Where is Waledac – Episode II


The Spambot


Whilst Win32/Waledac is probably best known for its ability to send spam, it can also download and execute arbitrary files. Besides using this mechanism to update itself, Waledac downloads other malware: the MMPC has observed it fetching Trojan:Win32/FakeSpypro and TrojanDownloader:Win32/Rugzip variants.


Not everything it downloads is malware in its own right. Waledac also attempts to download and install a build of the freely available packet-capture library WinPcap, and uses it to "sniff" the infected host's network traffic for credentials transmitted in the clear as part of the SMTP, POP, HTTP and FTP protocols.
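As an added example (this is not code from the original post, and not Waledac's own sniffer), the following Python shows what a WinPcap-style sniffer on an infected host can pull out of exactly these four protocols, and doubles as a check you can run over reassembled client streams from your own captures to see whether such cleartext logins exist on your network. The hostnames, usernames and passwords in SAMPLE_STREAMS are constructed, and the parser is assumed to be fed the client-to-server half of each TCP stream (as a sniffer would have after reassembly) rather than raw packets.

```python
"""Cleartext credential extraction over FTP, POP3, SMTP and HTTP client streams.

Added example, not code from the original post or from Waledac.  Every
credential below travels in the clear (or merely base64-encoded) unless the
session is protected by TLS, which is why a host-local sniffer is enough to
harvest it.
"""
import base64
import re
from typing import Iterable


def _b64(token: str) -> str:
    """Decode a base64 token, returning '' if it is not valid base64 / UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def extract_credentials(proto: str, stream: str) -> list[tuple[str, str, str]]:
    """Return (protocol, username, password) triples found in one client stream."""
    found: list[tuple[str, str, str]] = []
    lines = stream.splitlines()
    p = proto.upper()
    if p in ("FTP", "POP3"):
        # USER <name> ... PASS <secret>, both as plain text commands.
        user = None
        for line in lines:
            m = re.match(r"(?i)^(USER|PASS)\s+(.*)$", line.strip())
            if not m:
                continue
            if m.group(1).upper() == "USER":
                user = m.group(2)
            elif user is not None:
                found.append((p, user, m.group(2)))
                user = None
    elif p == "SMTP":
        # AUTH PLAIN <b64(authzid NUL authcid NUL password)> with an initial
        # response, or AUTH LOGIN followed by b64(username) and b64(password)
        # on the next two client lines (the server's 334 challenges are not
        # in the client half of the stream).
        i = 0
        while i < len(lines):
            line = lines[i].strip()
            m = re.match(r"(?i)^AUTH\s+PLAIN\s+(\S+)$", line)
            if m:
                parts = _b64(m.group(1)).split("\0")
                if len(parts) == 3:
                    found.append((p, parts[1], parts[2]))
            elif re.match(r"(?i)^AUTH\s+LOGIN$", line) and i + 2 < len(lines):
                user, pw = _b64(lines[i + 1].strip()), _b64(lines[i + 2].strip())
                if user and pw:
                    found.append((p, user, pw))
                i += 2
            i += 1
    elif p == "HTTP":
        # Authorization: Basic <b64(user:password)> on every request.
        for line in lines:
            m = re.match(r"(?i)^Authorization:\s*Basic\s+(\S+)$", line.strip())
            if m and ":" in _b64(m.group(1)):
                user, pw = _b64(m.group(1)).split(":", 1)
                found.append((p, user, pw))
    return found


def harvest(streams: Iterable[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Run the extractor over (protocol, client_stream) pairs."""
    out: list[tuple[str, str, str]] = []
    for proto, payload in streams:
        out.extend(extract_credentials(proto, payload))
    return out


# Constructed sample streams standing in for reassembled client-to-server data.
SAMPLE_STREAMS = [
    ("FTP", "USER alice\r\nPASS s3cret\r\nLIST\r\n"),
    ("POP3", "USER bob@example.test\r\nPASS hunter2\r\nSTAT\r\n"),
    ("SMTP", "EHLO pc\r\nAUTH PLAIN "
             + base64.b64encode(b"\0carol\0pa55w0rd").decode()
             + "\r\nMAIL FROM:<carol@example.test>\r\n"),
    ("SMTP", "EHLO pc\r\nAUTH LOGIN\r\n"
             + base64.b64encode(b"dave").decode() + "\r\n"
             + base64.b64encode(b"letmein").decode() + "\r\n"),
    ("HTTP", "GET /mail HTTP/1.1\r\nHost: webmail.example.test\r\n"
             "Authorization: Basic " + base64.b64encode(b"erin:qwerty").decode()
             + "\r\n\r\n"),
]

if __name__ == "__main__":
    for proto, user, pw in harvest(SAMPLE_STREAMS):
        print(f"{proto:5} user={user!r} password={pw!r}")
```

If this harvest returns anything when run over your own traffic, the fix is on the protocol side (STARTTLS or implicit TLS for mail, HTTPS instead of Basic auth over HTTP, SFTP/FTPS instead of FTP), since a sniffer on the client host sees whatever the client sends.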


Our previous post noted that Waledac has been downloaded by variants of Win32/Bredolab; we have since also seen it downloaded by Win32/Cutwail in the wild. Interestingly, the MMPC has recently identified Win32/Cutwail variants downloading the same rogue security product that Win32/Waledac does, Win32/FakeSpypro (the FakeSpypro rogue's skin is shown below).


[Screenshot: skin of the FakeSpypro rogue]

The Telemetry


Now let's look at the MSRT telemetry since Waledac was added to MSRT in April. Waledac is the #24 most prevalent threat family this month, with more than 20,000 distinct machines worldwide detected with a Waledac infection. The criminals behind Waledac appear to have most of their deployment on XP. Note that these counts are not normalized for install base: as of today the MSRT install base on Vista is about 37% of the size of that on XP.



Factoring in the install base gives the following table of infection rate, expressed as computers cleaned per thousand MSRT executions (CCM), the measure used throughout the Microsoft Security Intelligence Report. The table takes the 25 countries with the most Waledac infections and sorts them by CCM. Turkey has the highest infection rate, followed by Hungary, Switzerland and Australia.


Top 25 Infected Countries – Sorted by CCM

Country           Infected Machines   MSRT Executions     CCM
Turkey                          773         2,789,140   0.277
Hungary                         184         1,204,140   0.153
Switzerland                      97           808,880   0.120
Australia                       257         2,266,060   0.113
Russia                          474         4,435,200   0.107
United States                10,788       102,158,300   0.106
Norway                          145         1,600,720   0.091
Canada                          336         3,882,660   0.087
Poland                          381         4,413,260   0.086
Finland                         113         1,465,140   0.077
Belgium                          93         1,311,660   0.071
Netherlands                     384         5,632,000   0.068
Sweden                          197         2,890,140   0.068
Czech Republic                  132         1,995,920   0.066
Portugal                        105         1,674,600   0.063
Mexico                          136         2,226,740   0.061
United Kingdom                  621        10,570,440   0.059
Denmark                         113         1,984,000   0.057
France                          752        14,528,900   0.052
Spain                           443        10,767,540   0.041
Brazil                          294         7,481,920   0.039
Korea                           294         8,333,660   0.035
Italy                           208         7,530,060   0.028
Japan                           563        21,683,600   0.026
Germany                         291        16,958,320   0.017

(CCM = Infected Machines / MSRT Executions × 1,000.)



The Spam Data


The MMPC and Forefront Online Security for Exchange (FOSE) conducted some research on Waledac-related spam. The study covered the following subset of Waledac-owned domains and monitored the spam email sent over the seven days from 4/15/2009 tabulated below:



  • chinamoilesms.com

  • coralarmor.com

  • freeservesms.com

  • miosmsclu.com

  • smsclunet.com

  • smspianeta.com

From these domains we identified the related IPs and counted the email sent from those IPs. Over the course of the study we observed 7,199 distinct IPs sending Waledac spam, and 4,091,725 spam emails distributed by those IPs during the seven days. Non-delivery reports (NDRs) are tallied separately and are not counted as spam in this study. Note that this was not even the peak of the Waledac email campaign.


Waledac Spam by Day

Date          Sum of Spam   Sum of NDR   Distinct IPs
4/15/2009         520,423      272,050          2,430
4/16/2009         606,171      329,552          3,673
4/17/2009         588,710      322,779          2,802
4/18/2009         516,215      281,225          2,697
4/19/2009         514,375      242,666          2,222
4/20/2009         660,828      285,473          2,450
4/21/2009         685,003      293,193          1,760
Grand Total     4,091,725    2,026,938        18,034*

* 18,034 is the sum of the daily distinct-IP counts; an IP that sent mail on several days is counted once per day. The number of distinct IPs over the whole period is 7,199.
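The attribution method described above (resolve the botnet-owned domains to IPs, match gateway log lines on sender IP, tally NDRs separately, report distinct senders per day) is reproduced in miniature in the following Python, added here as an example; it is not the MMPC/FOSE tooling. The domains, IPs and log lines are constructed, and the resolution results are a hard-coded stand-in for DNS lookups. It also makes the footnote's point concrete: summing the daily distinct-IP counts overcounts senders that are active on more than one day, so the overall distinct count has to be computed as a set union.

```python
"""Attributing spam to a botnet by sender IP, aggregated per day.

Added example, not the MMPC/FOSE pipeline.  A fast-flux domain changes its
A records constantly, so a real pipeline re-resolves on a schedule and keeps
the history; here RESOLUTIONS stands in for that accumulated history.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed stand-in for repeated DNS resolution of botnet-owned domains
# (documentation-range addresses; the same host can serve several domains).
RESOLUTIONS: dict[str, set[str]] = {
    "smsclunet.example": {"203.0.113.10", "203.0.113.11", "198.51.100.7"},
    "smspianeta.example": {"203.0.113.11", "198.51.100.8", "192.0.2.44"},
}

# Constructed mail-gateway log lines: date sender_ip recipient kind
# kind is MAIL for an ordinary message or NDR for a non-delivery report.
LOG_LINES = """\
2009-04-15 203.0.113.10 u1@corp.example MAIL
2009-04-15 203.0.113.10 u2@corp.example MAIL
2009-04-15 203.0.113.11 u3@corp.example NDR
2009-04-15 198.51.100.7 u4@corp.example MAIL
2009-04-15 192.0.2.99   u5@corp.example MAIL
2009-04-16 203.0.113.10 u1@corp.example MAIL
2009-04-16 198.51.100.8 u6@corp.example MAIL
2009-04-16 198.51.100.8 u7@corp.example NDR
2009-04-16 192.0.2.44   u8@corp.example MAIL
2009-04-17 203.0.113.11 u9@corp.example MAIL
2009-04-17 192.0.2.44   u1@corp.example MAIL
"""


@dataclass
class DayStats:
    spam: int = 0
    ndr: int = 0
    ips: set = field(default_factory=set)


def botnet_ips(resolutions: dict[str, set[str]]) -> set[str]:
    """Union of every IP any monitored domain has resolved to."""
    return set().union(*resolutions.values())


def attribute(log_text: str, ips: set[str]) -> dict[str, DayStats]:
    """Per-day spam/NDR counts and distinct senders, restricted to botnet IPs."""
    days: dict[str, DayStats] = defaultdict(DayStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, ip, _rcpt, kind = line.split()
        if ip not in ips:
            continue  # e.g. 192.0.2.99 never served a monitored domain
        d = days[date]
        d.ips.add(ip)
        if kind == "NDR":
            d.ndr += 1  # bounces are tallied but not counted as spam
        else:
            d.spam += 1
    return dict(days)


def summarize(days: dict[str, DayStats]) -> dict[str, int]:
    """Totals.  cumulative_ips sums the daily counts; distinct_ips does not."""
    return {
        "spam": sum(d.spam for d in days.values()),
        "ndr": sum(d.ndr for d in days.values()),
        "cumulative_ips": sum(len(d.ips) for d in days.values()),
        "distinct_ips": len(set().union(*(d.ips for d in days.values()))),
    }


if __name__ == "__main__":
    days = attribute(LOG_LINES, botnet_ips(RESOLUTIONS))
    print("Date         Spam  NDR  Distinct IPs")
    for date in sorted(days):
        d = days[date]
        print(f"{date}  {d.spam:4}  {d.ndr:3}  {len(d.ips):12}")
    print(summarize(days))
```

On the constructed log the cumulative figure is 8 while only 5 distinct addresses ever sent, the same divergence as 18,034 versus 7,199 in the table above; a sender that appears on every day of a study inflates the cumulative count by the length of the study.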


The location of the senders of this spam does not necessarily match the geographic distribution of MMPC Waledac detections. The controllers of Waledac can decide which zombies are throttled or heavily loaded; furthermore, they can rotate these IPs in and out and need not have them all active simultaneously.


Waledac Spam Senders by Country

Country           Number IPs   Total Spam   Avg Mail per IP
United States          7,582    3,143,793           1,424.2
China                  1,492        3,475               7.2
South Korea              900        3,276               5.0
Great Britain            827      158,026             589.7
Japan                    672       97,309             293.2
Germany                  462       74,556             477.5
Brazil                   445        6,978              54.4
Canada                   365       77,042             734.3
Australia                342       15,754             225.4
France                   340      226,215           1,355.3
Russia                   309        1,815              16.0
The Netherlands          286       11,066             243.2
Italy                    258       17,601             137.2
Taiwan                   233            –                 –
Unknown                  227        8,700              54.1
Argentina                213        7,382              66.7
Spain                    175       19,081             134.7
Czech Republic           170        1,656             164.4
Poland                   165        1,517              36.7
Turkey                   158        1,293               8.4
India                    155        5,179              72.2
Romania                  123        1,092              15.5
Singapore                112        7,724             300.4
Austria                  101        2,061             237.2
All others             1,922      199,134             248.7
Grand Total           18,034    4,091,725             737.1

Number IPs is the cumulative daily count (summing to 18,034), as in the previous table, not the count of distinct addresses. Avg Mail per IP is reproduced as reported in the study; it is not Total Spam divided by the cumulative Number IPs column.


We will continue to monitor the Waledac threat and its spam activity.


Scott Wu – MMPC
Terry Zink – FOSE
Scott Molenkamp – MMPC
