Back in February, the infamous WALEDAC botnet was shut down with the takedown of its command-and-control (C&C) servers. In recent weeks, however, it appears to be making a comeback of sorts.
Over the past few weeks we have seen an increase in the number of spammed messages delivering malicious attachments to users. One of the earlier variants we observed poses as an annual “Social Security” statement.
Other hooks used resumes and job offers, weddings, and even a puzzle.
Malicious attachments are a very popular method of spreading malware via email. What stands out in the recent attacks we have seen is that they use almost-identical payloads. The attachment is one of two things: either a FAKEAV variant (such as TROJ_FRAUDLO.LO, TROJ_FAKEAV.SGN, or TROJ_FAKEAV.FGZ), or a downloader that in turn retrieves FAKEAV and BREDOLAB variants.
Some of these downloaders, however, are themselves part of the WALEDAC family. For example, the downloader associated with the Social Security spam attack is TROJ_WALEDAC.AIR, which in turn downloads TROJ_FAKEAV.ZZS and TROJ_BREDOLAB.WV.
This may surprise some readers, since it was reported back in February that the WALEDAC botnet had been taken down. It should be noted, however, that what was taken down was only WALEDAC’s sophisticated C&C mechanism. Many cybercriminal attacks involve multiple parties: one party may have written the code, a second spreads the malware and controls the C&C server, a third uses the botnet to carry out spam campaigns, and a fourth supplies the email list. It is likely that in this case WALEDAC code, whether new, old, or repurposed, was reused to serve as a malware downloader.
With this in mind, it is easy to see how WALEDAC can make a comeback of sorts even though its main C&C servers have been removed from the picture. Dealing with one aspect of a threat does not prevent the others from causing problems down the road.
Trend Micro detects these emerging BREDOLAB, FAKEAV, and WALEDAC variants using the detection names mentioned above. In addition, the spam messages described above are already being blocked by Trend Micro products with the aid of the Smart Protection Network™. A white paper examining the behavior of the original WALEDAC botnet may also be found here.

View full post on TrendLabs | Malware Blog – by Trend Micro