Wednesday, July 8, 2009

Waledac - July 4th Wave

Keeping up with theme-based spam, Waledac began a new wave for the 4th of July. Shadowserver posted a list of 4th of July themed domains like the following:

fireworksholiday.com
freeindependence.com
happyindependence.com
holidayfirework.com

The TTPs were the standard ones: a spam email, a fake YouTube video page and an executable download. A sample hyperlink from the Waledac spam is wpyn.fireholiday.com/video.exe. The domain wpyn.fireholiday.com resolves to numerous Fast Flux IP addresses; a quick resolution of the first 50 nodes is below:


sudosecure.net provides a cool tracking mechanism for Waledac binaries, Fast Flux IP addresses and domains.

Malware Analysis

File: video.exe
Size: 630784
MD5: 1D36E772F9892B64D810978B9A99541E

The Waledac malware video.exe creates a registry key referencing where the file was executed from. In this example, the file was executed from the desktop.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "RList"
Type: REG_BINARY
Data: (data too large: 6944 bytes)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PromoReg"
Type: REG_SZ
Data: C:\Documents and Settings\%User Profile%\Desktop\video.exe

The following are samples of initial connections to various Waledac controllers.

POST /rbbcrx.png
Host: 119.77.219.219

POST /lbohwj.png
Host: 98.25.97.68

POST / HTTP/1.1
Host: 93.100.114.158

POST /xdryoc.htm
Host: 134.155.241.188

POST /mzrbflwkczf.png
Host: 93.100.114.158
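As an added detection example (not code from the original post), the following Python flags proxy log entries that match the beacon pattern seen in the samples above: a POST to a bare public IP with either an empty path or a single short random-looking name ending in .png or .htm. The log lines are constructed for this example; the Waledac entries reuse the hosts and paths quoted in the post, the rest are benign decoys.

```python
import ipaddress
import re

# Constructed proxy log: "METHOD HOST PATH" per line. The first five lines
# reproduce the Waledac samples quoted in the post; the rest are decoys.
SAMPLE_LOG = """\
POST 119.77.219.219 /rbbcrx.png
POST 98.25.97.68 /lbohwj.png
POST 93.100.114.158 /
POST 134.155.241.188 /xdryoc.htm
POST 93.100.114.158 /mzrbflwkczf.png
GET www.example.com /images/logo.png
POST api.example.com /v1/upload
POST 10.0.0.5 /upload.php
"""

# Path shape from the samples: "/" alone, or one lowercase token of
# 5-12 letters with a .png or .htm extension and no directory component.
BEACON_PATH = re.compile(r"^/(?:[a-z]{5,12}\.(?:png|htm))?$")


def is_public_ip(host):
    """True only if host is a literal, globally routable IP address."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # hostnames and malformed values are not bare IPs


def flag_waledac_beacons(log_text):
    """Return the log entries matching the POST-to-bare-IP beacon pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        method, host, path = parts
        if method == "POST" and is_public_ip(host) and BEACON_PATH.match(path):
            hits.append({"host": host, "path": path})
    return hits


def beacon_hosts(log_text):
    """Sorted unique controller IPs seen in flagged entries, for blocklisting."""
    return sorted({h["host"] for h in flag_waledac_beacons(log_text)})


if __name__ == "__main__":
    for hit in flag_waledac_beacons(SAMPLE_LOG):
        print("suspect beacon:", hit["host"], hit["path"])
    print("controller IPs:", beacon_hosts(SAMPLE_LOG))
```

Private hosts (such as 10.0.0.5) are excluded by the public-IP check, so an internal file upload does not trip the rule even when the path shape is close.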
