Thursday, February 12, 2009

Waledac, Social Engineering and Valentine's Day

Malware routinely uses current events, news and special occasions as a pretext to spread itself or other malicious code, and junk e-mail is one of the most commonly used attack vectors for this purpose.

Our own mailboxes illustrate the situation. Valentine's Day is one such occasion, and if we look at the spam that floods in, we see that many messages make some reference to the approaching celebration.

In fact, Waledac began its campaign well in advance, using as a lure the typical image alluding to love through which the victim downloads a binary called love.exe that, far from being loving, turns the computer into a zombie.

As a bonus, earlier this year the page, in addition to offering the malware for download, also hosted a malicious exploit. Among the domains involved were:

googol-analisys .com
seocom .name
seocom .mobi
seofon .net
goog-analysis .com

Recently, however, its developers have switched to another image that aims for the same degree of "tenderness" in order to get Waledac downloaded.

Some of the names used for the binary:

lovekit.exe
mylove.exe
loveprogramm.exe
love.exe
loveexe.exe
barack.exe
postcard.exe
devkit.exe
runme.exe
you.exe
onlyyou.exe
youandme.exe
card.exe
ecard.exe
val.exe
install.exe


Waledac uses Fast-Flux networks, and some of the domains used to propagate it are:

adorelyric .com
adorepoem .com
adoresongs .com
alldatanow .com
alldataworld .com
bestadore .com
bestlovehelp .com
bestlovelong .com
cantlosedata .com
chatloveonline .com
cherishletter .com
cherishpoems .com
freedoconline .com
funloveonline .com
goodnewsdigital .com
losenowfast .com
lovecentralonline .com
lovelifeportal .com
mingwater .com
orldlovelife .com
romanticsloving .com
superobamaonline .com
theworldpool .com
topwale .com
wagerpond .com
whocherish .com
worldlovelife .com
worldtracknews .com
worshiplove .com
youradore .com
yourdatabank .com
yourgreatlove .com
yourteamdoc .com
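Fast-Flux is what makes such a domain list hard to act on: the names resolve to a large, constantly rotating pool of infected hosts behind very short TTLs, so blocking today's IPs achieves little. The following is an added example, not code from the original post, showing the usual heuristic for spotting that behaviour from repeated DNS lookups (the approach described by Holz et al. for detecting fast-flux service networks): count the distinct IPs and distinct networks seen over time and look at the TTL. The lookups embedded below are constructed (RFC 5737 and RFC 6598 test addresses), the thresholds are assumptions rather than values taken from Waledac, and the /16 prefix is used as an offline stand-in for a real ASN lookup.

```python
"""Heuristic fast-flux detector over constructed DNS A-record observations.

Added example, not the original post's code. A fast-flux service network
answers with a low TTL and a large, changing set of addresses spread over
many unrelated networks; a normal site answers with a long TTL and a
small, stable set. Thresholds below are assumptions for illustration.
"""
from collections import namedtuple
from ipaddress import ip_address

# One observation of "domain" resolving to "addresses" with the given TTL.
Lookup = namedtuple("Lookup", "domain ttl addresses")


def network_prefix(addr, bits=16):
    """Return the /bits prefix of an IPv4 address as an int.

    Used as an offline proxy for "belongs to a different network"; a real
    deployment would map each address to its ASN instead (assumption).
    """
    return int(ip_address(addr)) >> (32 - bits)


def flux_score(lookups, ttl_max=300, min_ips=5, min_nets=3):
    """Score a series of lookups for one domain.

    Returns a dict with the number of unique IPs, unique networks, how
    often the answer set changed between consecutive lookups, the average
    TTL, and a final fast_flux verdict. Thresholds are assumptions.
    """
    ips, nets, ttls = set(), set(), []
    changes, prev = 0, None
    for lk in lookups:
        cur = frozenset(lk.addresses)        # order of A records is irrelevant
        if prev is not None and cur != prev:
            changes += 1
        prev = cur
        ips.update(cur)
        nets.update(network_prefix(a) for a in cur)
        ttls.append(lk.ttl)
    avg_ttl = sum(ttls) / len(ttls) if ttls else 0.0
    verdict = len(ips) >= min_ips and len(nets) >= min_nets and avg_ttl <= ttl_max
    return {
        "unique_ips": len(ips),
        "unique_nets": len(nets),
        "changes": changes,
        "avg_ttl": avg_ttl,
        "fast_flux": verdict,
    }


# Constructed observations: a flux-like domain (name taken from the list
# above, addresses invented) and a stable one for comparison.
FLUX_LOOKUPS = [
    Lookup("worldlovelife.com", 30, ["192.0.2.10", "198.51.100.7", "203.0.113.44"]),
    Lookup("worldlovelife.com", 30, ["192.0.2.55", "198.51.100.91", "100.64.3.2"]),
    Lookup("worldlovelife.com", 30, ["203.0.113.9", "100.64.8.17", "198.51.100.7"]),
]
BENIGN_LOOKUPS = [
    Lookup("example.com", 3600, ["192.0.2.1", "192.0.2.2"]),
    Lookup("example.com", 3600, ["192.0.2.1", "192.0.2.2"]),
    Lookup("example.com", 3600, ["192.0.2.2", "192.0.2.1"]),
]


def flagged_domains(lookups):
    """Group lookups by domain and return the names that score as fast-flux."""
    by_domain = {}
    for lk in lookups:
        by_domain.setdefault(lk.domain, []).append(lk)
    return sorted(d for d, lks in by_domain.items() if flux_score(lks)["fast_flux"])


if __name__ == "__main__":
    for name, series in (("flux", FLUX_LOOKUPS), ("benign", BENIGN_LOOKUPS)):
        print(name, flux_score(series))
    print("flagged:", flagged_domains(FLUX_LOOKUPS + BENIGN_LOOKUPS))
```

Run the same function over the real lookups of a suspect domain collected every TTL interval for an hour or two; the change count and the network spread are what separate a flux network from a large but legitimate CDN, which also uses low TTLs but answers from a few predictable networks.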


Many compare it to other malicious code such as Nuwar (also known as Storm or the Storm Worm) because of the similarity of their propagation strategies and of the malicious activity they carry out on the infected computer. Whatever the relationship, Waledac is a dangerous piece of malicious code that has built one of the largest botnets of the moment.

Related information:
Understanding Fast-Flux networks
Danmec Bot, Fast-Flux networks and recruitment of zombie PCs


# Jorge Mieres
