NEWS FROM THE LAB - Thursday, April 16, 2009
Waledac Offering a Fake SMS Spying Tool

Posted by Mikko @ 12:22 GMT

The Waledac botnet has been actively used to push malware since last year.

The tactics employed by Waledac are so similar to the old Storm Worm that we have reason to believe they are closely connected.

Last night, the websites used to push Waledac infections got an overhaul.

We started seeing infection reports of filenames like sms.exe, trial.exe, smstrap.exe, freetrial.exe and smsreader.exe.

When we went searching, we noticed that the Waledac sites now looked like this:

[Screenshot: one of the overhauled Waledac sites, pushing smstrap.exe]

Nice graphics, jerks.

Anyway, these sites had domain names like downloadfreesms.com, chinamobilesms.com and smsclubnet.com.

If you check the DNS records for these domains, you'll notice that they have a time-to-live set to zero, so resolvers never cache the answer, and the IP address returned changes every time you query it. This is fast flux in action.

Let's monitor the IP address of smsclubnet.com for two minutes:

Time        IP
11:00:17    118.232.218.209
11:00:22    211.105.220.204
11:00:28    121.179.73.185
11:00:33    124.8.89.29
11:00:38    69.55.30.158
11:00:44    116.127.184.49
11:00:49    201.42.136.214
11:00:54    89.35.18.27
11:01:00    24.77.250.131
11:01:05    118.130.83.202
11:01:11    77.78.150.199
11:01:16    211.180.118.70
11:01:21    189.111.197.36
11:01:27    121.183.32.80
11:01:32    211.218.197.220
11:01:38    121.183.32.80
11:01:43    125.129.151.33
11:01:48    151.60.88.70
11:01:54    121.179.73.186
11:01:59    210.207.217.154

And all of those IP addresses belong to infected home computers, whose owners have no idea they are running a web server, one that is serving out malware.
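The two-minute watch above is exactly the kind of observation an analyst turns into a fast-flux check. The following is an added example, not code from the F-Secure post: it scores a series of A-record lookups by how many distinct addresses came back, how many distinct /16 networks they fall into, and how often the answer changed between consecutive queries. The first sample is the post's own observation of smsclubnet.com; the CDN-style sample, the thresholds, and the function names are assumptions of this example. The optional live lookup uses only the standard library, which does not expose the record TTL, so the TTL is passed in separately.

```python
"""Fast-flux indicator check over repeated DNS lookups of one hostname.

Added example (not code from the F-Secure post). A short TTL alone does
not prove fast flux, because CDNs use short TTLs too; the tell is a short
TTL combined with answers that hop across many unrelated networks.
"""
import ipaddress
import socket
import time
from datetime import datetime

# The 20 lookups of smsclubnet.com reported in the post (time, IP).
SMSCLUBNET_WATCH = """\
11:00:17 118.232.218.209
11:00:22 211.105.220.204
11:00:28 121.179.73.185
11:00:33 124.8.89.29
11:00:38 69.55.30.158
11:00:44 116.127.184.49
11:00:49 201.42.136.214
11:00:54 89.35.18.27
11:01:00 24.77.250.131
11:01:05 118.130.83.202
11:01:11 77.78.150.199
11:01:16 211.180.118.70
11:01:21 189.111.197.36
11:01:27 121.183.32.80
11:01:32 211.218.197.220
11:01:38 121.183.32.80
11:01:43 125.129.151.33
11:01:48 151.60.88.70
11:01:54 121.179.73.186
11:01:59 210.207.217.154
"""

# Constructed contrast case (not real data): a CDN-fronted site also
# rotates answers under a short TTL, but within one provider network.
CDN_WATCH = """\
11:00:00 203.0.113.10
11:00:05 203.0.113.11
11:00:10 203.0.113.10
11:00:15 203.0.113.12
11:00:20 203.0.113.11
"""


def parse_watch(text):
    """Turn 'HH:MM:SS ip' lines into a list of (datetime, ip_address)."""
    rows = []
    for line in text.strip().splitlines():
        stamp, ip = line.split()
        rows.append((datetime.strptime(stamp, "%H:%M:%S"), ipaddress.ip_address(ip)))
    return rows


def flux_summary(rows, prefix_len=16):
    """Measure how scattered the answers were over the observation window."""
    ips = [ip for _, ip in rows]
    unique_ips = set(ips)
    networks = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in unique_ips}
    changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    return {
        "queries": len(rows),
        "unique_ips": len(unique_ips),
        "unique_networks": len(networks),
        "change_ratio": changes / max(len(ips) - 1, 1),
        "window_seconds": (rows[-1][0] - rows[0][0]).total_seconds(),
    }


def is_fast_flux(rows, ttl_seconds, max_ttl=300, min_networks=5, min_change_ratio=0.5):
    """Flag fast flux: short TTL AND answers spread across many networks.

    The thresholds are assumptions of this example; tune them to your own
    baseline of legitimate short-TTL domains.
    """
    s = flux_summary(rows)
    return (ttl_seconds <= max_ttl
            and s["unique_networks"] >= min_networks
            and s["change_ratio"] >= min_change_ratio)


def observe_live(hostname, queries=20, interval=5.0):
    """Repeat a forward lookup and record the first address returned.

    socket does not expose the record TTL; obtain that from a resolver
    library or `dig` and pass it to is_fast_flux separately.
    """
    rows = []
    for _ in range(queries):
        _, _, addrs = socket.gethostbyname_ex(hostname)
        rows.append((datetime.now(), ipaddress.ip_address(addrs[0])))
        time.sleep(interval)
    return rows


if __name__ == "__main__":
    for name, text, ttl in (("smsclubnet.com", SMSCLUBNET_WATCH, 0),
                            ("cdn site (constructed)", CDN_WATCH, 60)):
        rows = parse_watch(text)
        verdict = "fast flux" if is_fast_flux(rows, ttl) else "not fast flux"
        print(name, flux_summary(rows), verdict)
```

On the post's data the summary reports 20 queries, 19 unique addresses in 18 different /16 networks, and a change on every consecutive query, which with a TTL of zero is flagged; the constructed CDN sample changes just as often but stays inside a single network and is not.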

This botnet is not only used to host the malware: the malware itself uses it when calling home. When Waledac is executed, it makes dozens of HTTP POST requests to IP addresses belonging to this botnet.

[Animation: a freshly executed Waledac sample making HTTP POST requests to botnet IP addresses]
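That call-home pattern, many POSTs to bare IP addresses in quick succession, is something a proxy log will show even when the destination addresses change daily. The following is an added example, not code from the F-Secure post: it sweeps a log for clients that POST to at least five distinct literal-IP hosts within a five-minute window. The log lines are constructed in a simple "time client method url status" format (the destination addresses are taken from the post's table above, the client addresses and threshold are assumptions); a real deployment would adapt the parser to the proxy's own format.

```python
"""Flag clients that POST to many bare IP addresses in a short window.

Added example (not code from the F-Secure post). Normal browsing posts to
hostnames; a sample calling home to a botnet posts to literal IPs, dozens
of them, one after another.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log (not a real capture): 'time client method url status'.
# 10.0.0.9 behaves like the post describes; 10.0.0.5 and 10.0.0.7 are benign.
PROXY_LOG = """\
2009-04-16T11:00:01 10.0.0.5 GET http://www.example.com/ 200
2009-04-16T11:00:03 10.0.0.5 POST http://www.example.com/login 302
2009-04-16T11:00:04 10.0.0.9 POST http://118.232.218.209/ 200
2009-04-16T11:00:06 10.0.0.9 POST http://211.105.220.204/ 200
2009-04-16T11:00:08 10.0.0.9 POST http://121.179.73.185/ 200
2009-04-16T11:00:09 10.0.0.9 POST http://124.8.89.29/ 200
2009-04-16T11:00:11 10.0.0.9 POST http://69.55.30.158/ 200
2009-04-16T11:00:13 10.0.0.9 POST http://116.127.184.49/ 200
2009-04-16T11:00:15 10.0.0.9 POST http://201.42.136.214/ 200
2009-04-16T11:00:17 10.0.0.9 POST http://89.35.18.27/ 200
2009-04-16T11:00:20 10.0.0.5 POST http://192.0.2.44/api/upload 200
2009-04-16T11:05:00 10.0.0.7 POST http://198.51.100.8/ 200
2009-04-16T11:09:00 10.0.0.7 POST http://198.51.100.9/ 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Parse log lines into (datetime, client, method, url); skip bad lines."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line should not abort the whole sweep
        stamp, client, method, url, _status = m.groups()
        events.append((datetime.fromisoformat(stamp), client, method, url))
    return events


def is_literal_ip_host(url):
    """True when the URL's host is an IP address rather than a hostname."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def find_beaconing_clients(events, min_destinations=5, window=timedelta(minutes=5)):
    """Return {client: sorted destination IPs} for clients that POSTed to at
    least min_destinations distinct literal-IP hosts within one window."""
    by_client = defaultdict(list)
    for stamp, client, method, url in events:
        if method == "POST" and is_literal_ip_host(url):
            by_client[client].append((stamp, urlsplit(url).hostname))
    flagged = {}
    for client, posts in by_client.items():
        posts.sort()
        for i, (start, _) in enumerate(posts):
            # all distinct destinations reached within `window` of this post
            dests = {host for t, host in posts[i:] if t - start <= window}
            if len(dests) >= min_destinations:
                flagged[client] = sorted(dests)
                break
    return flagged


if __name__ == "__main__":
    for client, dests in find_beaconing_clients(parse_log(PROXY_LOG)).items():
        print(f"{client} POSTed to {len(dests)} bare IPs: {', '.join(dests)}")
```

Only 10.0.0.9 is flagged: 10.0.0.5 posts to a single bare IP and 10.0.0.7 to two, both below the threshold, and the malformed trailing line is skipped rather than breaking the sweep.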

The Waledac gang has registered over 100 .com domains for its operations. You can actually tell a bit about those operations if you arrange the domains into groups. Practically all the domains they own are registered to these email addresses: hanlin_425@126.com, lijian@qq.com and wusong_ccc@126.com.

Here they are:

News
bestgoodnews.com
bestbreakingfree.com
breakinggoodnews.com
breakingnewsltd.com
breakingkingnews.com
breakingnewsfm.com
easyworldnews.com
goodnewsreview.com
goodnewsdigital.com
reportradio.com
linkworldnews.com
tntbreakingnews.com
usabreakingnews.com
wapcitynews.com
worldtracknews.com
worldnewseye.com
worldnewsdot.com
spacemynews.com
yourbreakingnew.com

Blogs
bestusablog.com
bestjournalguide.com
bestlifeblog.com
bestblogdirect.com
boarddiary.com
blogsitedirect.com
blogginhell.com
farboards.com
mobilephotoblog.com
photoblogsite.com

Fear & Terror
againstfear.com
antiterroris.com
antiterroralliance.com
antiterrornetwork.com
fearalert.com
globalantiterror.com
terroralertstatus.com
terrorfear.com
terrorismfree.com
urbanfear.com

Coupons & Sales
bestcouponfree.com
codecouponsite.com
gonesite.com
greatcouponclub.com
greatsalesgroup.com
greatsalestax.com
smartsalesgroup.com
thecoupondiscount.com
yourcountycoupon.com

Love & Sex
adorelyric.com
adorepoem.com
adoresong.com
adoresongs.com
bestadore.com
bestlovehelp.com
bestlovelong.com
bluevalentineonline.com
chatloveonline.com
cherishletter.com
cherishpoems.com
extendedman.com
funloveonline.com
funnyvalentinessite.com
greatsvalentine.com
orldlovelife.com
greatvalentinepoems.com
lovecentralonline.com
lovelifeportal.com
romanticsloving.com
thevalentinelovers.com
whocherish.com
wirelessvalentineday.com
worldlovelife.com
worshiplove.com
youradore.com
yourgreatlove.com
yourlength.com
yourvalentineday.com
yourvalentinepoems.com
yourvalnetinepoems.com

And here are the latest additions:

SMS Spying
chinamobilesms.com
downloadfreesms.com
freecolorsms.com
freeservesms.com
miosmsclub.com
smsclubnet.com
smspianeta.com
virtualesms.com

This leaves us with a handful of domains we can't fit into any of the above groups. They are:

batchoose.com
bayhousehotel.com
coralarm.com
longballonline.com
moneymedal.com
quickjust.com
soundroyal.com
yourbarrier.com
yourlol.com
yourwent.com

Maybe these domains could give us a hint about their next move?

Does anybody have any ideas? If so, leave us a comment.