Waledac SMS Spy Trojan (April 16, 2009)


Yesterday, SonicWALL UTM Research team observed new variants of Waledac. They switched to using SMS Spy software trial theme: by pretending to offer software that allows the user to read other people’s SMS.

In the past, we released SonicAlerts about Waledac pretending to be a Valentine’s Day E-Card, a Couponizer program, and a Fake News Story about a Dirty Bomb.

The latest SMS Spy variants do not incorporate IP address geolocation, the message is not customized to the user’s city.

The website banks on the user’s curiosity and offers a tool to invade privacy and read anyone’s mobile phone text messages. For example, it targets jealous boyfriends, with taglines such as “Do you really trust her?”, “Are you sure you want to know?” in the email spam used to spread links to the latest Waledac domains. On the website, “Download Free Trial” link leads to the malware executable.

When executed this Waledac variant is almost identical in its behavior to the previous variant.

The websites used in this attack include:

  • adoresongsxx.com
  • antiterrorisxx.com
  • bakeloafxx.com
  • bestadorexx.com
  • bestcouponfreexx.com
  • bestjournalguidexx.com
  • bestlifeblogxx.com
  • bestlovehelpxx.com
  • bestlovelongxx.com
  • bestusablogxx.com
  • bluevalentineonlinexx.com
  • breakingnewsltdxx.com
  • chatloveonlinexx.com
  • cherishletterxx.com
  • chinamobilesmsxx.com
  • codecouponsitexx.com
  • coralarmxx.com
  • downloadfreesmsxx.com
  • easyworldnewsxx.com
  • freecolorsmsxx.com
  • freeservesmsxx.com
  • fryrollxx.com
  • funloveonlinexx.com
  • funnyvalentinessitexx.com
  • goldfixonlinexx.com
  • goodnewsdigitalxx.com
  • goodnewsreviewxx.com
  • greatcouponclubxx.com
  • greatsalesgroupxx.com
  • greatsvalentinexx.com
  • lastlabelxx.com
  • lovecentralonlinexx.com
  • lovelifeportalxx.com
  • miosmsclubxx.com
  • mobilephotoblogxx.com
  • moneymedalxx.com
  • nuovosmsxx.com
  • photoblogsitexx.com
  • romanticslovingxx.com
  • screenaliasxx.com
  • smsclubnetxx.com
  • smsdirettoxx.com
  • smspianetaxx.com
  • spacemynewsxx.com
  • tagdebtxx.com
  • thecoupondiscountxx.com
  • thevalentineloversxx.com
  • tntbreakingnewsxx.com
  • urbanfearxx.com
  • usabreakingnewsxx.com
  • virtualesmsxx.com
  • wealthleafxx.com
  • wirelessvalentinedayxx.com
  • worldlovelifexx.com
  • worshiplovexx.com
  • youradorexx.com
  • yourbarrierxx.com
  • yourgreatlovexx.com
  • yourvalentinedayxx.com
  • yourvalnetinepoemsxx.com

All domains are registered in China. They resolve to different IP addresses every time they are visited. The filenames are also rotated. Some of the filenames used in this wave are:

  • trial.exe
  • sms.exe
  • smsreader.exe
  • freetrial.exe
  • free.exe
  • promo.exe

SonicWALL Gateway Antivirus detects this new Waledac variant proactively with GAV: Waledac.gen.2 (Trojan) signature. This generic signature was added on April 13, 2009, catches 253 different variants of Waledac and has 23,387 hits so far.

Here is a screenshot of the malicious website:


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.