The Spambot

Whilst Win32/Waledac is probably best known for its ability to send spam, it can also download and execute arbitrary files. Besides using this mechanism to update itself, Waledac downloads other malware: the MMPC has observed it downloading Trojan:Win32/FakeSpypro and TrojanDownloader:Win32/Rugzip variants.

The downloaded files are not confined to malware. Waledac also attempts to download and install a copy of the freely available packet capture library WinPcap, and uses it to "sniff" network traffic on the infected host, searching for credentials transmitted in the clear by the SMTP, POP, HTTP and FTP protocols.
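To make concrete what a sniffer on an infected host can harvest from those four protocols, here is an added example (our own illustration, not Waledac's code and not MMPC tooling) that scans constructed client-to-server payloads for cleartext credentials. The sample flows, hostnames and credentials are made up, and the port-to-protocol mapping is an assumption. It records only the username and the password length, which is how a defender's own check for cleartext authentication on the wire should behave, and it deliberately reports nothing for TLS-wrapped traffic, because that is the mitigation: credentials sent over STARTTLS/SMTPS, POP3S or HTTPS are opaque to this kind of passive capture.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Finding:
    proto: str          # FTP, POP3, SMTP or HTTP
    username: str
    password_len: int   # length only: a defender's check should never store the secret


# Constructed client->server payloads (not real captures), keyed by destination port.
# Every host name and credential below is made up for this example.
SAMPLE_FLOWS = [
    (21,  b"USER alice\r\nPASS hunter2\r\n"),
    (110, b"USER bob@example.net\r\nPASS s3cret\r\n"),
    (25,  b"EHLO mail.example.net\r\nAUTH PLAIN "
          + base64.b64encode(b"\0carol\0pw123") + b"\r\n"),
    (25,  b"AUTH LOGIN\r\n" + base64.b64encode(b"dave") + b"\r\n"
          + base64.b64encode(b"letmein") + b"\r\n"),
    (80,  b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
          + base64.b64encode(b"erin:correct horse") + b"\r\n\r\n"),
    (80,  b"POST /login HTTP/1.1\r\nHost: app\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"username=frank&password=tr0ub4dor"),
    (443, b"\x16\x03\x01\x00\x05hello"),  # TLS record: opaque, nothing to harvest
]

# Form field names commonly used for login forms (assumed list, not exhaustive).
USER_KEYS = ("user", "username", "login", "email")
PASS_KEYS = ("pass", "password", "passwd", "pwd")


def _b64(s: str) -> Optional[bytes]:
    """Strict base64 decode; returns None instead of raising on junk input."""
    try:
        return base64.b64decode(s, validate=True)
    except ValueError:      # binascii.Error is a ValueError subclass
        return None


def _user_pass(text: str, proto: str) -> List[Finding]:
    """FTP and POP3 both authenticate with cleartext USER / PASS commands."""
    user = re.search(r"^USER\s+(\S+)", text, re.M | re.I)
    pw = re.search(r"^PASS\s+(\S+)", text, re.M | re.I)
    return [Finding(proto, user.group(1), len(pw.group(1)))] if user and pw else []


def _smtp(text: str) -> List[Finding]:
    """SMTP AUTH PLAIN (one base64 blob: authzid\\0authcid\\0passwd) and AUTH LOGIN
    (two base64 lines: username, then password). Without STARTTLS both are cleartext."""
    out: List[Finding] = []
    lines = text.split("\r\n")
    for i, line in enumerate(lines):
        m = re.match(r"AUTH\s+PLAIN\s+(\S+)", line, re.I)
        if m:
            raw = _b64(m.group(1))
            if raw is not None and raw.count(b"\0") == 2:
                _authzid, authcid, passwd = raw.split(b"\0")
                out.append(Finding("SMTP", authcid.decode(errors="replace"), len(passwd)))
        elif re.match(r"AUTH\s+LOGIN\s*$", line, re.I) and len(lines) > i + 2:
            user, pw = _b64(lines[i + 1]), _b64(lines[i + 2])
            if user is not None and pw is not None:
                out.append(Finding("SMTP", user.decode(errors="replace"), len(pw)))
    return out


def _http(text: str) -> List[Finding]:
    """HTTP Basic auth (base64 'user:pass') and login forms posted over plain HTTP."""
    out: List[Finding] = []
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)", text, re.M | re.I)
    if m:
        raw = _b64(m.group(1))
        if raw is not None and b":" in raw:
            user, pw = raw.split(b":", 1)
            out.append(Finding("HTTP", user.decode(errors="replace"), len(pw)))
    head, sep, body = text.partition("\r\n\r\n")
    if sep and "application/x-www-form-urlencoded" in head.lower():
        fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
        user = next((fields[k] for k in USER_KEYS if k in fields), None)
        pw = next((fields[k] for k in PASS_KEYS if k in fields), None)
        if user and pw:
            out.append(Finding("HTTP", user, len(pw)))
    return out


# Assumed port-to-protocol mapping for the sample flows.
PORT_PARSERS = {
    21: lambda t: _user_pass(t, "FTP"),
    110: lambda t: _user_pass(t, "POP3"),
    25: _smtp, 587: _smtp,
    80: _http, 8080: _http,
}


def extract_credentials(dst_port: int, payload: bytes) -> List[Finding]:
    """Return any cleartext credentials visible in one client->server payload."""
    parser = PORT_PARSERS.get(dst_port)
    if parser is None:
        return []   # 443/465/993/995 etc.: TLS-wrapped, opaque to a passive sniffer
    return parser(payload.decode("latin-1"))


def scan(flows) -> List[Finding]:
    return [f for port, payload in flows for f in extract_credentials(port, payload)]


if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.proto:<5} user={f.username!r} password_len={f.password_len}")
```

Run it stand-alone to list the findings for the sample flows. To run it over real traffic you would feed it reassembled TCP payloads from a capture library; that plumbing is left out so the example stays offline.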

In the previous blog we mentioned that Waledac has been downloaded by variants of Win32/Bredolab; we have also seen it downloaded by Win32/Cutwail in the wild. Interestingly, the MMPC has recently identified Win32/Cutwail variants downloading the same rogue as Win32/Waledac, Win32/FakeSpypro (the FakeSpypro rogue's skin is shown below).

[Image: skin of the FakeSpypro rogue]

The Telemetry

Now let's take a look at the MSRT telemetry since Waledac was added to MSRT in April. Waledac is the #24 most prevalent threat family this month: more than 20,000 distinct machines worldwide were found infected with Waledac. The criminals behind Waledac seem to enjoy having their deployment mostly on Windows XP. Note that this figure is not normalized for install base: as of today, the MSRT install base on Vista is about 37% the size of that on XP.

Factoring in the install base, we computed the infection rate as computers cleaned per thousand MSRT executions (CCM), the metric used in the Microsoft Security Intelligence Report. The table below lists the 25 countries with the most Waledac infections, sorted by CCM. Turkey has the highest infection rate, followed by Hungary, Switzerland and Australia.

 

Top 25 Infected Countries - Sorted by CCM (computers cleaned per 1,000 MSRT executions)

Country         | Infected Machines | MSRT Executions | CCM
----------------|-------------------|-----------------|------
Turkey          |               773 |       2,789,140 | 0.277
Hungary         |               184 |       1,204,140 | 0.153
Switzerland     |                97 |         808,880 | 0.120
Australia       |               257 |       2,266,060 | 0.113
Russia          |               474 |       4,435,200 | 0.107
United States   |            10,788 |     102,158,300 | 0.106
Norway          |               145 |       1,600,720 | 0.091
Canada          |               336 |       3,882,660 | 0.087
Poland          |               381 |       4,413,260 | 0.086
Finland         |               113 |       1,465,140 | 0.077
Belgium         |                93 |       1,311,660 | 0.071
Netherlands     |               384 |       5,632,000 | 0.068
Sweden          |               197 |       2,890,140 | 0.068
Czech Republic  |               132 |       1,995,920 | 0.066
Portugal        |               105 |       1,674,600 | 0.063
Mexico          |               136 |       2,226,740 | 0.061
United Kingdom  |               621 |      10,570,440 | 0.059
Denmark         |               113 |       1,984,000 | 0.057
France          |               752 |      14,528,900 | 0.052
Spain           |               443 |      10,767,540 | 0.041
Brazil          |               294 |       7,481,920 | 0.039
Korea           |               294 |       8,333,660 | 0.035
Italy           |               208 |       7,530,060 | 0.028
Japan           |               563 |      21,683,600 | 0.026
Germany         |               291 |      16,958,320 | 0.017

 

The Spam Data

The MMPC and Forefront Online Security for Exchange (FOSE) conducted some research on Waledac-related spam. The study covered the following subset of Waledac-owned domains, and we monitored the spam emails between 4/15 and 4/23:

  • chinamoilesms.com
  • coralarmor.com
  • freeservesms.com
  • miosmsclu.com
  • smsclunet.com
  • smspianeta.com

From these domains we identified the related IPs and counted the emails sent from those IPs. Over the course of the study we observed 7,199 distinct IPs sending Waledac spam, and 4,091,725 spam emails from those IPs during the seven days. Non-Delivery Reports (NDRs) are counted separately and not as spam in this study. Note that this was not even the peak of the Waledac email campaign.

 

Date        | Sum of Spam | Sum of NDR | Distinct IPs
------------|-------------|------------|-------------
4/15/2009   |     520,423 |    272,050 |        2,430
4/16/2009   |     606,171 |    329,552 |        3,673
4/17/2009   |     588,710 |    322,779 |        2,802
4/18/2009   |     516,215 |    281,225 |        2,697
4/19/2009   |     514,375 |    242,666 |        2,222
4/20/2009   |     660,828 |    285,473 |        2,450
4/21/2009   |     685,003 |    293,193 |        1,760
Grand Total |   4,091,725 |  2,026,938 |      18,034*

* 18,034 is the cumulative sum of the daily counts; the number of distinct IPs over the whole period is 7,199.

The locations of the senders of this spam do not necessarily match the geographic distribution of MMPC Waledac detections. Waledac's controllers decide which zombies are throttled and which are heavily loaded, and they can rotate IPs in and out rather than keeping them all active simultaneously. In the table below, "Number IPs" is the same cumulative per-day count (the column sums to 18,034, not to the 7,199 distinct IPs), so "Avg Mail per IP" is not simply "Total Spam" divided by that column.

 

Country         | Number IPs | Total Spam | Avg Mail per IP
----------------|------------|------------|----------------
United States   |      7,582 |  3,143,793 |         1,424.2
China           |      1,492 |      3,475 |             7.2
South Korea     |        900 |      3,276 |             5.0
Great Britain   |        827 |    158,026 |           589.7
Japan           |        672 |     97,309 |           293.2
Germany         |        462 |     74,556 |           477.5
Brazil          |        445 |      6,978 |            54.4
Canada          |        365 |     77,042 |           734.3
Australia       |        342 |     15,754 |           225.4
France          |        340 |    226,215 |         1,355.3
Russia          |        309 |      1,815 |            16.0
The Netherlands |        286 |     11,066 |           243.2
Italy           |        258 |     17,601 |           137.2
Taiwan          |        233 |          - |               -
Unknown         |        227 |      8,700 |            54.1
Argentina       |        213 |      7,382 |            66.7
Spain           |        175 |     19,081 |           134.7
Czech Republic  |        170 |      1,656 |           164.4
Poland          |        165 |      1,517 |            36.7
Turkey          |        158 |      1,293 |             8.4
India           |        155 |      5,179 |            72.2
Romania         |        123 |      1,092 |            15.5
Singapore       |        112 |      7,724 |           300.4
Austria         |        101 |      2,061 |           237.2
All others      |      1,922 |    199,134 |           248.7
Grand Total     |     18,034 |  4,091,725 |           737.1
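As an added illustration of how the two spam tables above are built (our own example over constructed log lines, not FOSE's pipeline or data), the following script tallies spam and NDRs per day, keeps NDRs out of the spam count, and reports both the cumulative and the distinct sender-IP totals, so the gap between the 18,034 cumulative and 7,199 distinct figures is reproduced on a small scale. The per-country average uses distinct IPs as its denominator; that is this example's choice, since the study does not state the basis of its own "Avg Mail per IP" column.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    date: str
    ip: str
    kind: str       # "spam" or "ndr"
    country: str    # country of the sending IP (e.g. from a GeoIP lookup)


# Constructed sample log lines (date, sender IP, message kind, country); not FOSE data.
SAMPLE_LOG = """\
2009-04-15 198.51.100.7 spam US
2009-04-15 198.51.100.7 spam US
2009-04-15 198.51.100.7 ndr  US
2009-04-15 203.0.113.9  spam GB
2009-04-16 198.51.100.7 spam US
2009-04-16 203.0.113.9  ndr  GB
2009-04-16 192.0.2.44   spam CN
2009-04-17 192.0.2.44   spam CN
2009-04-17 198.51.100.7 spam US
"""


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, ip, kind, country = line.split()
        kind = kind.lower()
        if kind not in ("spam", "ndr"):
            raise ValueError(f"unknown message kind {kind!r} in line {line!r}")
        records.append(Record(date, ip, kind, country))
    return records


def daily_table(records: List[Record]) -> Dict[str, Dict[str, int]]:
    """Per-day spam count, NDR count and distinct spam-sending IPs.
    NDRs are tallied separately and never counted as spam, as in the study."""
    days = defaultdict(lambda: {"spam": 0, "ndr": 0, "ips": set()})
    for r in records:
        days[r.date][r.kind] += 1
        if r.kind == "spam":
            days[r.date]["ips"].add(r.ip)
    return {d: {"spam": v["spam"], "ndr": v["ndr"], "distinct_ips": len(v["ips"])}
            for d, v in sorted(days.items())}


def ip_totals(records: List[Record]) -> Tuple[int, int]:
    """(cumulative, distinct): summing each day's distinct IPs counts a zombie once
    per day it is active, which is why a cumulative total exceeds the distinct one."""
    cumulative = sum(v["distinct_ips"] for v in daily_table(records).values())
    distinct = len({r.ip for r in records if r.kind == "spam"})
    return cumulative, distinct


def country_table(records: List[Record]) -> Dict[str, Dict[str, float]]:
    """Per-country distinct IPs, spam volume and spam per distinct IP, sorted by volume.
    Distinct IPs as the denominator is this example's assumption."""
    by_country = defaultdict(lambda: {"ips": set(), "spam": 0})
    for r in records:
        if r.kind != "spam":
            continue
        by_country[r.country]["ips"].add(r.ip)
        by_country[r.country]["spam"] += 1
    table = {c: {"distinct_ips": len(v["ips"]), "spam": v["spam"],
                 "avg_per_ip": round(v["spam"] / len(v["ips"]), 1)}
             for c, v in by_country.items()}
    return dict(sorted(table.items(), key=lambda kv: kv[1]["spam"], reverse=True))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for day, row in daily_table(recs).items():
        print(day, row)
    print("cumulative vs distinct IPs:", ip_totals(recs))
    for country, row in country_table(recs).items():
        print(country, row)
```

On the sample data the cumulative count is twice the distinct count because the same zombie keeps sending on consecutive days; that is exactly the effect the asterisk on the 18,034 figure flags.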

We will continue to monitor Waledac and its spam activity.

Scott Wu - MMPC
Terry Zink - FOSE
Scott Molenkamp - MMPC