Thursday, July 9, 2009

Waledac/Storm. Past and present a threat

At the beginning of 2007, a piece of malicious code emerged from the shadows and became a major news item because of its peculiar deception strategies and a large-scale global infection campaign that is still a subject of research for the security community.

This is Storm, also known as Nuwar or Zhelatin depending on the name assigned by each antivirus vendor, although it is popularly known as "storm", perhaps alluding to the way it swept through systems, turning them into zombies recruited under the command of its botnet.

At present, the threat posed by Storm has not been set aside but has been transferred to its twin brother, Waledac, which keeps the essential trait of trying to innovate in the pretexts it needs in order to spread, and which has recently reawakened after a period of hibernation.

Some features of this threat are:
  • It spreads through unsolicited e-mail (spam)
  • It uses a different deception strategy (social engineering) for each propagation campaign
  • A link embedded in the message body leads to a site from which the malware is downloaded
  • Infected computers become part of a botnet
  • The infection cycle is completed by sending more spam from those machines
  • Fast-Flux networks
  • Polymorphic capabilities at the server level

During practically all of 2007, Storm (whose first appearances used, as a deception strategy, the promise of a video about a storm that had struck Europe) spread by e-mail with varied subjects and topics enticing the user to click a link embedded in the message body. In some cases the link led to a web page (some of these pages also tried to spread Storm by exploiting vulnerabilities through iframe tags), in others directly to the download of a binary; in both cases the result was a Storm infection.

By the following year (2008), Storm added a "surprise effect": the link in the e-mail led to a web page that backed up the pretext given in the message with an image alluding to the same theme, which, as in 2007, rotated with each major event (Valentine's Day, US Independence Day, Christmas, etc.). In addition, some variants spread through blogs.

After several months without propagation activity, Waledac appeared in January of this year: a trojan that uses the same mechanisms as Storm, and many security professionals began to notice the similarity between the two.

After several investigations, it can be said that Waledac is, so to speak, Storm's twin brother. It uses the same social engineering methodologies, with a broad portfolio of images and themes as pretexts to capture users' attention: from the typical "love" images for the month of Valentine's Day, through alleged terrorist attacks, among others, to the recent pretext of a YouTube video.

There are, among others, two very interesting features shared by Waledac and Storm: the use of Fast-Flux networks and polymorphic capabilities on the server side.

The first of these allows the threat to spread from many different IP addresses and under different domain names that constantly rotate among themselves through name resolution. The effect is that, after a preconfigured time to live (TTL), or every x hops between nodes (infected computers) behind the same domain, a different build of the malware is downloaded.

This leads to the second feature: polymorphism. Each time the TTL set for the package (the malware) expires, a different version of the malicious code is downloaded, so the binary "changes" at intervals (also predetermined by the attacker), which gives it its polymorphic capacity.
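The two signals just described, short TTLs and constant rotation of the addresses behind one name, are also what a defender can measure from the resolver side. The following is an added example, not code from the original post: a small heuristic that scores a name's DNS resolution history for fast-flux behaviour. The histories, names (`flux-example.invalid`, `static-example.invalid`), addresses (documentation ranges) and the thresholds are all constructed assumptions for illustration.

```python
"""Heuristic fast-flux scoring of a name's DNS resolution history.

Added example for this post (not code from the original article). The
resolution history below is constructed; the names and addresses are
placeholders from the documentation ranges, not real indicators.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Resolution:
    """One DNS A-record answer set for a name, as a resolver would observe it."""
    name: str
    seen_at: int          # seconds since epoch (constructed values)
    ttl: int              # TTL returned with the A records
    addresses: List[str]  # IPv4 addresses in the answer section


def slash16(ip: str) -> str:
    """Reduce an IPv4 address to its /16 prefix as a crude network-diversity proxy."""
    first, second, _, _ = ip.split(".")
    return f"{first}.{second}.0.0/16"


def fast_flux_score(history: List[Resolution]) -> Dict[str, object]:
    """Summarise the signals the post describes for one name.

    Short TTLs make each answer expire quickly; a large pool of distinct
    addresses and high churn between successive answers show the rotation;
    addresses spread across many networks point to infected end-user
    machines rather than one hosting block.
    """
    if not history:
        raise ValueError("need at least one resolution")
    ordered = sorted(history, key=lambda r: r.seen_at)
    pool = Counter(ip for r in ordered for ip in r.addresses)
    avg_ttl = sum(r.ttl for r in ordered) / len(ordered)

    # Churn: share of addresses in each answer that were absent from the previous answer.
    churn_samples = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.addresses:
            fresh = set(cur.addresses) - set(prev.addresses)
            churn_samples.append(len(fresh) / len(cur.addresses))
    churn = sum(churn_samples) / len(churn_samples) if churn_samples else 0.0

    networks = len({slash16(ip) for ip in pool})
    # Thresholds are illustrative assumptions, not values taken from the post.
    suspected = avg_ttl <= 300 and len(pool) >= 5 and churn >= 0.5 and networks >= 3
    return {
        "name": ordered[0].name,
        "distinct_ips": len(pool),
        "avg_ttl": avg_ttl,
        "churn": churn,
        "networks": networks,
        "suspected_fast_flux": suspected,
    }


# Constructed histories: one name behaving like a fast-flux front, one static site.
SAMPLE_HISTORY: Dict[str, List[Resolution]] = {
    "flux-example.invalid": [
        Resolution("flux-example.invalid", 0, 60, ["203.0.113.10", "198.51.100.20", "192.0.2.30"]),
        Resolution("flux-example.invalid", 60, 60, ["203.0.113.10", "198.51.100.77", "192.0.2.88"]),
        Resolution("flux-example.invalid", 120, 60, ["203.0.113.41", "198.51.100.77", "192.0.2.150"]),
        Resolution("flux-example.invalid", 180, 60, ["203.0.113.41", "198.51.100.201", "192.0.2.7"]),
        Resolution("flux-example.invalid", 240, 60, ["203.0.113.99", "198.51.100.9", "192.0.2.7"]),
    ],
    "static-example.invalid": [
        Resolution("static-example.invalid", 0, 3600, ["192.0.2.10", "192.0.2.11"]),
        Resolution("static-example.invalid", 3600, 3600, ["192.0.2.10", "192.0.2.11"]),
        Resolution("static-example.invalid", 7200, 3600, ["192.0.2.10", "192.0.2.11"]),
    ],
}


def score_all(histories: Dict[str, List[Resolution]] = SAMPLE_HISTORY) -> Dict[str, Dict[str, object]]:
    """Score every name in the given histories and return the results keyed by name."""
    return {name: fast_flux_score(hist) for name, hist in histories.items()}


if __name__ == "__main__":
    for name, result in score_all().items():
        flag = "SUSPECTED FAST-FLUX" if result["suspected_fast_flux"] else "looks static"
        print(f"{name}: {result['distinct_ips']} IPs, avg TTL {result['avg_ttl']:.0f}s, "
              f"churn {result['churn']:.2f}, {result['networks']} networks -> {flag}")
```

Run against the constructed histories, the flux name shows 11 distinct addresses across 3 networks with a 60-second TTL and two thirds of each answer replaced on every refresh, while the static name never changes. In practice the same scoring can be fed from passive DNS data, and the /16 proxy would be replaced by ASN lookups; the thresholds should be tuned against the CDN traffic seen in one's own environment, since legitimate CDNs also use low TTLs, though usually with far less churn and within a few hosting networks.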

The diagram below shows, over time, the deception strategies the threat has used.

Each of the zombies that form part of the botnet created by Waledac focuses its efforts on sending spam. In this regard, a very interesting excerpt from a report states that Waledac has the capacity to send about 150,000 spam e-mails per day.

So, knowing that Storm/Waledac run campaigns with very high rates of propagation and infection on a global scale, it is clear that their creators continue their criminal operations for financial gain, which is nothing new in today's malware.

Related Information
Massive propagation/infection campaign launched by Waledac using US Independence Day as a pretext
BlackHat SEO strategy employed by Waledac
Waledac. Detailed tracking of a latent threat
More Waledac in action: can you guess how much I love you (earn)?
Waledac more loving than ever
Waledac and social engineering on Valentine's Day

Jorge Mieres

Anonymous said...

I think you mean a Waledac host can send 150,000 emails a day. The botnet itself can send many more than that...

Jorge Mieres said...

Hi! Indeed, it is the equivalent of sending 150,000 per day from a single zombie, not the complete Waledac botnet :-)