New Botnets on the Prowl

Waledac is a piece of malware that spreads via email. Over Christmas it distributed itself as a fake greeting card, using a technique similar to that of the largely defunct Storm worm. According to F-Secure, the bot writes an entry to the Windows registry and then scours every file it can read on the infected system for email addresses. It then mails itself to those addresses to spread to other systems using the same lure.

Waledac also harvests passwords from the infected system and sends them to an IP address picked at random from a hard-coded list. In keeping with much other modern malware, it can also be updated remotely from a control server.

An analyst at the Shadowserver Foundation found that clicking the link embedded in the email directs the user to a website that tries to install an executable and run malicious JavaScript. The domains used were found to be part of a fast-flux network.

Beyond the Christmas-card lure, Shadowserver notes several similarities between Waledac and Storm. Both use fast-flux networks, with several main servers per domain, and both rely on drive-by JavaScript exploits. "There is also a ton of differences which we are not going to list," said the organization. "We can't say for sure that they are related, but we do acknowledge a number of interesting similarities."

Xarvester, the other piece of malware, is now the third-largest source of spam according to security firm Marshal. The company is heralding this worm as the new Srizbi because of similarities in the code and techniques used by the two. In a blog post, Marshal said that both Xarvester and Srizbi use HTTP over nonstandard ports for command and control, along with encrypted template files carrying spamming instructions. It also noticed similarities between the configuration files used by the two worms and, perhaps most telling of all, both communicate with servers known to be in the McColo network. McColo is a hosting provider alleged to be the source of large amounts of spam; its upstream Internet connectivity was cut late last year after complaints by investigators.

"Our samples of Xarvester and Srizbi have McColo IP addresses hard coded in them," said Marshal. "Srizbi used these as control servers and Xarvester to upload the mini dump file."

Both pieces of malware generate a minidump file in the event of a crash and ship it back to their operators, presumably so the developers can debug and further refine the code.
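The two traits Marshal describes for Xarvester and Srizbi, HTTP command-and-control on nonstandard ports and hard-coded addresses inside a known-bad hosting network, are both cheap to hunt for at the network edge. The script below is an added illustration written for this page, not code from Marshal or from either bot's analysis: it runs over a handful of constructed connection records (timestamp, source, destination, port, first payload bytes) and flags traffic that looks like an HTTP request but is not on a usual HTTP port, as well as any destination inside a block list. The block list uses RFC 5737 documentation ranges as a stand-in for McColo's real address space, and the record format is an assumption, not any particular sensor's output.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample of outbound connection records (not real traffic):
# (timestamp, source IP, destination IP, destination port, first payload bytes).
SAMPLE_RECORDS = [
    ("2009-01-10T09:00:01", "10.0.0.12", "198.51.100.20", 80,
     b"GET / HTTP/1.1\r\nHost: www.example.com"),
    ("2009-01-10T09:00:03", "10.0.0.12", "192.0.2.45", 4099,
     b"POST /cgi-bin/index.cgi HTTP/1.1\r\nHost: 192.0.2.45"),
    ("2009-01-10T09:00:05", "10.0.0.7", "203.0.113.9", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),          # TLS ClientHello, normal
    ("2009-01-10T09:00:09", "10.0.0.7", "198.51.100.77", 8080,
     b"GET /update.php HTTP/1.0\r\n"),
    ("2009-01-10T09:00:12", "10.0.0.30", "192.0.2.200", 25,
     b"EHLO mail.example.net\r\n"),                     # SMTP, not HTTP
    ("2009-01-10T09:00:15", "10.0.0.30", "203.0.113.55", 3077,
     b"POST /minidump HTTP/1.1\r\nContent-Type: application/octet-stream"),
]

# Stand-in for a block list of netblocks belonging to a known-bad hoster.
# Constructed: this is an RFC 5737 documentation range, not McColo's real space.
KNOWN_BAD_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]

# Ports on which an HTTP request line is unremarkable (assumed local policy).
STANDARD_HTTP_PORTS = {80, 443, 8080, 8000, 8443}

# Match an HTTP/1.x request line at the very start of the payload, port-agnostic.
HTTP_REQUEST_RE = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS) \S+ HTTP/1\.[01]\r\n")

Alert = namedtuple("Alert", "timestamp src dst port reasons")


def looks_like_http(payload: bytes) -> bool:
    """True if the payload starts with an HTTP request line, regardless of port."""
    return HTTP_REQUEST_RE.match(payload) is not None


def in_known_bad_netblock(ip: str) -> bool:
    """True if the address falls inside any block-listed netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_BAD_NETBLOCKS)


def classify(record):
    """Return an Alert with every matching reason, or None if the record is clean."""
    ts, src, dst, port, payload = record
    reasons = []
    if looks_like_http(payload) and port not in STANDARD_HTTP_PORTS:
        reasons.append("http-on-nonstandard-port")
    if in_known_bad_netblock(dst):
        reasons.append("known-bad-netblock")
    return Alert(ts, src, dst, port, tuple(reasons)) if reasons else None


def scan(records):
    """Run classify() over all records and keep only those that raised an alert."""
    return [a for a in (classify(r) for r in records) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(f"{alert.timestamp} {alert.src} -> {alert.dst}:{alert.port} "
              f"{', '.join(alert.reasons)}")
```

Against the constructed records this raises three alerts: the POST to 192.0.2.45:4099 hits both rules, the SMTP session to 192.0.2.200 is flagged only by the netblock rule, and the minidump-style POST on port 3077 only by the port rule. The point of matching the request line rather than the port is that a bot which moves its C2 from port 80 to 4099 changes nothing about what the traffic looks like on the wire; the point of the netblock rule is that an address list hard-coded into a sample, as Marshal found here, stays useful as an indicator even after the hoster is taken offline.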
