The family added to the April MSRT release is Win32/Waledac. If you haven't heard of the family before, there is a chance you may have seen some of the spam generated by Win32/Waledac in your inbox. We've blogged about some of the spam campaigns in the past, such as Fake Obama or the Valentine Devkit. The most recent spam campaign uses a fake “Reuters Terror Attack” themed lure.

Reuters Terror Attack:
Fake Reuters Terror Attack

Win32/Waledac is a complex spam bot. It also has the ability to download and execute arbitrary files, harvest email addresses from the local machine, perform denial of service attacks, proxy network traffic and sniff passwords. Having leapt into the spotlight in December of 2008 as a result of a large Christmas holiday e-card spam campaign. A number of functional and superficial similarities with the infamous Nuwar spambot (a.k.a. the “Storm” worm) led many to conclude - correctly, that Waledac was the next generation implementation. So where did Waledac come from?

The first variant which drew the attention of the MMPC was found nearly nine months prior to this event, in the first week of April 2008. This early version of Waledac was disseminated via the very mechanism which also delivered Nuwar to a machine. Interestingly, the same mechanism was also employed during the development of the Nuwar constituent components. The earliest record of the Waledac developmental “cross-grade” that the MMPC was able to establish was the 25th December 2007. This demonstrates that Waledac was in development for at least one year before the Christmas “show”.

An early variant of Waledac, demonstrating the family name derivation:
Screenshot

Waledac employs an ‘affiliate’ or partner (if you will) based installation scheme. For example, the MMPC has observed malware such as Win32/Bredolab download and install Waledac. Bredolab is notorious for installing prevalent spam bots such as Rustock, Cutwail, Srizbi, Tedroo and Rlsloup.

A simple reminder to exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a Web page that you are not familiar with, unsure of the destination of, or suspicious of. Websites hosting Waledac have employed browser exploits, so malicious software may be installed on your system simply by visiting a Web page with harmful content.

We’ll keep you posted as more information comes to hand.

--Scott Molenkamp