Waledac is once again using its well-proven social engineering tactics, this time introducing a "fake SMS spying tool" theme (free.exe; smstrap.exe; install.exe; setup.exe etc.) and an online casinos theme, in an attempt to further expand the botnet.
No client-side vulnerabilities are used for the time being; instead the cybercriminals are relying on their persistent rotation of themes and on the end user's lack of awareness.
Here are more details on the subjects/message used:
- Can your love life be re-ignited?
- Are you sure in your partner's faithfulness?
- Now, It's possible to read other people's SMS
- We will tech you to be the master of making love art
- Just type the phone number and read SMS
- Do you want to test your partner?
- Have more fun and pleasure in your intimate life
- Now, you can read any SMS messages from any mobile phones
- Keep a spy eye on your Girlfriend's mobile
- What's Your Hall of Shame
- Are you redy to know the truth?
The message itself:
"Get Your Free 30-Day Trial! Do you want to test your partner or just to read somebody's SMS? This program is exactly what you need then! It's so easy! You don't need to install it at the mobile phone of your partner. Just download the program and you will able to read all SMS when you are online. Be aware of everything! This is an extremely new service!"
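As an added example, not code from the original post, the lure details above can be turned into a simple mail-gateway check: the subject templates and attachment names are the ones quoted in this post, the body phrases are lifted from the quoted message, and the three mail records at the end are constructed sample data.

```python
import re

# Subjects, attachment names and body phrases are those quoted in the post;
# SAMPLE_MAILS below are constructed records, not real captures.
LURE_SUBJECTS = [
    "Can your love life be re-ignited?",
    "Are you sure in your partner's faithfulness?",
    "Now, It's possible to read other people's SMS",
    "We will tech you to be the master of making love art",
    "Just type the phone number and read SMS",
    "Do you want to test your partner?",
    "Have more fun and pleasure in your intimate life",
    "Now, you can read any SMS messages from any mobile phones",
    "Keep a spy eye on your Girlfriend's mobile",
    "What's Your Hall of Shame",
    "Are you redy to know the truth?",
]
LURE_ATTACHMENTS = {"free.exe", "smstrap.exe", "install.exe", "setup.exe"}
LURE_PHRASES = ["free 30-day trial", "read somebody's sms", "read all sms",
                "test your partner"]

def norm(text):
    """Lower-case and collapse whitespace so small template edits still match."""
    return re.sub(r"\s+", " ", text.strip().lower())

SUBJECT_SET = {norm(s) for s in LURE_SUBJECTS}

def lure_indicators(msg):
    """Return indicators found in one mail record (subject/body/attachments)."""
    hits = []
    if norm(msg.get("subject", "")) in SUBJECT_SET:
        hits.append("subject:known-template")
    body = norm(msg.get("body", ""))
    hits += ["body:" + p for p in LURE_PHRASES if p in body]
    for name in msg.get("attachments", []):
        if name.lower() in LURE_ATTACHMENTS:
            hits.append("attachment:" + name.lower())
    return hits

def is_waledac_lure(msg):
    """Strong indicators (subject template, lure .exe) flag on their own;
    body phrases only flag when at least two co-occur, to limit false hits."""
    hits = lure_indicators(msg)
    strong = any(h.startswith(("subject:", "attachment:")) for h in hits)
    return strong or sum(h.startswith("body:") for h in hits) >= 2

SAMPLE_MAILS = [  # constructed records for this example
    {"subject": "Keep a spy eye on your Girlfriend's mobile", "attachments": ["smstrap.exe"],
     "body": "Get Your Free 30-Day Trial! You will able to read all SMS when you are online."},
    {"subject": "Q3 report", "attachments": ["report.pdf"], "body": "Attached is the report."},
    {"subject": "Fwd: funny", "attachments": [],
     "body": "Do you want to test your partner? Just download it and read somebody's SMS."},
]
```

Matching is deliberately exact on normalized subjects; a production rule would add fuzzy matching and pair it with sender and URL reputation.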
Having migrated from a P2P communications model to a web-based communications model (see live sample of Waledac attempting to connect to infected hosts), and taking into consideration the similarities in the spam templates used as well as the network-level connections, Waledac may not just be a successor to the Storm Worm but may in fact be a reincarnated version of Storm.
- Go through related Storm Worm posts: Legal concerns stop researchers from disrupting the Storm Worm botnet; The Storm Worm would love to infect you; Tracking down the Storm Worm malware; Storm Worm’s Independence Day campaign; Storm Worm says the U.S have invaded Iran
Interestingly, Waledac is an example of a botnet that's propagating by rubbing shoulders with some of the most prolific botnets currently in circulation, including Conficker, whose most recent variant pushes a Waledac sample, presumably under a business agreement with Conficker's authors, who are looking for more ways to monetize their botnet. Moreover, according to Microsoft's MMPC, in the past they "observed malware such as Win32/Bredolab download and install Waledac. Bredolab is notorious for installing prevalent spam bots such as Rustock, Cutwail, Srizbi, Tedroo and Rlsloup."
This ongoing cooperation proves that while certain cybercriminals still live in a "no honor among cybercriminals" world, attempting to scam one another (Phishers increasingly scamming other phishers) and hijack each other's botnets, the rest are clearly working together.