately, however, the malicious file is already detected by the Trend Micro Smart Protection Network, so users don’t need to worry about this threat.

Post from: TrendLabs | Malware Blog - by Trend Micro




Related entries:

08-12-2010 15:10

WALEDAC Still Spreading via Malicious Attachments

Back in February, the infamous WALEDAC botnet was shut down with the takedown of its command-and-control (C&C) servers. However, in recent weeks, it seems to be making a comeback of sorts.

In the past few weeks, there has been something of an increase in the number of spammed messages delivering malicious attachments to users. One of the earlier variants we have seen poses as an annual “Social Security” statement.

Other hooks included résumés and job offers, weddings, and even a puzzle.

Malicious attachments are a very popular method of spreading malware via email, and many of the recent attacks we have seen use almost identical payloads. The attachment is one of two things: either a FAKEAV variant such as TROJ_FRAUDLO.LO, TROJ_FAKEAV.SGN, or TROJ_FAKEAV.FGZ, or a downloader that in turn fetches FAKEAV and BREDOLAB variants.

Some of these downloaders, however, are part of the WALEDAC family. For example, the downloader associated with the Social Security spam attack is TROJ_WALEDAC.AIR, which in turn downloads TROJ_FAKEAV.ZZS and TROJ_BREDOLAB.WV.

This may be a surprise to some readers, as it was reported back in February that the WALEDAC botnet had been taken down. It should be noted, however, that what was taken down was only WALEDAC's sophisticated C&C mechanism, not the code itself. Multiple parties are involved in many cybercriminal attacks: one party may have written the code, a second spreads the malware and controls the C&C server, and a third uses the botnet to carry out spam campaigns using an email list supplied by a fourth group. It is likely that in this case WALEDAC code, whether new, old, or repurposed, was reused to serve as a malware downloader.

With this in mind, it’s easy to see how WALEDAC is making a comeback of sorts even if its main C&C servers have been removed from the picture. Even if you can deal with one aspect of a threat, others can still cause problems down the road.

Trend Micro detects these emerging BREDOLAB, FAKEAV, and WALEDAC variants using the detection names mentioned above. In addition, the spam described above is already being blocked by Trend Micro products with the aid of the Smart Protection Network™. A white paper looking at the behavior of the original WALEDAC botnet may also be found here.

Post from: TrendLabs | Malware Blog - by Trend Micro


07-30-2010 19:45

Microsoft LNK vulnerability fix coming on Monday, (Fri, Jul 30th)

Microsoft is planning to release an out-of-band patch addressing the Windows shortcut (LNK) vulnerability covered in Microsoft Security Advisory 2286198. The patch is scheduled for release on Monday, August 2nd, at 10am PDT.
As confirmed by Microsoft, a number of malware families have started incorporating the vulnerability in their exploit repertoire, which is why the fix is not waiting for the regular Patch Tuesday cycle. For more details, see the Microsoft TechNet blog post [1].

[1] http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
