Malware Writers Use Multiple Botnets to Spread Valentine's Day Heartache

Valentine's Day is not just for lovers; it's for malware writers, too. At the center of the recent surge in spam related to Valentine's Day is the Waledac botnet, successor to the Storm botnet, but other botnets have joined the fray as well, security researchers warn.

Valentine's Day may be a time for love, but spammers and malware writers are having their fun too.

While reports of the percentage of spam related to Valentine's Day versus overall spam have been varying somewhat from vendor to vendor, what the security community seems to agree on is that a botnet called Waledac is at the center of the spam campaign.

According to Web and e-mail security vendor Marshal8e6, at least two other botnets have joined the fray as well, however. Researchers at Marshal8e6 have seen three distinct campaigns from three different botnets, as well as spam attacks from botnets they have not yet identified.

Click here to read about the state of spam-delivering botnets after the shutdown of Web hosting service McColo in November 2008.

Most of the Valentine's Day-related spam is coming from Waledac, which appeared on the scene late in 2008. Security pros now believe the botnet is the work of the minds behind the infamous Storm botnet that made headlines in 2007. After being targeted by Microsoft's Malicious Software Removal Tool, Storm limped through most of 2008 before disappearing completely in September, said Patrick Murray, director of product management at Marshal8e6.

In its place came Waledac, which emerged in December with a blended threat Christmas e-card campaign. Like Storm, Waledac uses a peer-to-peer connection model with fast-flux DNS (Domain Name System) hosting and encrypted communications.

Today, researchers speculate that Waledac may comprise as many as 20,000 bots.

"Waledac currently accounts for less than 1 percent of all the spam we are seeing, so it is small when compared to botnets such as Xarvester and Mega-D, but it is very active in sending spam with blended threats. ... In January it was used to send fake news malicious spam declaring that Obama was abandoning the Presidency just ahead of his inauguration," Murray said.

"So far, the modus operandi of Waledac spam is remarkably similar to how Storm was operated," he said, adding it relies on large e-card and fake news email campaigns.

In addition to Waledac, the Pushdo botnet and others have joined in with their own Valentine's Day campaigns.

"We have observed more than a dozen variations of the Waledac Valentine's threat alone," Murray said. "There are a similar number of variations coming from the Pushdo botnet ... some of their variations are using Spanish subject lines in place of English."

In the case of Waledac, the botnet owners attempt to victimize the lovelorn with promises of a note from that special someone. But while the subject line may read something like "you have received a Valentine E-card," those who click on the link in the e-mail will find they have only a malware infection to show for it.

"The messages are spammed out and rely upon social engineering ... tricking the user into following the links," said Randy Abrams, director of technical education at ESET. "The links leads to a fake 'Valentine development kit' that is the Trojan itself. There are indications that blog spam is another trick used to entice people into infecting themselves."

Abrams added, "In the past 10 days we have seen over 2,000 deflections from our customers of samples we know to be Waledac, but it is very difficult to count the generic hits with a moderate degree of accuracy."

Security vendors, including Symantec, are urging people to be careful what they click on and to keep their anti-virus software up-to-date.