It appears that the Waledac authors have decided the share the “love” theme has worn itself out, and have updated the website template to a new theme I have titled the “Couponizer”. This new theme is right inline with the “sharing” social engineering trickery we have grown to expect from malware authors. This theme offers to share with you the unsuspecting website visitor money saving coupons that can only be found by downloading and installing their binary, which is really the Waledac Trojan. So instead of them sharing money saving coupons, the end user ends up sharing their bandwidth with the Waledac authors to aid in distributing more of these money saving spam emails and other spamming campaigns. All of this of course in done free of charge to the compromised host, unless your paying for bandwidth under a pay per usage format. Ouch, if you are having to use one of these outdated plans as I can only hope those types plans have long disappeared for your normal residential service connections. Imagine your phone bill if Waledac could infect your handheld device and utilize minutes on your wireless data plan. Not a pretty picture if you ask me.
Anyways let me provide you all with a snapshot of the current web page template, so that we can send out our administrative spam warning our users not to download and install anything from a site that looks like this:
So as we can see the theme is not lacking in professionalism. The major dead give away for this template and many of the other Waledac Trojan templates is that every item on the page is really an image. There is really no real text, unless you count the unseen “iframe” lurking behind the scenes hosting several well structured exploits and redirections. Back to the images, all of the images on the page are hyperlinked to a binary file, so this again is a dead give away. We should warn our users to never install executable content from websites like this. Hey better yet, why are we still allowing our users to install binaries anyways? You know that if we followed the hundreds if not thousands of hardening guides found all over the Internet I am sure one of the first steps found in almost everyone of them is to remove administrator rights from normal usage accounts and create a software distribution and installation policy. So why are campaigns like this still so effective? Most likely because we know what the right thing is to do, but many times there are roadblocks in the way that prevent us from implementing policies like these. On that note, if the DOD can force you to glue your USB ports with some sort of Epoxy I would venture to say removing administrator rights from your users should be an easy accomplishment. Now if your part of the DOD don’t go sending missiles to my house as this was just an observation, and no pun intended.
It also looks like the polymorphic generation of the Waledac binaries and the rotation of binary names we have seen since the 6th of February, which may I add was exactly 2 days after I posted that the update cycle for the Waledac binaries appeared to be ~15 hours (shame on me), is still well on it’s way to causing the best of the best Antivirus Companies and Malware detection companies to stay up late at night or just give up all together. I definitively do not fault the Antivirus industry for this poor detection rate, as how do you create static file signatures on something that is constantly changing? The fault of successful malware campaigns such as Waledac should lie directly on the shoulders of the system security plan authors, ITSMs, CTOs, and security professionals chartered with securing computers and networks. Stopping Waledac is almost trivial if you will put into place a good patch management system, and take away administrative rights for general usage accounts. Teach those that require administrative rights such as system administrators to use the “run as” functionality in Windows, it is there for a reason. Stop making excuses on why you can’t do these things, and just do it. I am sure you will feel the pains that all of us that have already removed our users administrator rights have felt in dealing with users that believe they need to run their daily accounts as an administrator. Nobody said computer and network security was an easy task, so lets just buckle down and fix the fundamental issue here instead of blaming others for our problems such as the Antivirus industry. Hmm, that sounded like a “rant”…
In the mean time if you can’t pull administrative rights feel free to utilize the Waledac Tracker on my site to put into place content filters, DNS blackholing, Firewall rules, and IDS/IPS signatures to match on content downloads or IP addresses. I don’t think this is an effective solution, but hey sometimes you just have to make due with what you got. On that note I have been supplying one of my favorite projects “EmergingThreats.net” IP addresses from my Waledac Tracker for IP addresses that have demonstrated some sort of activity in the last 72 hours. Matt has put into place a mechanism to update his compromised host ruleset with these IP addresses every 24 hours, so you may want to take advantage of this and start using this projects rulesets if you don’t already. EmergingThreats.net has come along way over the last few years, and I can say from personal experience in the IDS world their rulesets do a very good job at detecting botnets, and other malicious content that can’t be seen when only running the Snort.org VRT rulesets. Nothing wrong with the VRT ruleset either, so I would recommend running both of these rulesets and updating constantly.
As always feel free to contact me if you have any questions or comments.
UPDATE: 22 Feb 2009 ~6:00 PM CST (GMT-6)
Much to my surprise there is a legitimate “Couponizer.com” site in which the Waledac Authors stole their latest theme from. Give it a look-see here: The Couponizer. I just sent the admin contact for “The Couponizer.com” website a short note letting them know their reputation is being tarnished as we speak. Not much they can do about it except maybe put out the standard news release stating they have no involvement with the Waledac Trojan.