
Several reports have recently been released on a spam run that bears a resemblance to the infamous WALEDAC worm, which wrought havoc in 2008. According to ShadowServer, which first reported the threat, the attack was similar to WALEDAC attacks in its use of spam, fast-flux domains, and frequently changing binaries, among other traits. This led to the conclusion that the attack was conducted by the very same people behind WALEDAC.

It’s not yet clear if these attacks are really tied to the same individuals behind WALEDAC. What we found, however, is that the threat used tactics similar to those used by WALEDAC.

We first encountered this threat on December 29 last year when we received and blocked spam messages with a short yet very timely message.

[Screenshot: sample of the blocked spam message]

This type of attack was used by WALEDAC several times. The use of e-cards and the holidays as social engineering ploys are also not unusual.

The messages contained a URL, which varied between messages and led to another simple page asking the recipient to download a fake Adobe Flash Player. The download is actually a Trojan detected as TROJ_KELIHOS.DLR, which in turn downloads another file detected as WORM_KELIHOS.SM.

WORM_KELIHOS.SM is spamming malware that sends the very same messages used to spread TROJ_KELIHOS.DLR. It uses a well-defined “template” for its messages, filling it with random combinations of names, subjects, and phrases so that each message appears to have been written by a human.
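As an added example (not code from the original post or from Trend Micro), the following Python script shows one way a mail defender can spot template-generated spam of the kind described above: each message is normalized (URLs and numbers replaced by placeholders), messages are compared by the Jaccard similarity of their token sets, and near-duplicates are greedily clustered. A large cluster of messages that differ only in the interchangeable names and phrases is a sign of templated bulk mail. The sample messages, the 0.6 similarity threshold and the cluster-size cutoff are constructed for illustration.

```python
import re

# Constructed sample messages (not from the original post): four e-card spam
# messages produced from one template with interchangeable names and phrases,
# plus two unrelated legitimate messages. Hosts use documentation (TEST-NET)
# addresses.
SAMPLE_MESSAGES = [
    ("Sarah sent you a New Year greeting card",
     "Sarah has sent you an e-card. View it at http://203.0.113.10/card.html"),
    ("John sent you a New Year greeting card",
     "John has sent you an e-card. View it at http://198.51.100.7/card.html"),
    ("Maria sent you a New Year ecard",
     "Maria has sent you an ecard. View it at http://203.0.113.44/card.html"),
    ("Peter sent you a New Year greeting card",
     "Peter has sent you an e-card. View it at http://192.0.2.19/card.html"),
    ("Meeting moved to Tuesday",
     "Hi team, the weekly sync moves to Tuesday 10am. Thanks, Alice"),
    ("Invoice 4471 attached",
     "Please find invoice 4471 attached. Regards, Bob"),
]

URL_RE = re.compile(r"https?://\S+")
NUM_RE = re.compile(r"\d+")
# Tokens are lowercase words (hyphens allowed) or the <url>/<num> placeholders.
TOKEN_RE = re.compile(r"[a-z<][a-z0-9<>-]*")


def normalize(subject, body):
    """Lowercase the message, replace URLs and numbers with placeholders,
    and return the set of remaining tokens (the variable parts, e.g. the
    sender name, survive as single differing tokens)."""
    text = f"{subject} {body}".lower()
    text = URL_RE.sub(" <url> ", text)
    text = NUM_RE.sub(" <num> ", text)
    return frozenset(TOKEN_RE.findall(text))


def jaccard(a, b):
    """Jaccard similarity of two token sets: |a & b| / |a | b|."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_messages(messages, threshold=0.6):
    """Single-pass greedy clustering: a message joins the first cluster whose
    representative (its first member) is at least `threshold` similar,
    otherwise it starts a new cluster. Returns lists of message indices."""
    clusters = []  # each entry: {"rep": token set, "members": [indices]}
    for idx, (subject, body) in enumerate(messages):
        tokens = normalize(subject, body)
        for cluster in clusters:
            if jaccard(tokens, cluster["rep"]) >= threshold:
                cluster["members"].append(idx)
                break
        else:
            clusters.append({"rep": tokens, "members": [idx]})
    return [cluster["members"] for cluster in clusters]


def flag_templated_bulk(messages, min_size=3, threshold=0.6):
    """Return the clusters large enough to look like template-generated bulk
    mail; min_size is a constructed cutoff for this small sample."""
    return [members for members in cluster_messages(messages, threshold)
            if len(members) >= min_size]


if __name__ == "__main__":
    for members in cluster_messages(SAMPLE_MESSAGES):
        print(len(members), [SAMPLE_MESSAGES[i][0] for i in members])
    print("templated bulk clusters:", flag_templated_bulk(SAMPLE_MESSAGES))
```

On the constructed sample the four e-card messages collapse into one cluster (pairwise similarity 0.875 for the name-only variants, 0.647 for the "ecard" wording variant) while the two legitimate messages stay apart; in production the threshold would be tuned on real mail volume and the clustering done incrementally over a time window.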

Like previous WALEDAC variants, WORM_KELIHOS.SM communicates via a peer-to-peer (P2P) mechanism. However, information about this is far easier to obtain than usual because of a very unusual feature: WORM_KELIHOS.SM has an unusually sophisticated logging facility. If it is executed with a special command-line parameter, “/loggs99”, it produces a rather in-depth log of its behavior, a snippet of which is shown below.

[Screenshot: snippet of the WORM_KELIHOS.SM log output]

The log describes, in some detail, the P2P behavior that WORM_KELIHOS.SM exhibits, particularly how it attempts to connect to already-infected machines. If it is successful in doing so, the log also shows how it updates the list of infected machines it already knows about.

This sort of behavior is highly unusual. Malware authors generally prefer to hide a malware’s behavior and not advertise it. One can therefore wonder why this sort of behavior made it to an in-the-wild malware variant. It’s possible that this means that this particular malware family is still being developed and that its creators intend to make improvements to it down the road.

We can’t conclude with 100 percent certainty that this new attack is from the creators of the original WALEDAC spam botnets. However, it does appear that a new spamming botnet is in the initial stages of development. Whether this new botnet can be considered WALEDAC’s successor is something that’s still up for debate.

What users should be aware of is that the “classic” tactics first used by WALEDAC in spam are still around.


• Sotheby it support

  I haven't seen any spam messages like this getting through our servers yet. I wonder whether it's country specific at the moment.


© Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice