A botnet behind an e-card spam campaign during New Year's is believed by some to be an update to the infamous Storm and Waledac botnets.
The minds behind the Storm and Waledac botnets are at it again, according to
some security researchers.
A botnet that may be linked to Storm and Waledac has been tied to a
spam campaign blasting
out e-cards celebrating
the new year.
"I have little doubt that this operation is a direct descendent of
Storm and Waledac botnets. ... There is a strong resemblance to Waledec code and
design, including specific functionality and terminology for certain components
of the botnet architecture," said Don Jackson, director of threat
intelligence at SecureWorks. "There are several things about the code
itself which indicate this is a project currently in development, a botnet beta
Waledac is considered by some to be an update of the original Storm botnet,
and many people believe the Storm
and Waledac operations
had crew members in common, Jackson
"The communication between a Storm Worm 3.0 bot and the fast-flux
network is technically peer-to-peer because the fast flux domain names point to
peers. ... It is not a traditional peer-to-peer protocol like used in the
original Storm worm," he said. "The link from Storm 3.0 and the
original Storm is that we believe that some of the same actors behind Storm 3.0
and the original Storm are the same."
Then there is the e-card spam, which Jackson
described as "classic Storm."
The messages that were spammed out used numerous subject lines such as "Greeting
for you!" and "Happy New Year greetings e-card is waiting for you."
According to the Shadowserver Foundation, recipients who clicked on the links
inside the e-mails were prompted to install a fake version of Adobe Flash
blogged that they observed a few cases where users are directed
the file to the user's PC. In most cases, however, the user is redirected again
after 5 seconds, this time to a site that serves exploits, Websense reported.
"The overall volume is hard to estimate as it depends on many factors,"
Tillmann Werner, malware analyst at Kaspersky Lab, told eWEEK. "We
observed one successfully delivered mail per second on average-that means 3,600
spam mails per hour or 86,400 per day for each bot. The botnet
is still very young
and constantly growing. We counted about 2,500
different IP addresses that participate in the fast-flux service network which
is used to hide the C&C [command and control] infrastructure. The
total number of infected machines is probably magnitudes higher, but there is
currently no way to measure it."
Still, there are some differences between the botnets, and there is no
definitive evidence all three were developed by the same gang, Werner said.
"Storm used real peer-to-peer technology; Waledac implemented a multitier
architecture," he argued. "This new [botnet] is a complete rewrite
"Having said that, some facts might indicate that Waledac and Hlux (as
Kaspersky calls the new bot) are related," he added. "By looking at
the timeline one might come up with the idea that each of the two has formed
some months after its predecessor has been taken down. A commonality between
Hlux and Waledac is that both separate infected machines in two pools: one with
machines with public IP addresses, one with private addresses. The public ones
act as 'routers' or 'relays' and are important pieces in the botnet's
infrastructure. The private ones are 'workers' or 'spammers' and process jobs
like sending out spam or conducting DDoS [distributed-denial-of-service] attacks."
"To me," he said, "the most interesting thing is how
successful a botnet
can be just by exploiting people's curiosity. However,
the time to kick it off was a smart choice, one has to admit. Few malware
analysts work around New Year's Eve, whereas lots of people expect greetings
from their friends."