More malware news

I just received this from a friend, so I thought I would pass it along.

Fourth of July is a highly anticipated holiday, not only by U.S. citizens, but by the creators of the Waledac worm as well, who are anxious to profit from the massive public interest surrounding it. Security researchers warn that an Independence Day-themed Waledac spam campaign, looking to infect users through a fake fireworks show video, has already started and is expected to hit inboxes hard over the weekend.

Initial reports of an imminent Waledac campaign targeting the Fourth of July came in yesterday morning, when malware analysts tracking the worm noticed that some of its domains started to serve a YouTube-cloned page featuring a fake Independence Day video. A few hours later on Friday the first e-mails spreading these malicious URLs were caught in the spam traps of multiple security companies and organizations.

Waledac, also known as Iksmas, is the successor of the infamous Storm worm. Just as its late relative, it leverages on major holidays or important events for its spam runs. One of its main purposes, except for propagating itself, is to generate income for its creators by distributing rogue security applications (scareware).

One of the worm’s signatures is the use of “fake video codec” scams in its campaigns, which is also the case with this latest one. The spam e-mails have subjects such as “Light up the sky,” and contain a single line. One of the samples reads “American Independence Day,” followed by a link to one of the many abusive domains.

Fake Waledac video sample
Enlarge picture
Clicking on the URL will open a page with what looks to be an embedded video but is actually just a linked image. “Colorful independence day took place throughout the country. This year July 4th firework’s show were surprisingly amazing. […] If you want to see this fantastic show just click on the video below and press ‘Run’,” a message on the page reads.

Attempting to view the video will prompt the download of an executable file, which is actually the worm installer and has a very low AV detection rate for the time being. “The ‘install.exe’ which we downloaded actually had the SMTP engine built in, so we would say this [sending spam] is the primary purpose. The Waledac executable is also doing huge volumes of peer to peer traffic […],” notes Gary Warner, director of research in computer forensics at UAB.

In addition, the worm downloads and installs a rogue AV product called “System Security,” which warns users of inexistent threats on their computer in order to scare them into acquiring a useless license. Users are advised to only watch videos of Independence Day events posted on trusted websites and delete unsolicited e-mails such as the ones described in this article. Antivirus vendors will surely release updates to detect this latest threat, so keeping AV definitions up to date is also a must.