Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    May 2013
    S M T W T F S
    « Apr    
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
    • About Us
    Trendlabs Security Intelligence > Waledac Localizes Social Engineering

    The Waledac gang continues to improve on Storm’s tried and tested spamming technique. Fake news and alarming headlines are standard Storm email contents since the botnet’s most notorious variant, NUWAR, started sending out messages warning users of looming nuclear wars.

    Waledac recently started a new spamming operation using that same old social engineering technique:

    Figures 1, 2, and 3. Sample spammed messages.

    The links in these messages lead to malicious websites where Waledac variants are eventually downloaded. What’s new here is that these websites are engineered to vary according to the location of the email recipient. Users are explicitly told that an explosion happened in their respective cities:


    Figure 4. A user in the Philippines would see this localized malicious website.

    Trend Micro Advanced Threats Researcher Paul Ferguson explains that this is done by using GeoIP to determine the location of the victims who surf to a booby-trapped server hosting the bogus news website. The spammed messages themselves have generic content, but the sites they point to modify the city names in the headline depending on the IP location of the user. This serves as an effective social engineering technique in an attempt to sow fear and paranoia.

    However, this is not the first time Waledac attempted to use this localization technique, according to Advanced Threats Researcher Joey Costoya, Waledac has been using this GeoIP functionality back in February, when the botnet sent fake coupons. A user from Manila would see the following:


    Figure 4. Malicious website.

    Users from other regions would see another. Because the threat is localized and is made to look more personal, the possibility of users actually believing the content of the sites is increased.

    Trend Micro’s current detections include WORM_WALEDAC.NYS and WORM_WALEDAC.CRV. The Waledac family is known for harvesting email addresses and sending then to several IP addresses.

    The Smart Protection Network also blocks Waledac websites. Our engineers are analyzing this threat further. We will update this post as soon as more information becomes available.

    Other Waledac entries:

    • WALEDAC Spreads More Malware Love
    • WALEDAC Loves (to Spam) You!
    • Fake Obama News Sites Abound




    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Monday, March 16th, 2009 at 4:52 pm and is filed under Botnets . Both comments and pings are currently closed.





     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice