Another Holiday, Another E-Card Run – Waledec
by Jose Nazario

But this time it’s not Storm, nor does it even seem at all like Storm. This one is dubbed Waledec. Infection strategy: entice email users to come to the website and get a greeting card. No graphics, but it will entice you anyhow. “Daniel just mailed to you an Online greeting card.” Thanks, Daniel!
Subject lines I’ve seen in our spamtraps:
- Merry Christmas greetings for you
- You have received an eCard
The website you go to says, “Merry Christmas”, and “If you don’t see your greeting card, just click here to download it.” Here comes /ecard.exe, as always, via a meta-refresh. No HTTP browser exploits on the site.
This is hosted on a fast flux network. You can see many of the IPs via BFK passive DNS. DNS TTLs are 0 seconds, and double flux appears to be afoot for the DNS servers, too:

```
;; QUESTION SECTION:
;justchristmasgift.com.			IN	A

;; ANSWER SECTION:
justchristmasgift.com.		0	IN	A	88.178.196.34

;; AUTHORITY SECTION:
justchristmasgift.com.		172792	IN	NS	ns6.justchristmasgift.com.
justchristmasgift.com.		172792	IN	NS	ns3.justchristmasgift.com.
justchristmasgift.com.		172792	IN	NS	ns5.justchristmasgift.com.
justchristmasgift.com.		172792	IN	NS	ns1.justchristmasgift.com.
justchristmasgift.com.		172792	IN	NS	ns4.justchristmasgift.com.
justchristmasgift.com.		172792	IN	NS	ns2.justchristmasgift.com.

;; ADDITIONAL SECTION:
ns1.justchristmasgift.com.	172792	IN	A	82.51.97.146
ns2.justchristmasgift.com.	172792	IN	A	89.79.215.57
ns3.justchristmasgift.com.	172792	IN	A	70.61.170.203
ns4.justchristmasgift.com.	172792	IN	A	85.180.189.51
ns5.justchristmasgift.com.	172792	IN	A	24.82.3.140
ns6.justchristmasgift.com.	172792	IN	A	77.35.248.144
```
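To show what the fast-flux signs above look like when checked mechanically, here is an added example (not from the original post or from Arbor) that parses dig-style output and scores the zero-TTL answer plus in-zone name servers whose glue is scattered across unrelated /8 networks. The sample records are copied from the dig output in the post; the benign sample and its hosts are constructed.

```python
import re

# Sample 1: records copied from the post's dig output (a subset of the NS set).
FLUX_OUTPUT = """\
;; ANSWER SECTION:
justchristmasgift.com. 0 IN A 88.178.196.34
;; AUTHORITY SECTION:
justchristmasgift.com. 172792 IN NS ns1.justchristmasgift.com.
justchristmasgift.com. 172792 IN NS ns2.justchristmasgift.com.
justchristmasgift.com. 172792 IN NS ns3.justchristmasgift.com.
;; ADDITIONAL SECTION:
ns1.justchristmasgift.com. 172792 IN A 82.51.97.146
ns2.justchristmasgift.com. 172792 IN A 89.79.215.57
ns3.justchristmasgift.com. 172792 IN A 70.61.170.203
"""
# Sample 2: constructed benign zone, long TTLs, NS at a third-party host.
BENIGN_OUTPUT = """\
;; ANSWER SECTION:
example.net. 3600 IN A 203.0.113.10
;; AUTHORITY SECTION:
example.net. 86400 IN NS ns1.dnshost.example.
example.net. 86400 IN NS ns2.dnshost.example.
"""
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")

def parse_records(text):
    """Return (owner, ttl, type, rdata) tuples; ';;' section headers are skipped."""
    recs = []
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            recs.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return recs

def flux_indicators(text, domain, low_ttl=60):
    """Score the double-flux pattern: near-zero A TTL plus in-zone NS hosts on scattered networks."""
    recs = parse_records(text)
    domain = domain.lower().rstrip(".") + "."
    a_ttls = [ttl for o, ttl, t, _ in recs if o == domain and t == "A"]
    ns_names = {r for o, _, t, r in recs if o == domain and t == "NS"}
    glue = {o: r for o, _, t, r in recs if t == "A" and o in ns_names}
    ns_in_zone = {n for n in ns_names if n.endswith("." + domain)}
    ns_slash8 = {ip.split(".")[0] for ip in glue.values()}  # crude: first octet only
    return {
        "min_a_ttl": min(a_ttls) if a_ttls else None,
        "low_ttl_a": bool(a_ttls) and min(a_ttls) <= low_ttl,
        "ns_in_zone": len(ns_in_zone),
        "ns_distinct_slash8": len(ns_slash8),
        "double_flux_suspect": len(ns_in_zone) >= 3 and len(ns_slash8) >= 3,
    }
```

Real hosting providers also spread name servers across networks, so treat the flag as a triage hint to pair with passive DNS history, not as a verdict on its own.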
From continuous mining we see the following domain names:
- justchristmasgift.com
- directchristmasgift.com
- livechristmasgift.com
- yourdecember.com
- cheapdecember.com
And possibly others, but that’s all that passive DNS mining yielded for me. The ecard.exe binary is pretty much malcode, as you would expect. Here’s the variant I downloaded and analyzed from the fast flux service network:
- MD5: 218a9ca83bbac7258bf4f83d8c614e25
- SHA1: bbc3b4d084c8cf5547ca2baa0deec5021a930430
- PEHash: fa7e22c3db83ccb6696610de314f2791ee05c832
- File type: application/x-ms-dos-executable
- File size: 387072 bytes
Pretty weak detection when we look via VirusTotal. Two vendors dubbed it Waledec, however:
- Microsoft 1.4205 2008.12.20 Trojan:Win32/Waledac.A
- NOD32 3709 2008.12.20 a variant of Win32/Waledac
Once we UPX unpack the binary and rip into it we can see some of the behaviors explained. It appears to have the OpenSSL library compiled in. Here’s part of the public key certificate it uses to communicate:
It sends data to a hardcoded list of servers, presumably reporting on infections and on the clients that talk to it.
It also seems to scavenge the files on the drive with these extensions, presumably for email addresses:
.avi .mov .wmv .mp3 .wave .wav .wma .ogg .vob .jpg .jpeg .gif .bmp .exe .dll .ocx .class .msi .zip .7z .rar .jar .gz .hxw .hxh .hxn .hxd
We’re still analyzing it. Many in the anti-malware research community have been gathering more data on it, so keep an eye out on blogs and elsewhere for more information.
I found a few more that look like the same operation:
- decemberchristmas.com
- freedecember.com
- superchristmasday.com
- blackchristmascard.com