New botnet shares fast flux DNS and other similarities with Storm and Waledac.
In the last few days of 2010, security researchers discovered a new botnet that shares many similarities with the Waledac and Storm botnets.
The botnet started with a spam campaign that sent millions of emails claiming to be holiday e-cards – a well-known trick used to lure users into clicking malicious links, and one that has already been used by Waledac and Storm. The typical email contains a link to a page on a hacked website, and when that link is clicked the user is automatically redirected to a domain controlled by the spammers.
This domain then resolves to the IP address of an infected machine which, among other things, runs a web server and infects the user with a copy of the malware. By using fast flux DNS, the botherders have ensured that the domain will continue to be resolvable if an infected computer is taken down.
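As an added example (not part of the Virus Bulletin post), the following Python flags fast-flux behaviour of the kind described above from passive-DNS style logs: a name that resolves to many different addresses in unrelated networks with short TTLs. The log lines, domain names and addresses are constructed; the thresholds are assumptions a defender would tune to their own data.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: "<epoch> <qname> <rrtype> <answer> <ttl>" (not real data).
# The flux domain answers with a fresh host in a different network on each
# lookup with short TTLs; the control domain is stable with a long TTL.
SAMPLE_LOG = """\
1293840000 ecard-holiday.example A 198.51.100.17 120
1293840120 ecard-holiday.example A 203.0.113.44 120
1293840240 ecard-holiday.example A 192.0.2.201 60
1293840360 ecard-holiday.example A 198.51.100.90 120
1293840480 ecard-holiday.example A 203.0.113.5 60
1293840600 ecard-holiday.example A 192.0.2.33 120
1293840000 static-site.example A 192.0.2.10 86400
1293843600 static-site.example A 192.0.2.10 86400
"""

def parse_dns_log(text):
    """Parse A-record lines into (timestamp, name, ip, ttl); skip other types."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, rrtype, answer, ttl = line.split()
        if rrtype == "A":
            records.append((int(ts), name, ip_address(answer), int(ttl)))
    return records

def domain_stats(records):
    """Per-domain indicators: distinct IPs, distinct /24 networks, mean TTL."""
    rows = defaultdict(list)
    for _ts, name, ip, ttl in records:
        rows[name].append((ip, ttl))
    stats = {}
    for name, items in rows.items():
        ips = {ip for ip, _ in items}
        # Flux peers are infected consumer hosts, so they sit in many /24s.
        nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        stats[name] = {
            "ips": len(ips),
            "nets": len(nets),
            "mean_ttl": sum(ttl for _, ttl in items) / len(items),
        }
    return stats

def is_fast_flux(stat, min_ips=5, min_nets=3, max_ttl=300):
    """Many IPs across unrelated networks with short TTLs is the flux signature."""
    return stat["ips"] >= min_ips and stat["nets"] >= min_nets and stat["mean_ttl"] <= max_ttl

def flag_fast_flux(text):
    """Return the sorted list of domains in the log that look fast-fluxed."""
    return sorted(n for n, s in domain_stats(parse_dns_log(text)).items() if is_fast_flux(s))
```

On the constructed sample, `flag_fast_flux(SAMPLE_LOG)` returns only the e-card domain; in practice the thresholds should be checked against known CDN and round-robin domains, which also churn addresses but usually within few networks.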
A list of the IP addresses of 500 peers is hard-coded in the malware. Every 10 minutes, the bots connect to one of these hosts and each downloads a list of 10 new peers and their IP addresses. This peer-to-peer behaviour makes the botnet less dependent on a centralized command-and-control server.
Detected samples of the malware all have different checksums, but each has a file size of 485,888.
More can be found at Shadowserver, or on Kaspersky's Securelist blog.
Posted on 04 January 2011 by Virus Bulletin