Spam Campaign May Mark Comeback for Storm, Waledac Operators

A botnet behind an e-card spam campaign during New Year's is believed by some to be an update to the infamous Storm and Waledac botnets.

The minds behind the Storm and Waledac botnets are at it again, according to some security researchers.

A botnet that may be linked to Storm and Waledac has been tied to a spam campaign blasting out e-cards celebrating the new year.

"I have little doubt that this operation is a direct descendent of Storm and Waledac botnets. ... There is a strong resemblance to Waledec code and design, including specific functionality and terminology for certain components of the botnet architecture," said Don Jackson, director of threat intelligence at SecureWorks. "There are several things about the code itself which indicate this is a project currently in development, a botnet beta program."

Waledac is considered by some to be an update of the original Storm botnet, and many people believe the Storm and Waledac operations had crew members in common, Jackson noted.

"The communication between a Storm Worm 3.0 bot and the fast-flux network is technically peer-to-peer because the fast flux domain names point to peers. ... It is not a traditional peer-to-peer protocol like used in the original Storm worm," he said. "The link from Storm 3.0 and the original Storm is that we believe that some of the same actors behind Storm 3.0 and the original Storm are the same."

Then there is the e-card spam, which Jackson described as "classic Storm."

The messages that were spammed out used numerous subject lines such as "Greeting for you!" and "Happy New Year greetings e-card is waiting for you." According to the Shadowserver Foundation, recipients who clicked on the links inside the e-mails were prompted to install a fake version of Adobe Flash Player. Researchers at Websense blogged that they observed a few cases where users are directed to a page containing obfuscated JavaScript that tries to use exploits to push the file to the user's PC. In most cases, however, the user is redirected again after 5 seconds, this time to a site that serves exploits, Websense reported.

"The overall volume is hard to estimate as it depends on many factors," Tillmann Werner, malware analyst at Kaspersky Lab, told eWEEK. "We observed one successfully delivered mail per second on average-that means 3,600 spam mails per hour or 86,400 per day for each bot. The botnet is still very young and constantly growing. We counted about 2,500 different IP addresses that participate in the fast-flux service network which is used to hide the C&C [command and control] infrastructure. The total number of infected machines is probably magnitudes higher, but there is currently no way to measure it."

Still, there are some differences between the botnets, and there is no definitive evidence all three were developed by the same gang, Werner said.

"Storm used real peer-to-peer technology; Waledac implemented a multitier architecture," he argued. "This new [botnet] is a complete rewrite again.

"Having said that, some facts might indicate that Waledac and Hlux (as Kaspersky calls the new bot) are related," he added. "By looking at the timeline one might come up with the idea that each of the two has formed some months after its predecessor has been taken down. A commonality between Hlux and Waledac is that both separate infected machines in two pools: one with machines with public IP addresses, one with private addresses. The public ones act as 'routers' or 'relays' and are important pieces in the botnet's infrastructure. The private ones are 'workers' or 'spammers' and process jobs like sending out spam or conducting DDoS [distributed-denial-of-service] attacks."

"To me," he said, "the most interesting thing is how successful a botnet can be just by exploiting people's curiosity. However, the time to kick it off was a smart choice, one has to admit. Few malware analysts work around New Year's Eve, whereas lots of people expect greetings from their friends."