A mass email was sent out inviting people to watch a video of July 4 fireworks celebrations, with headlines including "America the Beautiful" and "Bright and joyful Fourth of July". It included a link to a website purporting to show videos of the fireworks celebrations, but the link was in fact a veiled malware download.
"The American Pyrotechnics Association has named the South Shores July fireworks show as the best pyrotechnic display in the nation," said the page linked to in the spam mail. The page also included the YouTube logo, and a representation of what looks like a blank YouTube video waiting to be played.
"If you want to see this fantastic show just click on the video below and press 'run'," the text on the botnet page urged. The link downloads the W32.Waledec malware executable.
Various information security vendors picked up on this Waledec botnet run. Its approach mirrors the techniques used by the creators of Storm, Waledec's predecessor: the emails are themed around holiday events and contain minimal text plus a single link.
Threatfire identified a selection of fast-flux domains that are being used for this Waledec iteration, including 4thfireworkcom, holifireworks.com, and video4thjuly.com.
"Instead of registering these domains through Xin Net Technologies, this time around they were registered through China Springboard, Inc. It is quite likely that this provider will be one to watch for the next few holidays," the company said.
According to Cisco, the Storm botnet was reborn as Waledec in December 2008. Although the basic structure of the malware and botnet had not changed much, the company said that the business partnerships between the development team and third parties had expanded. There were now links to the team behind Conficker, for example, as Conficker.E was found to be updating itself with the Waledec malware.
"Conficker had previously done little to monetize their botnet, while the Storm/Waledac crew knew how to squeeze every penny out of their botnet to make millions," said the company in a blog post. "It was a partnership made in hell: Conficker gets a revenue stream and Waledac gets more bots."