Hello Waledac, My Old Friend
One highlight in our upcoming mid-year security report is the sophisticated business strategies employed by modern cybercriminals. I can’t think of a better example than Waledac…We studied the Storm botnet in 2007. And we weren’t alone, as Storm’s sophisticated socially engineered emails, peer-to-peer networking and prolific spamming innovations had every security researcher hot on Storm’s trail. My team’s research into the connection between Storm, Canadian Pharmacy and Glavmed/SpamIt.com unveiled a complex business ecosystem that was previously unknown — botnets like Storm sending spam for illegal pharmacy businesses like Glavmed.The industry responded by shutting down Storm’s command-and-control ISP and removing the malware from PCs. Storm was dead — albeit after millions of infected PCs sent hundreds of billions of spam messages.But the calm didn’t last long. Storm was reborn as Waledac in December 2008. While Waledac hadn’t advanced much technically — same P2P, same Canadian Pharmacy/Glavmed connection with template-based spamming, same social engineering tricks to spread the malware via email — the Waledac business development team had been busy expanding their partnerships beyond Glavmed to include Yambo Financials, Conficker and Rogue Antivirus.Let’s start with Conficker. In April our researchers found Waledac was propagating in a whole new way — Conficker E was updated with the Waledac malware! Successfully updated Conficker nodes used the Waledac malware to spam for pharma sites and propagate their malware. Conficker had previously done little to monetize their botnet, while the Storm/Waledac crew knew how to squeeze every penny out of their botnet to make millions. It was a partnership made in hell: Conficker gets a revenue stream and Waledac gets more bots.We also found evidence of real-time technical collaboration. In late March, the Conficker.c running in our malware lab launched a very unique self-protection mode to prevent inspection by packet-capture software Wireshark. Conficker didn’t just kill Wireshark, as stated in many blogs, it ran a process scanner that looked for wireshark.exe. If Conficker.c detected Wireshark running it would kill it on the first instance. Subsequently, Conficker wouldn’t kill Wireshark but would instead hook into something between the driver and Wireshark (perhaps the winpcap library) and hide all of the interfaces from Wireshark. Wireshark would still be running but there would be no interfaces available to capture! This is a very sophisticated and unique way for the Conficker malware to ensure it is not monitored by Wireshark.A few days later the Waledac in our lab exhibited the exact same behavior as what we had seen with Conficker! The business guys and the techies are working together.Waledac has also been observed to download Rogue Antivirus, one of 2008’s biggest malware money makers. And Waledac expanded beyond its Canadian Pharmacy partnership to spam for “Canadian Health & Care Mall” aka Yambo Financials.What’s the next business strategy for cybercriminals? Anything and everything to maximize their profits. Bottom line: it’s not just about the vulnerabilities, exploits and malware. Our challenges and criminals’ profits are driven by criminal adoption of sophisticated business practices. Look for the full story on July 14 when we release our mid-year security report.