Waledac Terror Attack Trojan (March 18, 2009)


This week, SonicWALL UTM Research team observed new variants of Waledac. They switched to using a terror attack theme: by spoofing news agency Reuters website and sending emails that link to the spoofed site.

These Waledac variants incorporate IP address geolocation, just like the previous Couponizer attack, which is a way of determining a user’s location based on the IP address. The user’s IP address is queried to determine its location, then the results of that query are put into the webpage.

The website claims that a “dirty bomb” exploded in the user’s city and that at least 12 people have been killed. A video from Reuters is shown but “You need the latest Flash player to view video content. Click here to download.” The alleged missing codec file is the malware executable.

The websites used in this attack include:

  • adorelyricxx.com
  • bestcouponfreexx.com
  • bestlovelongxx.com
  • codecouponsitexx.com
  • funloveonlinexx.com
  • funnyvalentinessitexx.com
  • goodnewsdigitalxx.com
  • greatcouponclubxx.com
  • greatsalesavailablexx.com
  • supersalesonlinexx.com
  • youradorexx.com
  • worldtracknewsxx.com

These domains resolve to different IP addresses every time they are visited. The filenames are also rotated. Some of the filenames used in this wave are:

  • contact.exe
  • run.exe
  • print.exe
  • save.exe
  • main.exe
  • news.exe

When executed this Waledac variant is almost identical in its behavior to the previous variant.

SonicWALL Gateway Antivirus will detect this new Waledac variant with GAV: Suspicious#waledac.8 (Worm) signature.

SonicWALL UTM Research team recommends to mouse-over the links on any page and verifying they do not go to an EXE file to avoid being infected with malware.

Here is a screenshot of the malicious website:


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.