Could Waledec be the second-coming of the infamous Storm email worm?


ABSOLUTELY DO NOT click on this Couponizer online ad. You will  turn over control of your PC to the Waledec botnet. You will likely  get a banking trojan installed, and your machine performance may slow when your PC is assigned to spread email spam and participate in denial of service attacks.

Not much has been written about Waledec. Yet there is a lot of circumstantial evidence suggesting that it may be the successor to the Storm email worm that infested the Internet from January 2007 through the summer of 2008. Kurt Baumgartner, Vice President of Behavioral Threat Research at PC Tools has been following Storm and Waledec over the past two years.  Excerpts of Last Watchdog’s interview with  Kurt:

LW: Do you have a copy of the original Storm e-mail that began circulating in Jan. 2007?

KURT: Yes. The messages were completely non-descript and did not contain any message text. One of the campaign’s message subject line read “230 dead as storm batters Europe.” and provided a “Full video.exe” attachment.

LW: What was distinctive and/or pioneering about Storm?

KURT: There were multiple characteristics about the Storm threat that were distinctive, some were covered in our September 2007 Virus Bulletin presentation. Here is a quick list of distinctive (and some pioneering) qualities of Storm:

• Mass social engineering schemes and campaigns taken to a new level of persuasion and organization for financially motivated goals.

• Very high level of change and activity — malware binaries were being re-developed from one campaign to the next, campaigns were changing often.

• Highly distributed web presence — globalwide distribution of web presence implemented with proxy servers.

• Heavy use of spammed attachments and spammed links to spread itself.

• Careful attention given to visual arts on the web pages.

• Themes tied to holidays,  large events .

• Unique use of P2P for botnet communications only, while using http for file downloads.

• Used for spam and DDoS, password/identity stealing components were not delivered.

• Trojan’s ability to fight back against cleanup tools, morph itself and regrow the botnet.

• Sustained presence as massive spamming botnet for well over a year.

LW: When did Storm peak?

KURT: There were various peaks — peaks in spam output, peak in speculated size of the botnet, peak in media attention I would say that the peak in spam output and most likely size of the botnet was late summer 2007, continued on in dwindled form, and then regained some strength in 2008 but never the same.

LW: Approximately when did Storm fade away? What happened to it?

KURT: Storm seemed to fade away altogether by late summer 2008, and while security companies were helping to take a dent out of it (from AV companies, to vigilante researchers, to spam blockers) in late 2007, there were other, much larger botnets that may have become more appealing to the spammers from a financial perspective. The massive botnet itself had been a financially motivated creation. Quite possibly, the project’s size, its predictability, and general awareness cut into its profits. They may have finished off the botnet themselves with a large FakeAV install or other effort that removed the botnet components from the systems. Only speculation remains.

LW: When did Waledec first arise?

KURT: December 2008.

LW: What’s distinctive and/or pioneering about Waledec?

KURT: The Waledac packer is somewhat distinctive and delivered with a fair level of server side polymorphism. The trojan’s components have not changed much and all function in user mode. It also appears that Waledac has been downloading and installing additional financially motivated malware, like other rogueware and spyware components, which makes it different from the Storm threat (which would lead us to believe the overall effort is run by some new actors). It’s most pioneering piece is its use of p2p communications over http. Otherwise, it looks a lot like Storm in most every aspect.

LW: What’s the connection(s), if any, between Waledec and Storm?

KURT: Because there have been multiple levels of developers, distributors, administration, spammers and some of the work seems to have been outsourced during the Storm threat, it is unconfirmed that the Waledac botnet can be called the new Storm botnet. However, many similarities exist between the two, so many that they are almost identical. See the list of distinctive qualities of Storm above. Waledac meets almost all of them except for the kernel level thread injection that is missing and the Trojan functionality is not changing, and that the Waledac trojan’s downloading capabilities are known to be running other malware families on victim hosts. There also seems to be some very different actors behind the Waledac threat.

–Byron Acohido

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone