Thursday, May 07, 2009 5:07 PM
by mmpc

Where is Waledac - Episode II

The Spambot
Whilst Win32/Waledac is probably best known for its ability to send spam, it can also download and execute arbitrary files. In addition to using this download mechanism to update itself, Waledac can also download other malware. The MMPC has observed it downloading Trojan:Win32/FakeSpypro and TrojanDownloader:Win32/Rugzip variants.
The files Waledac downloads and executes are not confined to malicious software. Waledac also attempts to download and install a version of the freely available packet-capture library "WinPcap". The spambot uses the library to "sniff" network traffic on the infected machine, searching for credentials transmitted in the clear by the SMTP, POP, HTTP and FTP protocols.
In the previous blog post we mentioned that Waledac has been downloaded by variants of Win32/Bredolab; we have also seen Waledac being downloaded by Win32/Cutwail in the wild. Interestingly, the MMPC has recently identified Win32/Cutwail variants downloading the same rogue as Win32/Waledac, namely Win32/FakeSpypro (the skin of the FakeSpypro rogue is shown in the image below).

The Telemetry
Now let's take a look at the MSRT telemetry after Waledac was added to MSRT in April. Waledac is the #24 most prevalent threat family this month. More than 20,000 distinct machines were detected with a Waledac infection worldwide. The criminals behind Waledac seem to enjoy having their deployment mostly on XP. Note that this figure is not normalized: as of today the MSRT install base on Vista is about 37% the size of that on XP.

Factoring in the install base, we came up with the following table of infection rates, expressed as computers cleaned per thousand MSRT executions (CCM), the measure widely used in the Microsoft Security Intelligence Report. The table presents the top 25 countries by Waledac infection count, sorted by CCM. Turkey has the highest infection rate, followed by Hungary, Switzerland and Australia.
Top 25 Infected Countries - Sorted by CCM

| Country | Infected Machines | MSRT Executions | CCM |
|---|---|---|---|
| Turkey | 773 | 2,789,140 | 0.277 |
| Hungary | 184 | 1,204,140 | 0.153 |
| Switzerland | 97 | 808,880 | 0.120 |
| Australia | 257 | 2,266,060 | 0.113 |
| Russia | 474 | 4,435,200 | 0.107 |
| United States | 10,788 | 102,158,300 | 0.106 |
| Norway | 145 | 1,600,720 | 0.091 |
| Canada | 336 | 3,882,660 | 0.087 |
| Poland | 381 | 4,413,260 | 0.086 |
| Finland | 113 | 1,465,140 | 0.077 |
| Belgium | 93 | 1,311,660 | 0.071 |
| Netherlands | 384 | 5,632,000 | 0.068 |
| Sweden | 197 | 2,890,140 | 0.068 |
| Czech Republic | 132 | 1,995,920 | 0.066 |
| Portugal | 105 | 1,674,600 | 0.063 |
| Mexico | 136 | 2,226,740 | 0.061 |
| United Kingdom | 621 | 10,570,440 | 0.059 |
| Denmark | 113 | 1,984,000 | 0.057 |
| France | 752 | 14,528,900 | 0.052 |
| Spain | 443 | 10,767,540 | 0.041 |
| Brazil | 294 | 7,481,920 | 0.039 |
| Korea | 294 | 8,333,660 | 0.035 |
| Italy | 208 | 7,530,060 | 0.028 |
| Japan | 563 | 21,683,600 | 0.026 |
| Germany | 291 | 16,958,320 | 0.017 |

The Spam Data
The MMPC and the Forefront Online Service for Exchange (FOSE) conducted some research on Waledac-related spam. In this study we included the following subset of Waledac-owned domains and monitored the spam emails sent between 4/15 and 4/23.
- chinamoilesms.com
- coralarmor.com
- freeservesms.com
- miosmsclu.com
- smsclunet.com
- smspianeta.com
From these domains we identified the related IPs and counted the emails sent from those IPs. Over the course of the study, we observed a total of 7,199 distinct IPs sending Waledac spam. We observed 4,091,725 spam emails distributed by these IPs during the seven days. Non-Delivery Reports (NDRs) are not counted as spam emails in this study. Note that this period is not even the peak of the Waledac email campaign.
| Date | Sum of Spam | Sum of NDR | Distinct IPs |
|---|---|---|---|
| 4/15/2009 | 520,423 | 272,050 | 2,430 |
| 4/16/2009 | 606,171 | 329,552 | 3,673 |
| 4/17/2009 | 588,710 | 322,779 | 2,802 |
| 4/18/2009 | 516,215 | 281,225 | 2,697 |
| 4/19/2009 | 514,375 | 242,666 | 2,222 |
| 4/20/2009 | 660,828 | 285,473 | 2,450 |
| 4/21/2009 | 685,003 | 293,193 | 1,760 |
| Grand Total | 4,091,725 | 2,026,938 | 18,034* |

* 18,034 is the cumulative sum. The distinct number is 7,199.
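As an added example that is not part of the original MMPC post, the Python below reproduces the CCM computation from a few rows of the MSRT table above, shows how the ranking differs between raw infection counts and CCM (the "not normalized" point), and illustrates the footnote's cumulative-versus-distinct IP distinction on constructed daily sighting sets that use RFC 5737 documentation addresses.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Sample rows copied from the MSRT telemetry table in the post:
# country -> (infected machines, MSRT executions)
MSRT_SAMPLE: Dict[str, Tuple[int, int]] = {
    "Turkey": (773, 2_789_140),
    "United States": (10_788, 102_158_300),
    "Hungary": (184, 1_204_140),
    "Germany": (291, 16_958_320),
}


def ccm(infected: int, executions: int) -> float:
    """Computers cleaned per thousand MSRT executions (CCM)."""
    if executions <= 0:
        raise ValueError("MSRT executions must be positive")
    return infected / executions * 1000


def rank_by_ccm(rows: Dict[str, Tuple[int, int]]) -> List[Tuple[str, float]]:
    """Countries with their CCM, highest infection rate first."""
    scored = [(c, round(ccm(i, e), 3)) for c, (i, e) in rows.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def rank_by_count(rows: Dict[str, Tuple[int, int]]) -> List[str]:
    """Countries by raw infected-machine count (the un-normalized view)."""
    return sorted(rows, key=lambda c: rows[c][0], reverse=True)


# Constructed daily sets of spam-sending IPs (documentation addresses only).
DAILY_IPS: List[Set[str]] = [
    {"192.0.2.1", "192.0.2.2", "198.51.100.7"},
    {"192.0.2.2", "203.0.113.9"},
    {"192.0.2.1", "203.0.113.9", "203.0.113.10"},
]


def cumulative_vs_distinct(days: Iterable[Set[str]]) -> Tuple[int, int]:
    """Summing per-day distinct counts overcounts IPs seen on several days;
    the true figure is the size of the union across all days."""
    days = list(days)
    cumulative = sum(len(d) for d in days)
    distinct = len(set().union(*days))
    return cumulative, distinct


if __name__ == "__main__":
    print(rank_by_ccm(MSRT_SAMPLE))      # Turkey first, US third
    print(rank_by_count(MSRT_SAMPLE))    # US first by raw count
    print(cumulative_vs_distinct(DAILY_IPS))
```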
The location of the senders of this spam does not necessarily match the geographic distribution chart of MMPC Waledac detections. The controllers of Waledac can decide which zombies will be throttled or heavily loaded. Furthermore, they can rotate these IPs in and out and need not have them all active simultaneously.
| Country | Number IPs | Total Spam | Avg Mail per IP |
|---|---|---|---|
| United States | 7,582 | 3,143,793 | 1,424.2 |
| China | 1,492 | 3,475 | 7.2 |
| South Korea | 900 | 3,276 | 5.0 |
| Great Britain | 827 | 158,026 | 589.7 |
| Japan | 672 | 97,309 | 293.2 |
| Germany | 462 | 74,556 | 477.5 |
| Brazil | 445 | 6,978 | 54.4 |
| Canada | 365 | 77,042 | 734.3 |
| Australia | 342 | 15,754 | 225.4 |
| France | 340 | 226,215 | 1,355.3 |
| Russia | 309 | 1,815 | 16.0 |
| The Netherlands | 286 | 11,066 | 243.2 |
| Italy | 258 | 17,601 | 137.2 |
| Taiwan | 233 | - | - |
| Unknown | 227 | 8,700 | 54.1 |
| Argentina | 213 | 7,382 | 66.7 |
| Spain | 175 | 19,081 | 134.7 |
| Czech Republic | 170 | 1,656 | 164.4 |
| Poland | 165 | 1,517 | 36.7 |
| Turkey | 158 | 1,293 | 8.4 |
| India | 155 | 5,179 | 72.2 |
| Romania | 123 | 1,092 | 15.5 |
| Singapore | 112 | 7,724 | 300.4 |
| Austria | 101 | 2,061 | 237.2 |
| All others | 1,922 | 199,134 | 248.7 |
| Grand Total | 18,034 | 4,091,725 | 737.1 |

We will continue to monitor the Waledac threat and its spam activity.
Scott Wu - MMPC
Terry Zink - FOSE
Scott Molenkamp - MMPC