The Waledac botnet appeared in late 2008 and is widely regarded as the successor to the notorious Storm botnet, owing to a number of similarities in behaviour. While the malware binary is substantially different, we have observed spamming templates that are virtually identical to those previously used by Storm. Relative to the major spamming botnets, Waledac's spam output remains small. Despite this, Waledac is a high-profile botnet that runs distinctive malicious campaigns, using clever social engineering hooks to entice users. Typical themes are e-cards and, more recently, fake coupons and bogus 'current events'. Over and above attempts to propagate itself, Waledac can also be seen spamming "Canadian Pharmacy" brand pharmaceuticals and other types of products.
Features
- Template-based spamming engine
- Uses AES encryption and a customized Base64 encoding to send and receive data from its control server over HTTP on port 80.
- Fast-fluxing DNS to hide malware hosting sites.
- Ability to download arbitrary files encrypted and embedded inside a JPG image file.
Spamming Rate
- 7,000 messages per hour per bot
Command and Control
The Waledac bot connects to its control server over HTTP on port 80. The bot carries a hardcoded list of IP addresses in its body, to which it attempts to connect. It sends HTTP POST requests to a randomly chosen hardcoded IP address to send and receive encrypted commands. Communication traffic is encrypted with AES and wrapped in a customized Base64 encoding.
Waledac establishes a connection to its control server using an HTTP request like the one below:
POST /<random>.<png or htm> HTTP/1.1
Referer: Mozilla
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: <hardcoded IP address>
Content-Length: 957
Cache-Control: no-cache
a=<AES encrypted data wrapped using customized Base64 encoding>&b=AAAAAA
The variable "a" is an encrypted XML document containing the bot configuration, such as the bot version number, ID, and commands.
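The request shape above (POST to a bare IP, a random name with a .png or .htm extension, literal "Mozilla" Referer and User-Agent, and an a=<blob>&b=AAAAAA body) is enough to build a simple network-log detector. The following is an added example, not code from the original profile: the header values are matched literally as documented, the alert threshold is an assumption, and both sample requests are constructed (192.0.2.10 is a documentation address and the "a" payload is an arbitrary placeholder).

```python
import re

# Request-shape traits taken from the C2 request documented above.
PATH_RE = re.compile(r"^/[A-Za-z0-9_-]+\.(?:png|htm)$")       # /<random>.png|htm
HOST_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")  # bare hard-coded IP
BODY_RE = re.compile(r"^a=[^&]+&b=AAAAAA$")                   # a=<blob>&b=AAAAAA

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = (lines[0].split(" ", 2) + ["", ""])[:3]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return method, path, headers, body.strip()

def waledac_indicators(raw: str) -> list:
    """Return the documented Waledac C2 traits present in one request."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if method == "POST" and PATH_RE.match(path):
        hits.append("post_to_random_png_or_htm")
    if HOST_IP_RE.match(headers.get("host", "")):
        hits.append("host_is_bare_ip")
    if headers.get("referer") == "Mozilla":
        hits.append("referer_literal_mozilla")
    if headers.get("user-agent") == "Mozilla":
        hits.append("user_agent_literal_mozilla")
    if (headers.get("content-type") == "application/x-www-form-urlencoded"
            and BODY_RE.match(body)):
        hits.append("body_a_blob_b_AAAAAA")
    return hits

def is_waledac_c2(raw: str, threshold: int = 4) -> bool:
    """Flag when at least `threshold` of the five traits co-occur (assumed value)."""
    return len(waledac_indicators(raw)) >= threshold

# Constructed samples, not captured traffic; 192.0.2.10 is a documentation address.
SUSPECT = ("POST /kj3h4f.png HTTP/1.1\r\nReferer: Mozilla\r\nAccept: */*\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla\r\n"
           "Host: 192.0.2.10\r\nContent-Length: 44\r\nCache-Control: no-cache\r\n\r\n"
           "a=Zm9vYmFyYmF6cXV4cXV1eHdvb2JsZW9rYQ==&b=AAAAAA")
BENIGN = ("POST /search HTTP/1.1\r\nHost: www.example.com\r\n"
          "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\nq=waledac&lang=en")

if __name__ == "__main__":
    print(waledac_indicators(SUSPECT), is_waledac_c2(SUSPECT))  # five traits, True
    print(waledac_indicators(BENIGN), is_waledac_c2(BENIGN))    # [], False
```

Run over proxy or IDS request logs one request at a time; the per-trait list lets an analyst see which traits fired rather than only a boolean.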
Malware Behavior on Host
When Waledac is executed, it creates the following registry entry to auto-execute itself at Windows startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- PromoReg = <malware path>
It then adds a registry entry that acts as an identification mark for the malware:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
It also adds a registry value named RList, containing an AES-encrypted list of IP addresses:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
- RList = <AES encrypted list of IP address>
It then tries to harvest email addresses from files with the following extensions:
- .avi
- .mov
- .wmv
- .mp3
- .wave
- .wav
- .wma
- .ogg
- .vob
- .jpg
- .jpeg
- .gif
- .bmp
- .exe
- .dll
- .ocx
- .class
- .msi
- .zip
- .7z
- .rar
- .jar
- .gz
- .hxw
- .hxh
- .hxn
- .hxd
Any harvested email addresses are then spammed.
Additionally, Waledac lowers the security settings of Internet Explorer and also collects system information.