Storm Worm Reincarnates As Waledac



SecurityProNews
Staff Writer
2008-12-31

Shadowserver has published a detailed analysis of a malware variant called Waledac, and the crew there suspects it is a new form of Storm Worm, spread by fairly sophisticated means.

Over the past couple of weeks, those with malicious intent have attempted to spread the Trojan via email, alerting the recipient to a holiday greeting card a friend has supposedly sent them. Clicking on the link provided leads the victim to a website which, as you can guess, attempts to install the virus via a JavaScript reference pointing to "google-analysis.js."

If Microsoft is the most targeted in terms of exploits, Google has lately become the object of abused trust.

The exploit loads a page from seocom.mobi, from which it fetches commands. The network is fairly complicated, however: it also uses fast-flux domains, that is, domains that constantly resolve to different IP addresses. Further analysis suggests a peer-to-peer setup that masks the origin.
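To illustrate the fast-flux behaviour described above from a defender's side, here is an added example (written for this page, not code from Shadowserver or the article) that flags a name whose passive-DNS history shows many distinct addresses across unrelated networks, with short TTLs, inside a short time window. The records, addresses, timings and thresholds are constructed assumptions; only the malicious-looking name is one the article's source recommends blocking.

```python
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS observations: (UTC timestamp, name, answer IP, TTL seconds).
# Addresses are from the RFC 5737 documentation ranges; nothing here is real data.
SAMPLE_RECORDS = [
    ("2008-12-29T10:00:00", "cardnewyear.com", "192.0.2.10", 300),
    ("2008-12-29T10:05:00", "cardnewyear.com", "198.51.100.7", 300),
    ("2008-12-29T10:10:00", "cardnewyear.com", "203.0.113.44", 300),
    ("2008-12-29T10:15:00", "cardnewyear.com", "192.0.2.99", 300),
    ("2008-12-29T10:20:00", "cardnewyear.com", "198.51.100.200", 300),
    ("2008-12-29T10:25:00", "cardnewyear.com", "203.0.113.5", 300),
    ("2008-12-29T10:00:00", "example.net", "192.0.2.1", 86400),
    ("2008-12-29T10:05:00", "example.net", "192.0.2.1", 86400),
    ("2008-12-29T10:10:00", "example.net", "192.0.2.2", 86400),
]

def summarize(records):
    """Group observations by name and collect the churn indicators per name."""
    by_name = defaultdict(lambda: {"ips": set(), "prefixes": set(),
                                   "ttls": [], "first": None, "last": None})
    for ts, name, ip, ttl in records:
        t = datetime.fromisoformat(ts)
        s = by_name[name]
        s["ips"].add(ip)
        s["prefixes"].add(".".join(ip.split(".")[:3]))  # /24 network prefix
        s["ttls"].append(ttl)
        s["first"] = t if s["first"] is None or t < s["first"] else s["first"]
        s["last"] = t if s["last"] is None or t > s["last"] else s["last"]
    return by_name

def is_fast_flux(s, min_ips=5, max_ttl=600, min_prefixes=3, max_window_hours=1.0):
    """Heuristic (thresholds are assumptions): many addresses in several /24s,
    short TTLs, all observed within a short window."""
    window_hours = (s["last"] - s["first"]).total_seconds() / 3600
    avg_ttl = sum(s["ttls"]) / len(s["ttls"])
    return (len(s["ips"]) >= min_ips and len(s["prefixes"]) >= min_prefixes
            and avg_ttl <= max_ttl and window_hours <= max_window_hours)

def flag_fast_flux(records):
    """Return the sorted names whose resolution history looks like fast-flux."""
    return sorted(n for n, s in summarize(records).items() if is_fast_flux(s))

if __name__ == "__main__":
    print(flag_fast_flux(SAMPLE_RECORDS))  # ['cardnewyear.com']
```

Legitimate CDN-hosted names can also rotate addresses, so a hit from this heuristic is a lead for review rather than a verdict on its own.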

Steven Adair writes, "It would seem that web server nodes forward on and send traffic to other web server nodes effectively working in a peer-to-peer network. As our friend 'W' calls it... HTTP2p. There is certainly a back end mothership somewhere, but it does not seem that infected web nodes talk directly to it or at least not every time. It is also interesting to note that if the trojan does not successfully connect to any of its seed IPs for ten minutes it will then attempt to grab a php file from one of the domains that is hard coded inside the binary."

All of this bears a striking resemblance to Storm Worm: a fast-flux network, multiple name servers, and the use of ecard.exe and postcard.exe file names, among other traits. In addition to not clicking links in email and keeping an antivirus program running at all times, Adair recommends blocking a long list of domains associated with the campaign.




About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.
