In the February 25th edition of this Blog, Watch Out For Coupon Offers, we described how the Waledac malware family was being distributed in spam pretending to be from "The Couponizer". One of the unique additions to that campaign was that the criminal was using a GeoLocation service on his website to customize the website to reflect the location of your computer.
So, in my location, the headline reads "Powerful explosion burst in Birmingham this morning.", but that is because the criminal has resolved my originating IP and determined I was in Birmingham, Alabama.
In today's version of the Waledac spam, we see the same brief emails which were used in the Valentine's Day and Couponizer Waledac campaigns. A small phrase as the subject line, such as:
Haven't you been there?
I hope you are in good health
What a tragedy!
Take care about yourself!
and another small phrase in the body, such as:
Are you and your friends ok?
How do you feel?
I worry about you
We worry about you
followed by a link to a website, ending in "main.php" or "run.php" or "contact.php", or with no filename at all - just the path.
Clicking on the video controls will prompt for the download of an executable - "news.exe" in my case, which would join your computer to the spamming botnet.
VirusTotal gave a 7 of 39 detection rate for this malware.
click here for VirusTotal Report.
For whatever reason it seems that NOBODY is shutting down the Waledac domains. We reviewed 57 recent and current Waledac domains, and found that only six of them were not currently resolving.
Here is the list of domains associated with Waledac:
You can clearly see that some are "News", some "Coupon", and some "Valentine" related, but they are almost all still active and still infecting people's computers in an attempt to regrow the Waledac spamming botnet.
The domain names use only four different identities in their WHOIS data:
email@example.com (Yan Shi Ying)
firstname.lastname@example.org (Zhao Jun Hua)
email@example.com (LiPaul Kunshan Yunshu Gongsi)
firstname.lastname@example.org (Zhang Min)
We don't know the size of the Waledac spamming botnet right now, but we were able to quickly make a list of more than 1,200 machines which are currently "hosting" the webservers used by the malware. I've made a file available of 1,235 IP addresses currently hosting Waledac web proxy servers, but that is only a tiny sample of the overall population. Domain owners will find the IP addresses sorted by Country Code, then ASN/Organization, and then IP. Country codes of the bots include:
AR, AU, BA, BE, BG, BR, BS, BY, CA, CH, CI, CL, CN, CO, CS, CZ, DE, DK,
EE, ES, EU, FI, FR, GB, GE, HK, HU, IE, IL, IN, IR, IT, JP, KR, KZ, LT,
LV, MA, MD, MK, MY, NL, NO, PH, PL, PT, RO, RS, RU, SE, SI, SK, TH, TN,
TR, UA, US, UY, VN, and ZA.
(Quiz yourself - How many of those country codes do you know?
Need to cheat? - list of country codes)
The distribution of infected machines in my little snapshot is quite diverse. More than 300 networks from 60 different countries, with no network having more than 60 of the 1,235 machines on my list.
The top networks in my unscientific snapshot were:
59 machines - ComCast ASN 7922 (USA)
58 machines - Proxad ASN 12322 (France)
54 machines - Rogers Cable ASN 812 (Canada)
52 machines - AT&T ASN 7132 (USA)
51 machines - NTL Group ASN 5089 (Great Britain)
44 machines - Shaw Communications ASN 6327 (Canada)
34 machines - Charter Communications ASN 20115 (USA)
27 machines - ComCast ASN 33491 (USA)
26 machines - Road Runner ASN 11427 (USA)
20 machines - ComCast ASN 33278 (USA)
The full list is available as an Excel spreadsheet or as a CSV file.