Valentine's Day is not just for lovers; it's for malware writers, too. At the center of the recent surge in spam related to Valentine's Day is the Waledac botnet, successor to the Storm botnet, but other botnets have joined the fray as well, security researchers warn.
Valentine's Day may be a time for love, but spammers and malware writers are
having their fun too.
While reports of the percentage of spam related to Valentine's Day versus
overall spam have been varying somewhat from vendor to vendor, what the
security community seems to agree on is that a botnet
is at the center of the spam campaign.
According to Web and e-mail security vendor Marshal8e6, at least two other botnets have joined the fray as well, however. Researchers
at Marshal8e6 have seen three distinct campaigns from three different
botnets, as well as spam attacks from botnets they have not yet identified.
Click here to read about the state of spam-delivering botnets after the shutdown of Web hosting service McColo in November 2008.
Most of the Valentine's Day-related spam is coming from Waledac, which
appeared on the scene late in 2008. Security pros now believe the botnet is the
work of the minds behind the infamous Storm botnet that made headlines in 2007.
After being targeted by Microsoft's Malicious Software Removal Tool, Storm
limped through most of 2008 before disappearing completely in September, said
Patrick Murray, director of product management at Marshal8e6.
In its place came Waledac, which emerged in December with a blended threat
Christmas e-card campaign. Like Storm, Waledac uses a peer-to-peer connection
model with fast-flux DNS (Domain Name System) hosting and encrypted communications.
Today, researchers speculate that Waledac may comprise as many as 20,000
"Waledac currently accounts for less than 1 percent of all the spam we
are seeing, so it is small when compared to botnets such as Xarvester and
Mega-D, but it is very active in sending spam with blended threats. ... In
January it was used to send fake news malicious spam declaring that Obama was
abandoning the Presidency just ahead of his inauguration," Murray
"So far, the modus operandi of Waledac spam is remarkably similar to
how Storm was operated," he said, adding it relies on large e-card and
fake news email campaigns.
In addition to Waledac, the Pushdo botnet and others have joined in
with their own Valentine's Day campaigns.
"We have observed more than a dozen variations of the Waledac
Valentine's threat alone," Murray
said. "There are a similar number of variations coming from the Pushdo
botnet ... some of their variations are using Spanish subject lines in place of
In the case of Waledac, the botnet owners attempt to victimize the lovelorn
with promises of a note from that special someone. But while the subject line
may read something like "you have received a Valentine E-card," those
who click on the link in the e-mail will find they have only a malware
infection to show for it.
"The messages are spammed out and rely upon social engineering ...
tricking the user into following the links," said Randy Abrams, director
of technical education at ESET.
"The links leads to a fake 'Valentine
development kit' that is the Trojan itself. There are indications that blog
spam is another trick used to entice people into infecting themselves."
Abrams added, "In the past 10 days we have seen over 2,000 deflections
from our customers of samples we know to be Waledac, but it is very difficult
to count the generic hits with a moderate degree of accuracy."
Security vendors, including Symantec,
people to be careful what they click on and to keep their anti-virus software up-to-date.