sudosecure.net

Waledac Binary Tracking

Posted by jeremy on January 2nd, 2009

I received a request earlier today to start tracking the Waledac Trojan like I had the Storm Worm, and since they both use the same tactics I figured why not. I just finished modifying my Storm Binary Tracking scripts to monitor the Fast Flux network of Waledac and its web pages. You can find the data from the binary tracking scripts here: Waledac Tracker. I don’t know yet how much time or effort I will put into tracking this Trojan, but since I am publishing this data I will go through a quick summary of what the Waledac Trojan is.

The Waledac Trojan is delivered as a URL link inside spam messages.  The current web page looks like this:

[Screenshot: waledac_website]

The web page is really just one large GIF image, “img.gif”, that links to “postcard.exe”. This ensures that any stray user click on the web page will prompt the user to download the “postcard.exe” binary, which is the Waledac Trojan. There is also an IFRAME embedded in the web page that points to “hxxp://seocom.mobi/rotate/c.php?eb0h”, but when I went to retrieve this page I got a 403 error stating I didn’t have permission to access it. From other articles and blog posts I have read, this is where the Waledac Trojan tries multiple exploits, but since I can’t access the page right now I can’t confirm this. One thing I did note that I haven’t seen posted yet is that although the Waledac Trojan web page is being served up by Nginx/0.63.4, the seocom.mobi site is being served up by an Apache 1.3.41 server. Here is the server banner I found for the Apache server:

Apache/1.3.41 (Unix) PHP/4.4.9 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b
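As an added example (not the author's tracking scripts), here is a small Python check for the lure layout described above: an image-only link whose target is an .exe, plus an IFRAME that points at a different host than the page itself. The sample page and the hostnames lure.example and other.example are constructed placeholders, not the real infrastructure.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def _is_exe(url: str) -> bool:
    """True when the URL path (query string ignored) names an .exe file."""
    return urlsplit(url).path.lower().endswith(".exe")

class LurePageParser(HTMLParser):
    """Collects image-wrapped .exe links and IFRAME targets from one HTML page."""
    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.open_href = None      # absolute href of the <a> we are currently inside
        self.exe_image_links = []  # (link target, image src) pairs
        self.iframes = []          # absolute IFRAME src URLs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        if tag == "a" and a.get("href"):
            self.open_href = urljoin(self.page_url, a["href"])
        elif tag == "img" and self.open_href and _is_exe(self.open_href):
            self.exe_image_links.append((self.open_href, a.get("src", "")))
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "a":
            self.open_href = None

def assess_lure(page_url: str, html: str) -> dict:
    """Return the indicators found and whether both halves of the pattern are present."""
    parser = LurePageParser(page_url)
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    foreign = [u for u in parser.iframes if urlsplit(u).hostname not in (None, own_host)]
    return {
        "exe_image_links": parser.exe_image_links,
        "foreign_iframes": foreign,
        "suspicious": bool(parser.exe_image_links and foreign),
    }

# Constructed sample with the layout the post describes; hostnames are placeholders.
SAMPLE_URL = "http://lure.example/"
SAMPLE_HTML = """<html><body>
<a href="postcard.exe"><img src="img.gif" width="800" height="600"></a>
<iframe src="http://other.example/rotate/c.php?x"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(assess_lure(SAMPLE_URL, SAMPLE_HTML))
```

A proxy or sandbox that already fetches the page can run this on the body; a hit on both indicators is a strong reason to block the .exe download and the IFRAME host.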

The Shadowserver Foundation has a really good write-up on this Trojan, and if you haven’t read it yet here it is: Waledac is Storm is Waledac? Peer-to-Peer over HTTP.. HTTP2p?. They also have a nice collection of the current domain names being used to host the web pages, so if nothing else grab those domains and start implementing DNS blackholing or add them to your proxy configurations to prevent your users from even visiting these sites.

So far I have seen 142 IPs with my tracking scripts.

I can’t say these are all bad or related to the Waledac Trojan, but I can tell you that these were IP addresses found as A records in the Waledac Trojan name servers. The only IPs I ever claim to be 100% sure are/were associated with the badness are the ones I actually grab a binary from, and those can now be found via the Waledac Tracker.
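The following is an added example, not the author's Storm or Waledac tracking script, of the bookkeeping a tracker like the one described above needs: it records first-seen, last-seen and hit counts for every A record a domain returns across repeated lookups, and applies a simple fast-flux heuristic (many distinct IPs, spread across many /16s, advertised with short TTLs). The domain lure.example, the private-range addresses and the thresholds are constructed assumptions; a live version would feed it the answers obtained from the botnet's name servers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List

@dataclass
class Sighting:
    first_seen: int  # unix time of the first lookup that returned this IP
    last_seen: int
    hits: int = 0    # incremented for every lookup that returned this IP

class FluxTracker:
    """First/last-seen bookkeeping for every IP each tracked domain resolves to."""
    def __init__(self) -> None:
        self.sightings: Dict[str, Dict[str, Sighting]] = {}
        self.ttls: Dict[str, List[int]] = {}

    def observe(self, domain: str, when: int, ttl: int, ips: Iterable[str]) -> List[str]:
        """Record one lookup; return the IPs this domain has not resolved to before."""
        table = self.sightings.setdefault(domain, {})
        self.ttls.setdefault(domain, []).append(ttl)
        new: List[str] = []
        for raw in ips:
            ip = str(ipaddress.ip_address(raw))  # normalise, reject garbage early
            if ip not in table:
                table[ip] = Sighting(when, when)
                new.append(ip)
            table[ip].last_seen, table[ip].hits = when, table[ip].hits + 1
        return new

    def looks_fluxy(self, domain: str, min_unique=10, min_prefixes=5, max_ttl=600) -> bool:
        """Heuristic: many distinct IPs, spread across many /16s, with short TTLs."""
        table = self.sightings.get(domain, {})
        prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in table}
        return (bool(table) and len(table) >= min_unique
                and len(prefixes) >= min_prefixes and max(self.ttls[domain]) <= max_ttl)

# Constructed lookups for a placeholder domain: hourly answers with a 300 s TTL and
# a partly rotated set of private-range addresses standing in for infected hosts.
SAMPLE_DOMAIN = "lure.example"
SAMPLE_LOOKUPS = [  # (unix time, answer TTL, A records)
    (1230854400, 300, ["10.3.1.10", "10.17.2.20", "10.44.3.30", "10.90.4.40"]),
    (1230858000, 300, ["10.3.1.10", "10.121.5.50", "10.160.6.60", "10.200.7.70"]),
    (1230861600, 300, ["10.17.2.20", "10.211.8.80", "10.230.9.90", "10.250.10.100"]),
]

def track_sample() -> FluxTracker:
    tracker = FluxTracker()
    for when, ttl, ips in SAMPLE_LOOKUPS:
        tracker.observe(SAMPLE_DOMAIN, when, ttl, ips)
    return tracker
```

The list returned by observe() is the set of addresses worth a fresh binary fetch, which is exactly the step that turns a resolved IP into one the author would count as confirmed.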

If you have any questions or comments feel free to email me anytime, and also let me go ahead and wish you all a belated HAPPY NEW YEAR!

3 Responses to “Waledac Binary Tracking”

  1. Marco Says:

    This is Wepawet’s report for the page on seocom.mobi:
    http://wepawet.cs.ucsb.edu/view.php?hash=1a923170ff718d1141d7834cb405e111&t=1231183198&type=js

    Quite malicious, indeed…

  2. jeremy Says:

    Wow, I have never used Wepawet. Very nice tool, and I am sure I will start using it now! Great work!

    –jeremy

  3. Marco Says:

    Thanks! :-)

    Let me know if you spot problems (still alpha…)

    Marco
