Waledac, The New Storm Worm?

Posted on February 11th, 2009 by Benjamin Harbin

Security researchers have seen a new worm, called Waledac, quickly spreading through many networks. Many of these researchers feel that Waledac bears a striking resemblance to one of the most devastating worms of all time, Storm. Like the Storm worm, Waledac is spread through emails that appear to be holiday-themed “e-cards.” So far, users and researchers have seen both Christmas and Valentine’s Day e-cards being used.

The email itself carries one of many subject lines, such as “Happy Holidays” and “Be My Valentine.” The Christmas-themed emails include an attachment, which is always “ecard.exe”; when a user double-clicks the executable, the worm is installed on the PC. The Valentine’s Day-themed e-cards use a different tactic: the email contains a link that supposedly leads to the e-card. The link takes the user to a website showing many variants of Valentine’s Day heart icons and the message, “Guess which heart is for you?” Regardless of which icon is clicked, the worm is then installed on the PC.

Once installed, the worm quickly tries to propagate by searching all files and removable drives on the PC for email addresses, then spams copies of itself to every address it is able to harvest. Waledac is also programmed to collect and “keylog” certain user data, encrypt it, and send it to destinations selected by the worm. The Waledac authors also appear able to control the worm on infected PCs and push updated malicious code to the device.

The good news is that AV vendors are actively researching the worm and have collected a lot of valuable information on its inner workings, so it is important to keep all anti-virus clients and signatures up to date. Older variants of the worm had IPs hard-coded, but newer strains run on fast-flux and double fast-flux networks, so the IPs and domains change regularly. This means that, once a PC is infected, it will be very hard to stop the outbound connections with a firewall product. The best way to protect a network from this worm is user awareness: users must be made aware of this malware delivery method and analyze every email and attachment before they agree to open it.
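As an added example (not code from the original post), here is a small mail-gateway classifier that flags the lure traits described above: the holiday subject lines, the “ecard.exe” attachment of the Christmas variant, and a lure subject paired with an external link as in the Valentine variant. The sample messages, addresses and hostnames are constructed for the demonstration.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Lure traits described in the post: the holiday subject lines, the "ecard.exe"
# attachment (Christmas variant) and a link to the e-card page (Valentine variant).
LURE_SUBJECTS = {"happy holidays", "be my valentine"}
LURE_ATTACHMENT = "ecard.exe"
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def classify_message(raw: bytes) -> dict:
    """Return a verdict ('block', 'hold' or 'allow') and the reasons behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    lure_subject = subject in LURE_SUBJECTS
    reasons, has_exe, has_link = [], False, False
    if lure_subject:
        reasons.append(f"known lure subject {subject!r}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name == LURE_ATTACHMENT:
            has_exe = True
            reasons.append("attachment named ecard.exe")
        elif name.endswith(".exe"):
            has_exe = True
            reasons.append(f"executable attachment {name!r}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            has_link = has_link or bool(URL_RE.search(part.get_content()))
    if lure_subject and has_link:
        reasons.append("lure subject combined with an external link")
    # Executable attachments are blocked outright; a lure subject plus a link is held for review.
    verdict = "block" if has_exe else "hold" if lure_subject and has_link else "allow"
    return {"verdict": verdict, "reasons": reasons}


def sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Constructed sample message (not a real capture) for exercising the classifier."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.test", "user@example.test", subject
    m.set_content(body)
    if attachment:  # a few placeholder bytes stand in for the executable payload
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


if __name__ == "__main__":
    print(classify_message(sample("Happy Holidays", "Open your card!", "ecard.exe")))
    print(classify_message(sample("Be My Valentine", "Which heart is for you? http://example.test/hearts")))
```

Subject lines alone are not enough to act on, which is why the classifier only escalates when a lure subject is combined with an executable attachment or an external link.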
