The Waledac botnet has been actively used to push malware since last year.
The tactics employed by Waledac are so similar to the old Storm Worm that we have reason to believe they are closely connected.
Last night, the websites used to push Waledac infections got an overhaul.
We started seeing infection reports of filenames like sms.exe, trial.exe, smstrap.exe, freetrial.exe and smsreader.exe.
When we went searching, we noticed that the Waledac sites now looked like this:
Nice graphics, jerks.
Anyway, these sites had domain names like downloadfreesms.com, chinamobilesms.com and smsclubnet.com.
If you check the DNS records for these domains, you'll notice that they have a time-to-live set to zero, and they use that to hand out a different IP address every time you query them. This is fast flux in action.
Let's monitor the IP address of smsclubnet.com for two minutes:
Time      IP
11:00:17  118.232.218.209
11:00:22  211.105.220.204
11:00:28  121.179.73.185
11:00:33  124.8.89.29
11:00:38  69.55.30.158
11:00:44  116.127.184.49
11:00:49  201.42.136.214
11:00:54  89.35.18.27
11:01:00  24.77.250.131
11:01:05  118.130.83.202
11:01:11  77.78.150.199
11:01:16  211.180.118.70
11:01:21  189.111.197.36
11:01:27  121.183.32.80
11:01:32  211.218.197.220
11:01:38  121.183.32.80
11:01:43  125.129.151.33
11:01:48  151.60.88.70
11:01:54  121.179.73.186
11:01:59  210.207.217.154
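The capture above is the kind of data a resolver-side fast-flux check works on. The script below is an added example, not code from the original post: it takes the (time, IP) observations transcribed from the two-minute capture, computes the indicators that distinguish fast flux from an ordinary round-robin record (distinct addresses, distinct /16 networks, how often the answer changes, the TTL), and applies a simple threshold rule. The TTL value passed in, the threshold numbers and the benign control record are assumptions chosen for illustration.

```python
"""Fast-flux indicators from repeated DNS lookups (added example).

The observation list is transcribed from the post's two-minute capture of
smsclubnet.com; TTL, thresholds and the benign control are assumptions.
"""

# Observations from the post, constructed here as a Python list. In practice
# they would come from a resolver loop (e.g. `dig +short` once per TTL).
OBSERVATIONS = [
    ("11:00:17", "118.232.218.209"), ("11:00:22", "211.105.220.204"),
    ("11:00:28", "121.179.73.185"),  ("11:00:33", "124.8.89.29"),
    ("11:00:38", "69.55.30.158"),    ("11:00:44", "116.127.184.49"),
    ("11:00:49", "201.42.136.214"),  ("11:00:54", "89.35.18.27"),
    ("11:01:00", "24.77.250.131"),   ("11:01:05", "118.130.83.202"),
    ("11:01:11", "77.78.150.199"),   ("11:01:16", "211.180.118.70"),
    ("11:01:21", "189.111.197.36"),  ("11:01:27", "121.183.32.80"),
    ("11:01:32", "211.218.197.220"), ("11:01:38", "121.183.32.80"),
    ("11:01:43", "125.129.151.33"),  ("11:01:48", "151.60.88.70"),
    ("11:01:54", "121.179.73.186"),  ("11:01:59", "210.207.217.154"),
]

# Constructed control: a normal site answering with one address (TEST-NET-1).
BENIGN = [("11:00:17", "192.0.2.10"), ("11:00:22", "192.0.2.10"),
          ("11:00:28", "192.0.2.10"), ("11:00:33", "192.0.2.10")]


def _seconds(hhmmss):
    """Convert 'HH:MM:SS' to seconds since midnight."""
    h, m, s = (int(part) for part in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def _prefix16(ip):
    """First two octets, a cheap stand-in for 'different network'."""
    return ".".join(ip.split(".")[:2])


def flux_metrics(observations, ttl):
    """Summarise a series of (time, answered IP) lookups for one name."""
    ips = [ip for _, ip in observations]
    times = [_seconds(t) for t, _ in observations]
    # Count how many consecutive answers differ from the previous one.
    changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    return {
        "queries": len(ips),
        "window_seconds": times[-1] - times[0],
        "distinct_ips": len(set(ips)),
        "distinct_slash16": len({_prefix16(ip) for ip in ips}),
        "changes": changes,
        "ttl": ttl,
    }


def looks_fast_flux(metrics, max_ttl=300, min_ips=5, min_networks=3):
    """Assumed rule: tiny TTL plus many addresses spread over many networks.

    A CDN may also rotate answers, but usually within a few of its own
    networks; a botnet of home machines lands all over the address space.
    """
    return (metrics["ttl"] <= max_ttl
            and metrics["distinct_ips"] >= min_ips
            and metrics["distinct_slash16"] >= min_networks)


if __name__ == "__main__":
    m = flux_metrics(OBSERVATIONS, ttl=0)
    print(m, "fast flux" if looks_fast_flux(m) else "not flagged")
    b = flux_metrics(BENIGN, ttl=3600)
    print(b, "fast flux" if looks_fast_flux(b) else "not flagged")
```

On the post's capture this yields 20 queries, 19 distinct addresses spread over 18 different /16 networks, and a new answer on every single query, which with a zero TTL trips the rule; the single-address control with an hour-long TTL does not.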
And all those IP addresses are infected home computers, where the owner of the computer has no idea he's actually running a webserver — which is serving viruses.
This botnet is not just used to host the malware: the malware itself uses it when calling home. When Waledac is executed, it does dozens of HTTP posts to IP addresses belonging to this botnet.
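That call-home pattern, a workstation issuing HTTP POSTs to a run of bare IP addresses rather than to hostnames, is visible in a web proxy log. The following is an added example, not code from the original post: it scans constructed proxy log lines in a simplified space-separated format (epoch, client, method, URL, status) and flags any client that POSTs to several different IP-literal destinations within a short window. The log format, the window and the minimum-destination threshold are assumptions; the destination addresses in the sample are taken from the post's capture.

```python
"""Flag clients that POST to many bare IP addresses in a short window
(added example, not from the post).

Log format is a constructed simplification: "<epoch> <client> <method> <url> <status>".
"""
import re
from collections import defaultdict

# Matches a URL whose host part is an IPv4 literal (optionally with a port).
BARE_IP_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)")

# Constructed sample: 10.0.0.5 shows the call-home pattern described in the
# post; 10.0.0.7 is ordinary browsing to a named host.
SAMPLE_LOG = """\
1232100000 10.0.0.5 POST http://118.232.218.209/ 200
1232100003 10.0.0.5 POST http://211.105.220.204/ 200
1232100005 10.0.0.7 GET http://www.example.com/index.html 200
1232100007 10.0.0.5 POST http://121.179.73.185/ 200
1232100010 10.0.0.5 POST http://124.8.89.29/ 200
1232100012 10.0.0.7 POST http://www.example.com/login 302
1232100015 10.0.0.5 POST http://69.55.30.158/ 200
"""


def parse_line(line):
    """Split one log line; ip_dest is set only when the URL host is a bare IP."""
    ts, client, method, url, status = line.split()
    match = BARE_IP_URL.match(url)
    return {
        "ts": int(ts),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "ip_dest": match.group(1) if match else None,
    }


def bare_ip_posters(log_text, window=60, min_distinct=4):
    """Return {client: sorted bare-IP POST targets} for every client that
    POSTed to at least `min_distinct` different bare IPs inside any span of
    `window` seconds. Thresholds are assumptions for this example."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event["method"] == "POST" and event["ip_dest"]:
            events[event["client"]].append((event["ts"], event["ip_dest"]))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        # Slide a window starting at each event; stop at the first hit.
        for i, (start, _) in enumerate(evs):
            targets = {ip for ts, ip in evs[i:] if ts - start <= window}
            if len(targets) >= min_distinct:
                flagged[client] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    for client, targets in bare_ip_posters(SAMPLE_LOG).items():
        print(f"{client} POSTed to {len(targets)} bare IPs: {', '.join(targets)}")
```

On the sample this flags only 10.0.0.5, which reached five distinct IP-literal destinations in fifteen seconds; a single POST to a bare IP, or a burst of POSTs to a named host, stays under the rule. In a real deployment the window and threshold would be tuned against the site's baseline, since some legitimate software also talks to raw addresses.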
The Waledac gang has registered over 100 .com domains for their purposes. You can actually tell a bit about their operations if you arrange their domains into groups. Practically all the domains they own are registered to these email addresses: hanlin_425@126.com, lijian@qq.com and wusong_ccc@126.com.