Just a quick update, the three part series I have blogged here has been published today as a White Paper. If you’re interested it can be downloaded here as a 13 page PDF.
TrendLabs researcher Ivan Macalintal has this evening discovered a new variant of Downad/Conficker called WORM_DOWNAD.E spreading over the peer-to-peer functionality of the previous version of this now infamous worm.
As well as reactivating the original propagation functionality, this new variant sheds some extra light on possible links with other malware and on the origins of the worm. This new Downad/Conficker variant is talking to a server already known to be associated with the Waledac family of malware, in order to download further malicious components. These components have so far been missing, but could this finally be the “other boot dropping” that we have all been waiting for?
Waledac has, for a while now, been suspected to be the latest offering from the people behind the Storm botnet. Could it be that Downad/Conficker, Waledac and Storm all originate from the same cybercriminal gang?
Please read the TrendLabs Malware blog for a detailed breakdown.
This attack is covered in detail over on the TrendLabs Malware Blog
Coupons & Barack Obama in January, Valentines in February and now video news in March. Waledac has once again reinvented itself. The creators have moved on from their coupon-related campaign and are now using fake big news events with associated video content to fool the user into downloading “the latest Flash Player” to view it. “The latest Flash Player” is of course the newest variant of the Waledac worm.
This is what the spam message leads you to if you live in San Jose.
Don’t be fooled by the location though; the site is running a couple of clever scripts. One of them will detect the location of your IP address and vary the location of the disaster accordingly; the other will vary the name of the downloaded file (news.exe, save.exe, run.exe etc.). Trend Micro detects the malicious file as WORM_WALEDAC.NYS and blocks the malicious domains.
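The filename rotation described above is itself a usable signal on the defender's side: a single host handing out the same-sized executable under several different generic names is not how legitimate software is distributed. The following is an added example, not code from the original post or from Trend Micro, that runs that check over a few constructed proxy log lines. The hostnames, client addresses and the log format (timestamp, client, method, URL, status, content type, bytes) are all assumptions made for the example; only the rotating names news.exe, save.exe and run.exe come from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines for the example (hostnames and addresses are
# placeholders, not indicators from the post).
# Fields: timestamp client method url status content_type bytes
SAMPLE_LOGS = [
    "2009-03-10T09:12:01 10.0.0.5 GET http://news-video-example.invalid/ 200 text/html 4120",
    "2009-03-10T09:12:03 10.0.0.5 GET http://news-video-example.invalid/news.exe 200 application/octet-stream 221184",
    "2009-03-10T09:15:44 10.0.0.9 GET http://news-video-example.invalid/ 200 text/html 4118",
    "2009-03-10T09:15:47 10.0.0.9 GET http://news-video-example.invalid/run.exe 200 application/octet-stream 221184",
    "2009-03-10T09:20:10 10.0.0.12 GET http://news-video-example.invalid/save.exe 200 application/octet-stream 221184",
    "2009-03-10T09:30:00 10.0.0.7 GET http://intranet.example/reports/q1.pdf 200 application/pdf 90210",
    "2009-03-10T09:31:00 10.0.0.8 GET http://updates.example/setup.exe 200 application/octet-stream 5000000",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\d+)$")

# Generic file names the post reports the lure site rotating through.
LURE_NAMES = {"news.exe", "save.exe", "run.exe"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ctype, size = m.groups()
    parts = urlsplit(url)
    return {
        "ts": ts,
        "client": client,
        "host": parts.hostname or "",
        "path": parts.path,
        "status": int(status),
        "ctype": ctype,
        "size": int(size),
    }


def executable_downloads(lines):
    """Yield parsed records for successful responses whose path ends in .exe."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 200 and rec["path"].lower().endswith(".exe"):
            rec["name"] = rec["path"].rsplit("/", 1)[-1].lower()
            yield rec


def find_rotating_lures(lines):
    """Return {host: finding} for hosts that serve rotating or known lure executables.

    A host is flagged when the same response size is served under two or more
    different file names (filename rotation), or when any served name is in
    LURE_NAMES. Each finding lists the reasons, the names seen and the number
    of distinct clients that fetched an executable from that host.
    """
    by_host = defaultdict(list)
    for rec in executable_downloads(lines):
        by_host[rec["host"]].append(rec)

    findings = {}
    for host, recs in by_host.items():
        reasons = []
        names = {r["name"] for r in recs}

        # Same payload size served under several names: the rotation the post describes.
        names_by_size = defaultdict(set)
        for r in recs:
            names_by_size[r["size"]].add(r["name"])
        rotated = [n for n in names_by_size.values() if len(n) >= 2]
        if rotated:
            reasons.append(
                "same-size executable served under %d different names" % max(len(n) for n in rotated)
            )

        known = names & LURE_NAMES
        if known:
            reasons.append("known lure file name(s): " + ", ".join(sorted(known)))

        if reasons:
            findings[host] = {
                "reasons": reasons,
                "names": sorted(names),
                "clients": len({r["client"] for r in recs}),
            }
    return findings


if __name__ == "__main__":
    for host, finding in find_rotating_lures(SAMPLE_LOGS).items():
        print(host, finding)
```

The size-based check is the more durable of the two, since the rotating names can change at any time while the payload served during one campaign tends not to; a real deployment would key on a content hash from the proxy where one is logged rather than on byte count alone.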
Further evidence, as if any were needed, that the botnet creators are still actively filling the void left behind by various events of last year, such as the dismantling of the Storm botnet and the takedown of McColo.