Several reports have recently been released on a spam run that bears a resemblance to the infamous WALEDAC worm, which wrought havoc in 2008. According to ShadowServer, which first reported the threat, the attack resembled WALEDAC attacks in its use of spam, fast-flux domains, and frequently changing binaries, among other traits. This led to the conclusion that the attack was conducted by the very same people behind WALEDAC.
It’s not yet clear if these attacks are really tied to the same individuals behind WALEDAC. What we found, however, is that the threat used tactics similar to those used by WALEDAC.
We first encountered this threat on December 29 last year when we received and blocked spam messages with a short yet very timely message.
This type of attack was used by WALEDAC several times. The use of e-cards and the holidays as a social engineering ploy is also not unusual.
The messages contained a URL that varied from message to message but always led to a simple page asking the recipient to download a fake Adobe Flash Player, which is actually a Trojan detected as TROJ_KELIHOS.DLR. The said Trojan downloads another file, detected as WORM_KELIHOS.SM.
WORM_KELIHOS.SM is a spamming malware that sends the very same messages that spread TROJ_KELIHOS.DLR. It uses a well-defined “template” for its messages that fills in random combinations of names, subjects, and phrases to make them appear to have been written by a human.
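Templating of this kind is also what makes the spam detectable in bulk: the random slots change, but the skeleton around them does not. The Python below is an added example, not code from the post or from Trend Micro, that fingerprints messages on word bigrams, clusters near-duplicates, and then separates each cluster into its fixed skeleton and its variable slot values. The four sample messages, the URL placeholder, the bigram shingle size and the 0.3 similarity threshold are constructed assumptions.

```python
import re
from itertools import combinations

# Constructed sample messages (not taken from the post), modelled on the
# holiday e-card lure described above: the skeleton is fixed while the
# greeting, recipient name, sender name, card type and URL slots vary.
SAMPLE_MESSAGES = [
    "Hi John, you have received a New Year card from Mary! "
    "Open it at http://example-ecard.invalid/card1.php and enjoy",
    "Hello Anna, you have received a New Year card from Peter! "
    "View it at http://example-ecard.invalid/card2.php and enjoy",
    "Hi Bob, you have received a Holiday card from Steve! "
    "Open it at http://example-ecard.invalid/card3.php and enjoy",
    "Quarterly report attached, please review before Friday meeting",
]

URL_RE = re.compile(r"https?://\S+")


def normalize(text):
    """Lower-case, replace URLs with a <url> placeholder, keep word tokens only."""
    return re.findall(r"[a-z<>]+", URL_RE.sub("<url>", text).lower())


def shingles(tokens, n=2):
    """Set of n-gram token tuples; bigrams tolerate single-word slot changes."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_messages(messages, threshold=0.3):
    """Single-linkage clustering: messages whose shingle similarity reaches
    the threshold end up in the same cluster (union-find)."""
    grams = [shingles(normalize(m)) for m in messages]
    parent = list(range(len(messages)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(messages)), 2):
        if jaccard(grams[i], grams[j]) >= threshold:
            parent[find(i)] = find(j)
    clusters = {}
    for i in range(len(messages)):
        clusters.setdefault(find(i), set()).add(i)
    return sorted(clusters.values(), key=min)


def template_skeleton(messages, cluster):
    """Split a cluster into the fixed skeleton (tokens present in every member,
    in first-member order) and the variable slot values (everything else)."""
    token_lists = [normalize(messages[i]) for i in sorted(cluster)]
    common = set.intersection(*(set(t) for t in token_lists))
    skeleton = [t for t in token_lists[0] if t in common]
    variable = set().union(*(set(t) for t in token_lists)) - common
    return skeleton, sorted(variable)


if __name__ == "__main__":
    for cluster in cluster_messages(SAMPLE_MESSAGES):
        skeleton, variable = template_skeleton(SAMPLE_MESSAGES, cluster)
        print(sorted(cluster), " ".join(skeleton), variable)
```

On the sample input the three e-card messages land in one cluster whose skeleton is "you have received a card from it at <url> and enjoy", while the unrelated report message stays alone; the skeleton, not any single name or URL, is the stable thing to write a filter against.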
Like previous WALEDAC variants, WORM_KELIHOS.SM communicates via a peer-to-peer (P2P) mechanism. However, we can find information about this far more easily than usual because of one very unusual feature—WORM_KELIHOS.SM has a surprisingly sophisticated logging facility. If it is executed with a special command-line parameter—“/loggs99”—it produces a rather in-depth log of its behavior, a snippet of which is shown below.
The log describes, in some detail, the P2P behavior that WORM_KELIHOS.SM exhibits, particularly how it attempts to connect to already-infected machines. If it is successful in doing so, the log also shows how it updates the list of infected machines it already knows about.
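The peer-list walk visible in that log has a network-side counterpart a defender can look for: a host that tries to reach many distinct peers and mostly fails, because much of a list of infected home machines is offline at any given moment. The Python below is an added example, not the post's log format or any Trend Micro tooling, that parses constructed connection-log lines, summarises per-host fan-out and failure ratio, and flags hosts matching that pattern. The log format, the addresses, port 8080 and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed connection-log lines (not from the post or the log snippet it
# describes). Format: timestamp src_host dst_ip dst_port result. The port
# number and address ranges are arbitrary sample values.
SAMPLE_CONNLOG = """\
2011-01-03T10:00:01 10.0.0.5 203.0.113.10 443 ok
2011-01-03T10:00:02 10.0.0.5 203.0.113.11 443 ok
2011-01-03T10:00:05 10.0.0.5 203.0.113.10 443 ok
2011-01-03T10:00:01 10.0.0.7 198.51.100.21 8080 timeout
2011-01-03T10:00:01 10.0.0.7 198.51.100.22 8080 timeout
2011-01-03T10:00:02 10.0.0.7 198.51.100.23 8080 refused
2011-01-03T10:00:02 10.0.0.7 198.51.100.24 8080 ok
2011-01-03T10:00:03 10.0.0.7 198.51.100.25 8080 timeout
2011-01-03T10:00:03 10.0.0.7 198.51.100.26 8080 timeout
2011-01-03T10:00:04 10.0.0.7 198.51.100.27 8080 refused
2011-01-03T10:00:04 10.0.0.7 198.51.100.28 8080 timeout
2011-01-03T10:00:05 10.0.0.7 198.51.100.29 8080 ok
2011-01-03T10:00:05 10.0.0.7 198.51.100.30 8080 timeout
"""

FAILURE_RESULTS = {"timeout", "refused"}


def parse_connlog(text):
    """Parse the whitespace-separated log into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, result = parts
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "result": result})
    return records


def peer_stats(records):
    """Per source host: distinct destinations, attempts, failures, ports used."""
    stats = defaultdict(lambda: {"peers": set(), "attempts": 0,
                                 "failures": 0, "ports": set()})
    for r in records:
        s = stats[r["src"]]
        s["peers"].add(r["dst"])
        s["ports"].add(r["port"])
        s["attempts"] += 1
        if r["result"] in FAILURE_RESULTS:
            s["failures"] += 1
    # Collapse the sets to counts / sorted lists for reporting.
    return {src: {"peers": len(s["peers"]), "attempts": s["attempts"],
                  "failures": s["failures"], "ports": sorted(s["ports"])}
            for src, s in stats.items()}


def flag_p2p_fanout(stats, min_peers=8, min_fail_ratio=0.5):
    """Flag hosts that try many distinct peers and mostly fail to reach them,
    the pattern a bot walking a largely stale peer list produces."""
    flagged = []
    for src, s in sorted(stats.items()):
        ratio = s["failures"] / s["attempts"] if s["attempts"] else 0.0
        if s["peers"] >= min_peers and ratio >= min_fail_ratio:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    stats = peer_stats(parse_connlog(SAMPLE_CONNLOG))
    for src in flag_p2p_fanout(stats):
        print(f"{src}: {stats[src]}")
```

The thresholds need tuning per network: a host that legitimately runs a P2P client or a scanner will trip the same rule, so the flag is a lead for an analyst to correlate with the spam and download activity described above, not a verdict on its own.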
This sort of behavior is highly unusual. Malware authors generally prefer to hide a malware’s behavior and not advertise it. One can therefore wonder why this sort of behavior made it to an in-the-wild malware variant. It’s possible that this means that this particular malware family is still being developed and that its creators intend to make improvements to it down the road.
We can’t conclude with 100 percent certainty that this new attack is from the creators of the original WALEDAC spam botnets. However, it does appear that a new spamming botnet is in the initial stages of development. Whether this new botnet can be considered WALEDAC’s successor is something that’s still up for debate.
What users should be aware of is that the “classic” tactics first used by WALEDAC in spam are still around.