Malware uses current events, news or special occasions as a method of deception to spread itself or other malicious code, and junk e-mail is one of the most commonly used attack vectors for this purpose.
Our mailboxes illustrate this situation. Valentine's Day (or Lovers' Day) is one such occasion, and if we look a little at the spam that inundates us, we see that much of it makes some reference to the approaching celebration.
In fact, Waledac has begun its spreading campaign well ahead of the date, using as its lure a typical image alluding to love, through which a binary called love.exe is downloaded that, far from being loving, turns your computer into a zombie.
In addition, earlier this year, besides downloading the malware, the pages contained a malicious exploit. Among them were:
googol-analisys .com seocom .name seocom .mobi seofon .net goog-analysis .com
Recently, however, its developers have migrated to another image that seeks the same degree of "tenderness" to get Waledac downloaded.
Some of the names used for the binary:
lovekit.exe
mylove.exe
loveprogramm.exe
love.exe
loveexe.exe
barack.exe
postcard.exe
devkit.exe
runme.exe
you.exe
onlyyou.exe
youandme.exe
card.exe
ecard.exe
val.exe
install.exe
Waledac uses Fast-Flux networks, and a number of domains are used to propagate it.
Many compare it to other malicious code such as Nuwar (also known as Storm or the Storm worm) because of the similarity of their dissemination strategies and of the malicious activities performed on the infected computer. However, the reality is that Waledac is a dangerous piece of malicious code and has been one of the largest botnets of the time.
Related information:
Understanding Fast-Flux networks
Danmec Bot, Fast-Flux networks and the recruitment of zombie PCs
# Jorge Mieres