Wednesday, April 29, 2009

Waledac Moving on to . . . Canadian Pharmacy?

After monitoring the Waledac "infection domains" for more than a month, our last "interesting" event was the change in Look & Feel to the SMS Spy Program, which we wrote about on April 15th. In that blog article we mentioned that basically ALL of the domains used by Waledac, through the Valentine's Day campaign, the Couponizer campaign, the Terror Alert campaign, and the SMS Spy campaign, were still alive!

Here's the newest change. ALL of the Waledac infection domains have now morphed into pill sites, and MANY of the older Waledac domains have finally been terminated.

Here's where we stand with live FORMER Waledac domains. Many domains from the "Terror Alert" and "SMS Spy" campaigns are now forwarding, on a random basis, to domains hosting either Canadian Pharmacy or Canadian Health & Care Mall.

Of the Waledac domains that we were tracking, the following are now live forwarding domains:

"Canadian Health & Care mall" at
"Canadian Health & Care Mall" at
"Canadian Health & Care mall" at

"Canadian Pharmacy" at
"Canadian Pharmacy" at
"Canadian Pharmacy" at
"Canadian Pharmacy" at

The following Waledac domains now appear to be terminated:

Tuesday, April 21, 2009

President Obama's CTO: Aneesh Chopra

Like so many others who were playing the guessing game regarding President Obama's new CTO, I was wrong. I take comfort in failing along with BusinessWeek, ZDNet, Forbes, TheStreet, The Wall Street Journal and others to guess who would fill the office.

We might have taken a hint from one of President Obama's recent speeches to Congress, where he said:

"Our recovery plan will invest in electronic health records and new technology that will reduce errors, bring down costs, ensure privacy, and save lives."
-- (Transcript 24FEB09

Aneesh Chopra's bio on his Virginia website points out that he chairs the "Solutions Committee of the IT Investment Board, the Effectiveness and Efficiency Committee on the Council on Virginia's Future, and co-chairs the Healthcare IT Council". He was awarded the Healthcare Information and Management Systems Society's 2007 State Leadership Advocacy Award, and was named one of Government Technology magazine's top 25 "Doers, Dreamers, and Drivers".

In 2006, ExecutiveBiz interviewed Mr. Chopra on his new position as Secretary of Technology for the Commonwealth of Virginia. His answer to the question "What is your background?" lines up well with President Obama's vision for secure electronic healthcare records:

ExecutiveBiz: What is your background?

Aneesh Chopra: Professionally, I am a managing director at a think tank with a focus for the health care industry, but a big portion of my professional background has been studying ways that technology can fundamentally transform the healthcare industry in particular. Also, I internally helped launch the Advisory Board's first software-based membership business. So not only have I been researching technology and how I can benefit the healthcare industry, I have been business development wise active in the use of technology to grow our own business.

It was clear from his work in the job though that Health Care was not his only focus. Here were some answers regarding educational technology, another area on which the Secretary turned his attention while in office in Virginia, from one of the 46 Podcasts his office put out during his time there: (03/25/09 - Secretary Chopra discusses technology in the classroom --

We have an innovation imperative in the Commonwealth, and frankly for the country, and it requires us to think anew about how we produce students who are globally competitive. There are three basic questions we have to ask:
What are we actually teaching our kids?
How are we teaching our kids?
What are the tools with which we can allow the sharing of ideas and the process of learning how to teach our kids?
In each of these areas there is a place for technology to play a role, in some cases a direct role, and in other cases more of an indirect role.

In his 2007 Accomplishments podcast (January 9, 2008) he stressed three Public/Private Partnerships, including:

a Google partnership to produce Google SiteMaps of 55 government websites, mapping more than 200,000 state webpages to increase their ability

Microsoft Virtual Earth helped create Campus Safety maps to help identify resources and plans for various emergencies on campus as a reaction to school shootings.

Cox and Comcast Cable began offering "GED On Demand" for free to more than 1 million broadband subscribers in Virginia.

1 of 3 new jobs created in Virginia came from high-tech jobs, and 30% of all wage-earners in Virginia received their pay from a technology related job.

5 innovators in HealthCare IT, 3 of which provided an 8-fold return on the investment. The Virginia HealthCare Exchange Network was created as part of the initiative.

Many other initiatives were described, making this podcast well worth listening to in order to learn more about how our nation's new CTO thinks about Technology. Many of these initiatives were grant-generated, by placing challenges into the community and asking for innovators who have solutions to step forward to address government productivity, broadband, and government IT.

To summarize what I see about Aneesh Chopra - he's proven that he knows how to solicit ideas from innovators, shape them into actual solutions, and roll them out as successful products. He did it in the business world, he did it in his HealthCare IT think tank, and he did it for the State of Virginia. I look forward to seeing what he can do for our nation.

I'm especially interested to see what types of reforms a technology thinker can bring to our Criminal Justice systems! At UAB Computer Forensics our partnership between Computer Science and Justice Science is based on the concept that when Computer Scientists are presented with Criminal Justice problems, good technology things can happen. Hopefully this will be one of our new CTO's priority areas as well.

Wednesday, April 15, 2009

Waledac shifts to SMS Spy program

We've known that Waledac spreads itself via Social Engineering - convincing users that they WANT to download a program. Recently we've seen Waledac acting as a Valentine's Day E-Card, a Couponizer program, and a Fake News Story about a Dirty Bomb.

Today the UAB Spam Data Mine began to get spam messages for a new Social Engineering trick. Here are some of the email subjects we're seeing:

Read his SMS
The world's most advanced sms reading program
Now, It's possible to read other people's SMS
Read other people's SMS online
You can read anyone's SMS

The email bodies point to the websites with lines like these:

Do you trust her?
You can read anyone's SMS
Do you really trust her?
Do you really trust him?
Are you ready to know the truth?
Are you sure you want to know?

The webpage you visit looks like this:

The malware which you can download from the page is recognized by 13 of the 39 Anti-Virus products tested according to this VirusTotal Report.

File size: 419840 bytes
MD5...: 8623f18666be9d480710b29eab3b796a

The root problem with Waledac's long-lived domains is that they use a Chinese domain name registrar who won't cooperate with anyone on shutdowns. We have sent shutdown requests to their abuse contact, in both English and Chinese, and have received no cooperation whatsoever. If you have good contact information for "", we really could use an introduction, thank you! No one answers their "" email address, but perhaps a Chinese speaker might call them at +86.5922669769 ? ? ?

The complete list of NEW domain names created for this round of Waledac are:

But a great number of the previous domains are also still live, and still serving Waledac, including:

If you have a contact there, these ALL need to be killed, thank you! They are all now distributing the new "SMS Spy" version of Waledac.

Monday, April 13, 2009

New Drug sites avoid Visa and MasterCard, Sell Hydrocodone

Those who research Pharmaceutical spam have learned that there are basically two major classes of drugs: those which the Feds care about stopping (Controlled Substances monitored by the DEA) and those the Feds are happy to ignore, which they dismissively call "Lifestyle Drugs".

It's quite frustrating in light of the fact that, as Microsoft pointed out recently in their semi-annual report on Internet safety, 97% of the email on the Internet is spam, and HALF of that spam is pharmaceutical spam. The decision that it's not worth investigating lifestyle drugs (by which they mean Viagra, Cialis, and other sexual-experience related drugs) as vigorously as we investigate "Controlled Substances" has led to our current status on the Internet: a world flooded with absolutely uncontrolled drug spam.

Nevertheless, knowing that there is a two-tiered system of investigation related to pharmaceutical spam, we've all learned that the way to get action is to point out sites that are selling things that are on the Class I, Class II, Class III, or Class IV Controlled Substance List.

Side Note - if you are looking for a Computer Forensics Research program interested in making an impact on pharmaceutical spam, one that has as partners in its "Computer Science/Justice Science Working Group" forensic criminologists with their own Gas Chromatography Mass Spectrometer (GC/MS), and faculty and grad students trained in its use, please look no further than the University of Alabama at Birmingham.

That's one of the two reasons why this new spam cluster is especially interesting to me. We have more than 1,450 spam emails in the UAB Spam Data Mine during March and another 1,069 so far during April that contain the word "Hydrocodone" in either the body or the subject. The subject line in today's case actually says "Hydrocodone For You", and pointed to a pharmacy site here:

which leads with Hydrocodone, Vicodin, Phentermine, Ambien, Valium, and Levitra. They have quite a few alternate payment methods, but most notably they do NOT accept Visa or Mastercard:

By accepting electronic checks, direct bank transfers, and Western Union payments, these dealers in fake drugs can move their money even faster than they move their drugs. The world of money laundering possibilities opens wide once you get Visa and MasterCard off the option list. That should also make it pretty clear to the potential buyers: this vendor wants to move your money Quickly, Untraceably, and most importantly Irreversibly. They want to make sure they get your money NOW, even though you may (or may not) get your drugs later, and even if you do NOT get your drugs, there is no way you're going to get your money back, or even figure out where your money went.

This particular domain was registered on March 20th via XIN NET Technology.

The IP is at - Hanaro telecom, Korea

This is not a new IP address to us at the UAB Spam Data Mine.

March 23 - (1 spammed domain)
March 24 - (13 spammed domains)
March 25 - (16 spammed domains)
March 26 - (50 spammed domains)
March 27 - (42 spammed domains)
March 28 - (42 spammed domains)
March 29 - (42 spammed domains)
March 30 - (64 spammed domains)
March 31 - (75 spammed domains)

(I'll update those stats with April data once it's been caught up...)
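The two tallies above (messages mentioning "Hydrocodone" in subject or body, and the number of distinct spammed domains landing on one hosting IP per day) are the kind of aggregation a spam corpus makes easy. The script below is an added example, not the UAB Spam Data Mine's code: it parses a handful of constructed RFC 822 messages, pulls the advertised hostnames out of the URLs, and buckets them by day and hosting IP. The `.invalid` domains, the messages, and the host-to-IP table `SAMPLE_DNS` are all constructed for the example; in real use that table is replaced by a live A-record lookup of each hostname.

```python
"""Aggregate spam-advertised domains per hosting IP per day.

Added example, not the UAB Spam Data Mine's code.  The messages and the
host->IP table are constructed for the example; in production the table is
replaced by live DNS lookups of each advertised hostname.
"""
import email
import email.policy
import re
from collections import defaultdict
from email.utils import parsedate_to_datetime
from typing import Dict, Iterable, List, Set, Tuple

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample messages (hypothetical .invalid domains, fake senders).
SAMPLE_MESSAGES: List[str] = [
    "From: x@example.com\nTo: trap@example.org\n"
    "Date: Mon, 23 Mar 2009 08:12:00 -0500\nSubject: Hydrocodone For You\n\n"
    "Order today: http://pills-a-b.invalid/\n",
    "From: y@example.com\nTo: trap@example.org\n"
    "Date: Tue, 24 Mar 2009 09:30:00 -0500\nSubject: Cheap meds, no rx\n\n"
    "hydrocodone, vicodin, ambien http://pills-c-d.invalid/buy\n",
    "From: z@example.com\nTo: trap@example.org\n"
    "Date: Tue, 24 Mar 2009 11:05:00 -0500\nSubject: Re: your order\n\n"
    "Track it at http://pills-a-b.invalid/track\n",
    "From: w@example.com\nTo: trap@example.org\n"
    "Date: Tue, 24 Mar 2009 17:45:00 -0500\nSubject: Viagra specials\n\n"
    "Visit http://meds-e-f.invalid today\n",
    "From: v@example.com\nTo: trap@example.org\n"
    "Date: Wed, 25 Mar 2009 03:00:00 -0500\nSubject: for you\n\n"
    "HYDROCODONE overnight http://PILLS-A-B.invalid./x\n",
]

# Constructed host->IP table standing in for DNS resolution.
SAMPLE_DNS: Dict[str, str] = {
    "pills-a-b.invalid": "203.0.113.50",
    "pills-c-d.invalid": "203.0.113.50",
    "meds-e-f.invalid": "198.51.100.9",
}


def parse_message(raw: str) -> Tuple[str, str, Set[str]]:
    """Return (day as YYYY-MM-DD, subject+body text, advertised hostnames)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    # Collect every text/* part so multipart spam is handled the same way.
    texts = [part.get_content() for part in msg.walk()
             if part.get_content_maintype() == "text"]
    subject = str(msg["subject"] or "")
    text = subject + "\n" + "\n".join(texts)
    day = parsedate_to_datetime(str(msg["date"])).date().isoformat()
    # Normalise case and a trailing dot so PILLS-A-B.invalid. == pills-a-b.invalid
    hosts = {h.lower().rstrip(".") for h in URL_HOST_RE.findall(text)}
    return day, text, hosts


def count_keyword(messages: Iterable[str], keyword: str) -> int:
    """Number of messages whose subject or body mentions `keyword`."""
    pat = re.compile(re.escape(keyword), re.IGNORECASE)
    return sum(1 for raw in messages if pat.search(parse_message(raw)[1]))


def domains_by_ip_and_day(messages: Iterable[str],
                          dns: Dict[str, str]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (day, hosting ip) -> set of distinct advertised domains hosted there."""
    buckets: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for raw in messages:
        day, _, hosts = parse_message(raw)
        for host in hosts:
            ip = dns.get(host, "unresolved")   # keep unknowns visible, not dropped
            buckets[(day, ip)].add(host)
    return dict(buckets)


def daily_counts(messages: Iterable[str],
                 dns: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """Sorted (day, ip, distinct spammed-domain count): the per-day tally above."""
    return sorted((day, ip, len(hosts))
                  for (day, ip), hosts in domains_by_ip_and_day(messages, dns).items())


if __name__ == "__main__":
    print("messages mentioning hydrocodone:",
          count_keyword(SAMPLE_MESSAGES, "hydrocodone"))
    for day, ip, n in daily_counts(SAMPLE_MESSAGES, SAMPLE_DNS):
        print(f"{day}  {ip:15} {n} spammed domain(s)")
```

The bucket key is the hosting IP rather than the domain name precisely because the page's clusters churn through hundreds of throwaway hyphenated domains while sitting on one address; counting distinct domains per IP per day is what exposes the cluster.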

The Hotmail address in the whois data is =

Two hundred other hyphenated domain names are on the same Hanaro IP address, according to DomainTools:

Over the weekend, a new Hydrocodone cluster emerged, distinct from the one above.

The new cluster used the following domain names in more than 1500 emails just over the last weekend:

The new cluster looks like another Viagra site at first:

but scrolling down, we see it really is selling Hydrocodone and other Class II and Class III Controlled Substances:

As with the first cluster we mention, Visa and MasterCard are conspicuously missing from this site. It now accepts ONLY American Express:

Fortunately, they are concerned about the High Incidence of Fraud. 8-) Haha!

Thursday, April 09, 2009

Is There a Conficker E? Waledac makes a move...

At UAB Computer Forensics, we have been tracking the spam bot Waledac since March 19th, by checking every so often (like 4 times a minute) all of the domain names that we know are being used to distribute Waledac. We've been making a list of the infected nodes, with the timestamp at which we saw them distributing Waledac, and offering that list to various network providers. (If you are a network provider/ISP, send me an email to get a pointer to the list; there are around 4,000 US-based IPs on it so far.)
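The polling loop described above, as an added example that is not UAB's own monitoring code: each round resolves every watched domain, records the first and last time each answering IP was seen and which domains it fronted, and notes domains that have stopped resolving (the registrar takedowns mentioned elsewhere on this page). The resolver is a pluggable callable so the script runs offline against constructed answers; the `.invalid` domains and the canned answer sets in `SAMPLE_POLLS` are constructed for the example, and for live use you pass a function that does a real A-record lookup.

```python
"""Poll a watch-list of malware domains and record every IP that answers.

Added example, not UAB's own tooling.  The resolver is a pluggable callable
so the script runs offline against constructed answers; for live use, pass
a function that performs a real A-record lookup (dnspython, socket, ...).
"""
import time
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample data.  The domains are hypothetical (.invalid never
# resolves); each entry is the A-record answer set returned per poll round,
# None standing for NXDOMAIN (the registrar finally terminated the domain).
SAMPLE_POLLS: Dict[str, List[Optional[List[str]]]] = {
    "flux-a.invalid": [["198.51.100.10", "198.51.100.11"],
                       ["198.51.100.11", "198.51.100.12"]],
    "flux-b.invalid": [["198.51.100.12", "203.0.113.7"],
                       ["203.0.113.7", "203.0.113.8"]],
    "dead.invalid":   [None, None],
}

Resolver = Callable[[str], List[str]]


def make_offline_resolver(polls: Dict[str, List[Optional[List[str]]]]) -> Resolver:
    """Replay canned answers round by round; raise LookupError on NXDOMAIN."""
    rounds: Dict[str, int] = defaultdict(int)

    def resolve(domain: str) -> List[str]:
        idx = rounds[domain]
        rounds[domain] += 1
        answers = polls.get(domain)
        if not answers or idx >= len(answers) or answers[idx] is None:
            raise LookupError(f"NXDOMAIN {domain}")
        return list(answers[idx])

    return resolve


class FluxTracker:
    """Accumulates every IP seen fronting a watched domain, with first/last
    seen timestamps and the set of domains it has answered for."""

    def __init__(self) -> None:
        self.first_seen: Dict[str, float] = {}
        self.last_seen: Dict[str, float] = {}
        self.domains: Dict[str, Set[str]] = defaultdict(set)
        self.dead: Dict[str, float] = {}      # domain -> time it first failed

    def poll(self, domains: Iterable[str], resolve: Resolver,
             now: Optional[float] = None) -> int:
        """Run one polling round; return the number of newly seen IPs."""
        now = time.time() if now is None else now
        new = 0
        for domain in domains:
            try:
                ips = resolve(domain)
            except LookupError:
                self.dead.setdefault(domain, now)   # keep the first failure time
                continue
            self.dead.pop(domain, None)             # came back: treat as live again
            for ip in ips:
                if ip not in self.first_seen:
                    self.first_seen[ip] = now
                    new += 1
                self.last_seen[ip] = now
                self.domains[ip].add(domain)
        return new

    def nodes(self) -> List[Tuple[str, float, float, int]]:
        """(ip, first_seen, last_seen, number_of_domains), ordered by first sighting."""
        rows = [(ip, self.first_seen[ip], self.last_seen[ip], len(self.domains[ip]))
                for ip in self.first_seen]
        return sorted(rows, key=lambda r: (r[1], r[0]))


def run_rounds(polls: Dict[str, List[Optional[List[str]]]], rounds: int,
               interval: float, start: float = 0.0) -> FluxTracker:
    """Poll every domain `rounds` times, `interval` seconds apart (simulated clock)."""
    tracker = FluxTracker()
    resolve = make_offline_resolver(polls)
    for i in range(rounds):
        tracker.poll(polls, resolve, now=start + i * interval)
    return tracker


if __name__ == "__main__":
    t = run_rounds(SAMPLE_POLLS, rounds=2, interval=15.0, start=1000.0)
    for ip, first, last, n in t.nodes():
        print(f"{ip:16} first={first:.0f} last={last:.0f} domains={n}")
    print("terminated:", sorted(t.dead))
```

The per-IP record is what an ISP needs: a first-seen and last-seen timestamp rather than a bare address, so the provider can match it against its own DHCP or NAT logs for that window.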

This morning, Packet Ninja Dan Clemens gave me a call asking if I had seen Trend Micro's claim that Conficker was updating. I hadn't seen that, but I had seen emails on one of my secret squirrel mailing lists that Conficker was updating from "". That didn't make any sense at all to me! We've seen 2,821 IP addresses serving up "plain ole' Waledac" from GND, so far. (See

Just to make sure, I went ahead and fetched the current Waledac binary from one of the websites, and sure enough, it was Plain Ole Waledac.

MD5: 20ac8daf84c022ef10bc042128ccace6

Currently detected by only 9 of 40 products at VirusTotal

Here's the VirusTotal Link, but the details are here:

AntiVir - TR/Crypt.ZPACK.Gen
CAT-QuickHeal - DNAScan
F-Secure - Packed:W32/Waledac.gen!I
Fortinet - W32/PackWaledac.C
McAfee-GW-Edition - Trojan.Crypt.ZPACK.Gen
Microsoft - Trojan:Win32/Waledac.gen!A
NOD32 - Variant of Win32/Kryptic.LP
Panda - Suspicious file
Sophos - Mal/WaledPak-A

A sad statement of the current state of anti-virus, that a KNOWN MALWARE DISTRIBUTION POINT that has been serving up viruses since mid-March for a large spam botnet is still entirely undetected by 3/4ths of the AV products!

But it gets worse.

I went and read Trend Micro's assertions on their blog . . .

According to Trend Micro they saw new malware arrive on one of their conficker boxes, being dropped not via a website update, as we've all been expecting, but via a Peer 2 Peer connection from other Conficker machines. The new malware arrived via P2P on their box and began attempting to propagate in worm-like fashion looking for MS08-067 vulnerabilities (the same as previous versions of Conficker), as well as opening a webserver on port 5114, and making connections to Myspace, MSN, eBay, CNN, and AOL. After this, the machine downloaded a file from, which is, as I mentioned above, a Waledac distribution point.

The file that it downloads though IS NOT THE PRIMARY WALEDAC MALWARE. We retrieved the same file in our labs at UAB (forgive me, but the file is named "fuck4.exe"), and scanned it with VirusTotal as well. This is NOT the file you receive if you visit the Waledac host, as we described above, via a normal spam-referred website visit.

Here's what we got from "fuck4.exe" at VirusTotal:

ZERO products detect this as malware. NONE of the 40 products thought the 418kb executable file was a virus.

VirusTotal Report

Trend is calling the new variant WORM_DOWNAD.E (DownAdUp is an alias for Conficker).

The Trend article certainly has caused some deep thinking here this morning! Thanks to Ivan Macalintal at Trend, and because he thanks Joseph Cepe and Paul Ferguson, we thank them as well!

Wait, why are we thanking Paul Ferguson? I had to go find out. It's because of his excellent documentation on the Peer to Peer nature of Conficker in the Trend Blog on April 4th. While the entire world began watching on April 1st for Conficker to be updated via new malware placed on one of the 50,500 domain names that began to be searched on April 1, the bad guys snuck in the back door and updated Conficker via P2P instead.

Paul got a head start on his Peer to Peer research from the excellent malware researchers at CERT-LEXSI, in their blog at CERT-LEXSI.

We'll be contacting more Conficker researchers as the day goes on and trying to determine if ALL the Conficker nodes have just merged with Waledac, or if something else is occurring here.

Wednesday, April 08, 2009

Microsoft Security Intelligence Report 2H08

The Microsoft Security Intelligence Report for the second half of 2008 has been released (the 184-page PDF version is timestamped the evening of April 6th). We reported on the last SIR report back on November 11, 2008 - please see Microsoft Reveals Malware and Spam Trends for our coverage of that report.

Number of Security Vulnerabilities

52% of the security vulnerabilities announced throughout the industry, as scored by the Common Vulnerability Scoring System, were of "High" severity, while 56% of them were "Easy to exploit". 90% of the industry vulnerability announcements related to applications or browsers. Only 10% dealt with Operating Systems.

Microsoft released 42 Security patches during the 2H08 period.


More than 97% of the email sent across the Internet during 2H08 was unwanted! They have malicious attachments, they are phishing emails, or they are just plain spam. As all of us already suspected 48.6% of all the spam observed during 2H08 was for pharmaceutical products. Another 23% were for non-pharmacy product advertisements.

Notice that the Stock Pump & Dump spam almost disappeared. What would they sell if we could do the same thing to pharmacy spam?

The report also calls attention to the demise of McColo as being the big enforcement action of the year. This section of their report is called "Spam Volume Drops 46 Percent When Hosting Provider Goes Offline". The spam level at the end of December was still lower than the pre-McColo action on November 11th.

Browser Drive-By-Infections

About 1 in 1500 websites (more than 1 million) indexed by Live Search (Microsoft's answer to the Google search engine) contained a drive-by-download page. More than 1% of websites with a ".cn" country code hosted drive-by-download exploits. When they looked at the products being exploited in these drive-by attacks, #1 and #2 were Adobe Flash and RealPlayer.

(from p.48 of the Microsoft SIR report for 2H08)

On Windows XP machines, browser exploits targeted a Microsoft product 40.9% of the time. On Windows Vista machines, successful browser exploits targeted a Microsoft product only 5.5% of the time. This is one of many places throughout the document that Microsoft reminds us that Vista is a more secure operating system than XP.

In the first half of 2008, most compromised browsers were running Chinese language set (zh-CN = 25.6%). In the second half of 2008, American English language browsers easily passed them (en-US = 32.4%).

Social Engineering

The SIR report makes a point that the criminals today are having great success with social engineering targeting Fear, Trust, and Desire. Rogue Security Software did so well, because people are afraid of viruses.

Of the Social Engineering attacks that were based on an infected Microsoft Office file, 91.3% used the more than two year old exploit CVE-2006-2492 (MS06-027) to infect users via a Microsoft Word document. Curiously, only 32.5% of these infected Word documents targeted en-US machines. 15.7% targeted Taiwanese machines, 12% Russian, 11.1% other Chinese machines, and 2.6% Iraqi machines.

Two Adobe PDF reader exploits also became popular in 2H08, spreading strongly and increasingly from October until the end of the year. 57% of the Adobe attacks targeted en-US machines. China didn't make the top ten on that list.

One important note regarding malicious Office documents. Microsoft's SIR report recommends that users *NOT* run "Windows Update", but rather run "Microsoft Update". Windows Update will never prompt you to install Microsoft Office patches, which may be why so many machines are still vulnerable to two year old exploits. The report recommends that users read this entry:

How Is Windows Update Different Than Microsoft Update?, and make the appropriate changes on their machines.

Security Breaches

The report also makes clear that the trend has continued - most security breaches are accomplished not through "hacking" (though more than 15% are), but through stolen or lost equipment, usually laptops.

Geographic Trends

In 2H08, 13.2 million US computers were cleaned by Microsoft's anti-malware desktop products.

(source: SIR report p. 69)

For more details, please see the full SIR report.