Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Yesterday's New Year email post is Storm/Waledac


Posted: 31 Dec 2010 09:50 PM | Patrik Runald | no comments


Yesterday's post, "New Year themed Malicious Email on the Prowl", and the emails it described were an early campaign by what is now believed to be Storm v3 or Waledac v2. As our friends over at ShadowServer mention, the campaign has since changed to something much more basic:

The URL in the email leads to many different sites, all compromised, where the user is immediately redirected by a <meta refresh> tag to one of the following domains:

bethira.com
bitagede.com
cifici.com
darlev.com
elberer.com
envoyee.com
leolati.com
makonicu.com
scypap.com
suedev.com
teddamp.com

Once on that page the user is presented with a very simple page that just asks them to download a fake Adobe Flash Player:

[Screenshot: fake Adobe Flash Player download page]

This simple page is not what we have come to expect from Storm/Waledac, which in previous attacks has used professional-looking websites closely tied to the theme of the campaign. Here are some examples (screenshots):

  • Halloween theme
  • NFL theme
  • Krackin' theme
  • Kitty Greeting Card theme

In very few cases we have seen the page contain obfuscated JavaScript that tries to use exploits to push the file onto the user's PC. In most cases, however, the user is redirected again after 5 seconds, this time to a site that serves exploits, although that site is not available right now.
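The two redirect hops described above (the immediate meta refresh from the compromised site to one of the listed domains, and the 5-second meta refresh from the landing page onward) can be picked out of a saved page with a small parser. The following is an added example written for this post, not Websense's own tooling: it extracts every `<meta http-equiv="refresh">` tag, normalises the target hostname and checks it against the domains listed above. The two sample pages are constructed, and the exploit host in the second one is a placeholder because the post does not name the real site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Redirect destinations listed in the post (Storm/Waledac New Year campaign).
WALEDAC_DOMAINS = {
    "bethira.com", "bitagede.com", "cifici.com", "darlev.com", "elberer.com",
    "envoyee.com", "leolati.com", "makonicu.com", "scypap.com", "suedev.com",
    "teddamp.com",
}

# Matches a refresh content attribute: "<delay>" or "<delay>;url=<target>" (quotes optional).
_REFRESH_RE = re.compile(r"\s*(\d+)\s*(?:;\s*url\s*=\s*['\"]?([^'\"]*)['\"]?)?", re.IGNORECASE)


class MetaRefreshParser(HTMLParser):
    """Collects (delay_seconds, target_url) for every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = _REFRESH_RE.match(a.get("content", ""))
        if m:
            self.refreshes.append((int(m.group(1)), (m.group(2) or "").strip()))


def target_domain(url):
    """Hostname of a redirect target, lower-cased, leading 'www.' removed ('' for relative URLs)."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_refreshes(html):
    """Return [(delay_seconds, domain, is_listed_domain)] for each meta refresh in the page."""
    parser = MetaRefreshParser()
    parser.feed(html)
    out = []
    for delay, url in parser.refreshes:
        dom = target_domain(url)
        out.append((delay, dom, dom in WALEDAC_DOMAINS))
    return out


# Constructed sample: a compromised site bouncing immediately to a listed domain.
COMPROMISED_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://bethira.com/">
</head><body></body></html>"""

# Constructed sample: the landing page bouncing on after 5 seconds. The real
# exploit host is not named in the post, so a placeholder hostname is used.
LANDING_PAGE = """<html><head><title>Adobe Flash Player update</title>
<META HTTP-EQUIV="Refresh" CONTENT="5; URL='http://exploit-host.invalid/'">
</head><body>Please install the latest Flash Player to view this card.</body></html>"""

if __name__ == "__main__":
    for name, page in (("compromised", COMPROMISED_PAGE), ("landing", LANDING_PAGE)):
        for delay, dom, listed in classify_refreshes(page):
            print(f"{name}: refresh after {delay}s -> {dom}{' [listed domain]' if listed else ''}")
```

Running it reports the 0-second hop to bethira.com as a listed domain and the 5-second hop to the placeholder host as unlisted; pointing it at captured pages from a proxy log is a cheap way to spot both stages of this chain.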

A few other noteworthy things about this attack:

  • The domains it uses to serve the malware are fast-fluxing, which means that when you request the URL it redirects you to a different IP address every time
  • The file itself is either server-side generated or just updated very frequently
  • AV coverage is pretty bad - 6/42 (14.3%)
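Fast-fluxing shows up on the DNS side as a domain whose answers keep changing across short TTLs. The following is an added example, not part of the original post, of the kind of heuristic a defender can run over their own resolver logs to flag that behaviour: for each domain it counts distinct answer IPs and distinct /24 networks and takes the lowest TTL seen. The observation records and the thresholds are constructed for illustration (the IPs are RFC 5737 documentation addresses), and the "static-site.example" domain is a made-up benign control.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed DNS observations: (seconds since start, domain, answer IPv4, TTL in seconds).
# The IPs are from RFC 5737 documentation ranges and belong to no real infrastructure.
OBSERVATIONS = [
    (0,    "bethira.com",         "198.51.100.10",    180),
    (300,  "bethira.com",         "203.0.113.77",     120),
    (600,  "bethira.com",         "192.0.2.45",       180),
    (900,  "bethira.com",         "198.51.100.200",    60),
    (1200, "bethira.com",         "203.0.113.9",      120),
    (0,    "static-site.example", "192.0.2.1",      86400),
    (600,  "static-site.example", "192.0.2.1",      86400),
    (1200, "static-site.example", "192.0.2.1",      86400),
]

# Illustrative thresholds chosen for this example, not values from the post.
MIN_DISTINCT_IPS = 3    # several different answers for one name
MIN_DISTINCT_NETS = 2   # spread over more than one /24 (not one provider's pool)
MAX_TTL = 300           # short TTLs so the answers rotate quickly


def slash24(ip):
    """Return the /24 prefix an IPv4 address falls in, e.g. '198.51.100.0/24'."""
    return str(ip_network(f"{ip_address(ip)}/24", strict=False))


def score_fast_flux(observations):
    """Summarise answer diversity per domain and flag those that look fast-fluxed."""
    ips = defaultdict(set)
    nets = defaultdict(set)
    min_ttl = {}
    for _t, domain, ip, ttl in observations:
        ips[domain].add(ip)
        nets[domain].add(slash24(ip))
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    result = {}
    for domain in ips:
        flagged = (len(ips[domain]) >= MIN_DISTINCT_IPS
                   and len(nets[domain]) >= MIN_DISTINCT_NETS
                   and min_ttl[domain] <= MAX_TTL)
        result[domain] = {"ips": len(ips[domain]), "nets": len(nets[domain]),
                          "min_ttl": min_ttl[domain], "fast_flux": flagged}
    return result


if __name__ == "__main__":
    for domain, s in score_fast_flux(OBSERVATIONS).items():
        print(f"{domain}: {s['ips']} IPs in {s['nets']} /24s, min TTL {s['min_ttl']}s"
              f" -> {'FAST-FLUX' if s['fast_flux'] else 'ok'}")
```

The network-diversity condition matters: a large CDN or round-robin web farm also answers with many IPs, but usually from one or two netblocks with consistent TTLs, whereas a fast-flux name hops between unrelated consumer ranges, which is what the /24 count is meant to separate.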

The spam campaign itself is still ongoing, and we will keep monitoring it over the weekend to see whether the attack changes.
