
New Versions of Waledac Botnet/Storm Worm Uncovered in Massive Spam Campaign

A new spam campaign has been uncovered by Shadowserver, a volunteer group of security professionals, and researchers believe it to be the work of a new version of either the Waledac botnet or the Storm worm.

Shadowserver's security experts have tracked a massive influx of spam messages over the holidays that resembles a campaign initiated by the infamous Waledac botnet or Storm worm. After further examination of this spam campaign, which consists mostly of holiday e-card scam emails, experts at Shadowserver believe that it could be the work of a newer variant of Waledac or Storm.

We released a removal report on Waledac back in 2009; at that time the botnet was commonly used to attach fake holiday e-cards for the purpose of spreading malware links. These malware links, like the ones in the recent discovery made by Shadowserver, lead computer users to sites that offer videos. In order for users to view these videos, the site asks them to update Adobe Flash, which prompts them to download a malicious executable file. What is believed to be a newer version of Waledac or Storm has linked computer users to several hacked websites hosting HTML pages that refresh to different malicious domains. Just last year, the Storm worm (or botnet) made a return with different and rather complex functionality. We could be witnessing a whole new ballgame, where the malicious domains are able to update their IP (Internet Protocol) addresses.
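The redirector pages described above are ordinary HTML files on compromised sites that carry a refresh pointing to an attacker-controlled domain. The following scanner is an added example, not code from the original post or from Shadowserver: it parses meta-refresh directives from HTML and reports those whose target host differs from the site's own hostname, which is how a site owner can sweep their content for injected redirectors. The sample page and the `.invalid` hostnames are constructed for the example.

```python
"""Find meta-refresh redirects in HTML that lead off the hosting domain.

Added example (not from the original post).  Intended for a site owner
scanning their own pages; sample HTML and hostnames are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one injected zero-delay refresh to an outside host and
# one benign refresh to a page on the same site.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="Refresh" content="0; URL=http://redirect-target.invalid/card.html">
<meta http-equiv="refresh" content="30;url=/index.html">
</head><body>Loading your card...</body></html>"""


class _MetaRefresh(HTMLParser):
    """Collect (delay_seconds, url) pairs from <meta http-equiv="refresh"> tags."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content has the form "<delay>;url=<target>"; tolerate case and spaces
        content = a.get("content", "")
        delay, _, rest = content.partition(";")
        rest = rest.strip()
        url = ""
        if rest.lower().startswith("url="):
            url = rest[4:].strip().strip("'\"")
        try:
            delay_val = float(delay.strip() or "0")
        except ValueError:
            delay_val = 0.0
        self.targets.append((delay_val, url))


def refresh_targets(html):
    """All meta-refresh targets found in the document, in order."""
    parser = _MetaRefresh()
    parser.feed(html)
    return parser.targets


def offsite_refreshes(html, own_host):
    """Targets with an absolute URL whose host is not the page's own host."""
    hits = []
    for delay, url in refresh_targets(html):
        host = urlsplit(url).hostname
        if host and host.lower() != own_host.lower():
            hits.append((delay, url))
    return hits


if __name__ == "__main__":
    for delay, url in offsite_refreshes(SAMPLE_PAGE, "hacked-site.invalid"):
        print(f"off-site refresh after {delay:g}s -> {url}")
```

Relative targets are ignored on purpose, since a redirect that stays on the same host is rarely the injected kind; a zero-second delay combined with an outside host is the pattern worth alerting on.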

Several of the spam emails in the uncovered spam campaign so far have closely resembled the ones in Figure 1 and Figure 2 below with only subtle changes in the subject lines reading "You've got a Happy New Year Greeting Card!" or "Have a happy and colorful New Year!"

Figure 1. Screen shot of spam email from a fake Honda Puerto Rico address with a malicious link. (image not reproduced)

Figure 2. Screen shot of 'Happy New Year' spam email with a malicious link. (image not reproduced)

If one of the websites linked from the spam message is visited, it redirects the user to hxxp://leolati.com. This site uses what is called a 'fast flux' domain (a technique used by botnets to hide malicious websites behind a changing network of compromised sites), meaning the name resolves to a new IP address almost every time it is looked up. Furthermore, the record has a TTL of 0 (time to live, the length of time a resolver is allowed to cache the answer), which instructs caching name servers not to keep the result, so the IP address keeps changing. This is something commonly seen with other variants of Waledac and Storm.
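The two properties named above, a TTL of 0 and a different set of addresses on each resolution, are exactly what a defender can score from passive-DNS logs or repeated lookups. The script below is an added example, not code from the original post or from Shadowserver: it aggregates a series of constructed DNS observations per hostname and flags names that combine a short TTL, more distinct IPs than lookups, and addresses spread across several /24 networks. The thresholds, the `/24` as a coarse stand-in for network diversity, and the sample observations are assumptions made for the example.

```python
"""Heuristic fast-flux scoring over a series of DNS observations.

Added example (not from the original post).  In practice the observations
would come from passive-DNS logs or repeated lookups from a resolver you
control; here they are constructed inline so the script runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Observation:
    ts: int       # seconds since epoch (constructed)
    name: str     # queried hostname
    ttl: int      # TTL returned with the A records
    addrs: tuple  # A records in the answer section


# Constructed sample: one name answering with TTL 0 and fresh addresses on
# every lookup (the pattern described in the post) and one stable name.
SAMPLE = [
    Observation(1000, "flux.example", 0, ("198.51.100.10", "203.0.113.7")),
    Observation(1060, "flux.example", 0, ("192.0.2.44", "198.51.100.77")),
    Observation(1120, "flux.example", 0, ("203.0.113.201", "192.0.2.9")),
    Observation(1180, "flux.example", 0, ("198.51.100.130", "203.0.113.55")),
    Observation(1000, "stable.example", 3600, ("192.0.2.1",)),
    Observation(1060, "stable.example", 3600, ("192.0.2.1",)),
    Observation(1120, "stable.example", 3600, ("192.0.2.1",)),
]


def summarize(observations):
    """Per-name lookup count, distinct IPs, distinct /24s and minimum TTL."""
    by_name = defaultdict(
        lambda: {"lookups": 0, "ips": set(), "nets": set(), "min_ttl": None}
    )
    for ob in observations:
        s = by_name[ob.name]
        s["lookups"] += 1
        for a in ob.addrs:
            s["ips"].add(a)
            # /24 of each address as a coarse proxy for network diversity;
            # a production system would map each IP to its ASN instead.
            s["nets"].add(str(ip_network(f"{ip_address(a)}/24", strict=False)))
        s["min_ttl"] = ob.ttl if s["min_ttl"] is None else min(s["min_ttl"], ob.ttl)
    return by_name


def flux_score(stats):
    """0..3 score; thresholds are assumptions chosen for this example."""
    score = 0
    if stats["min_ttl"] <= 300:            # very short or zero TTL
        score += 1
    if len(stats["ips"]) / stats["lookups"] >= 1.5:  # more IPs than lookups
        score += 1
    if len(stats["nets"]) >= 3:            # spread across several networks
        score += 1
    return score


def classify(observations, threshold=3):
    """Return {name: (score, is_fast_flux)} for every name observed."""
    result = {}
    for name, stats in summarize(observations).items():
        sc = flux_score(stats)
        result[name] = (sc, sc >= threshold)
    return result


if __name__ == "__main__":
    for name, (sc, flagged) in classify(SAMPLE).items():
        print(f"{name:16} score={sc} fast_flux={flagged}")
```

A CDN can also return low TTLs and many addresses, so in a real deployment the network-diversity check should use ASN or hosting-provider data rather than /24s, and the score should be one input to triage rather than a verdict on its own.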

We have seen in the past how complex botnets can be. If there really is a new version of the Storm worm or Waledac botnet, then many vulnerable computer users could be in for a 'Storm' of spam messages. It is encouraging that the latest messages in this spam campaign are nothing new to us, which means computer users should not have a hard time identifying them as spam.

Even though the holiday season has concluded, we may still see a return of e-card email scams during the next holiday this year if a new version of Waledac or Storm proves to be more effective.
