sudosecure.net

is anything truly secure…

Archive for February, 2009

Waledac Theme – Couponizer

Posted by jeremy on 22nd February 2009

It appears that the Waledac authors have decided the “share the love” theme has worn itself out, and have updated the website template to a new theme I have titled the “Couponizer”.  This new theme is right in line with the “sharing” social engineering trickery we have grown to expect from malware authors.  This theme offers to share with you, the unsuspecting website visitor, money-saving coupons that can only be found by downloading and installing their binary, which is really the Waledac Trojan.  So instead of them sharing money-saving coupons, the end user ends up sharing their bandwidth with the Waledac authors to aid in distributing more of these money-saving spam emails and other spamming campaigns.  All of this of course is done free of charge to the compromised host, unless you’re paying for bandwidth under a pay-per-usage plan.  Ouch, if you are having to use one of these outdated plans; I can only hope those types of plans have long disappeared for normal residential service connections.  Imagine your phone bill if Waledac could infect your handheld device and utilize minutes on your wireless data plan.  Not a pretty picture if you ask me.

Anyways, let me provide you all with a snapshot of the current web page template, so that we can send out our administrative spam warning our users not to download and install anything from a site that looks like this:

[Image: waledac_couponizer]

So as we can see the theme is not lacking in professionalism.  The major dead giveaway for this template and many of the other Waledac Trojan templates is that every item on the page is really an image.  There is no real text, unless you count the unseen “iframe” lurking behind the scenes hosting several well structured exploits and redirections.  Back to the images: all of the images on the page are hyperlinked to a binary file, so this again is a dead giveaway.  We should warn our users to never install executable content from websites like this.  Hey, better yet, why are we still allowing our users to install binaries anyways?  You know that if we followed the hundreds if not thousands of hardening guides found all over the Internet, I am sure one of the first steps found in almost every one of them is to remove administrator rights from normal usage accounts and create a software distribution and installation policy.  So why are campaigns like this still so effective?  Most likely because we know what the right thing to do is, but many times there are roadblocks in the way that prevent us from implementing policies like these.  On that note, if the DOD can force you to glue your USB ports shut with some sort of epoxy, I would venture to say removing administrator rights from your users should be an easy accomplishment.  Now if you’re part of the DOD don’t go sending missiles to my house, as this was just an observation, and no pun intended.
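As an added illustration (not code from the original post), here is a small Python checker for the traits just described: almost no real text, every image wrapped in a link to a binary, and a hidden iframe. The extension list, the 20-character text threshold and the sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser

BINARY_EXTS = (".exe", ".scr", ".com", ".pif", ".bat")  # assumed set of executable download extensions

class TemplateScanner(HTMLParser):
    """Tally the traits the post calls out: almost no real text, image links to a binary, a hidden iframe."""
    def __init__(self):
        super().__init__()
        self.visible_text = self.anchors = self.binary_links = 0  # text chars; all <a>; <a> pointing at a binary
        self.image_links = self.hidden_iframes = 0               # <img> inside <a>; zero-size or invisible iframes
        self._in_anchor, self._skip = False, 0                   # inside an <a>; nesting depth of <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            self._in_anchor, self.anchors = True, self.anchors + 1
            if a.get("href", "").lower().endswith(BINARY_EXTS):
                self.binary_links += 1
        elif tag == "img" and self._in_anchor:
            self.image_links += 1
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if "0" in (a.get("width"), a.get("height")) or "display:none" in style or "visibility:hidden" in style:
                self.hidden_iframes += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag == "a":
            self._in_anchor = False

    def handle_data(self, data):
        if not self._skip:                      # script/style bodies are not visible text
            self.visible_text += len(data.strip())

def scan_template(html):
    s = TemplateScanner()
    s.feed(html)
    all_binary = s.anchors > 0 and s.binary_links == s.anchors
    return {"visible_text_chars": s.visible_text, "image_links": s.image_links,
            "all_links_to_binary": all_binary, "hidden_iframes": s.hidden_iframes,
            "suspicious": s.visible_text < 20 and all_binary and s.hidden_iframes > 0}  # threshold is an assumption

# Constructed sample page showing the traits described above (not real Waledac content).
SAMPLE = ('<html><body><a href="/couponizer.exe"><img src="/header.jpg"></a>'
          '<a href="/couponizer.exe"><img src="/coupon1.jpg"></a>'
          '<iframe src="http://example.invalid/x" width="0" height="0"></iframe></body></html>')
```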

It also looks like the polymorphic generation of the Waledac binaries and the rotation of binary names we have seen since the 6th of February, which may I add was exactly 2 days after I posted that the update cycle for the Waledac binaries appeared to be ~15 hours (shame on me), is still well on its way to causing the best of the best Antivirus companies and malware detection companies to stay up late at night or just give up altogether.  I definitely do not fault the Antivirus industry for this poor detection rate, as how do you create static file signatures on something that is constantly changing?  The fault for successful malware campaigns such as Waledac should lie directly on the shoulders of the system security plan authors, ITSMs, CTOs, and security professionals chartered with securing computers and networks.  Stopping Waledac is almost trivial if you will put into place a good patch management system and take away administrative rights for general usage accounts.  Teach those that require administrative rights, such as system administrators, to use the “run as” functionality in Windows; it is there for a reason.  Stop making excuses for why you can’t do these things, and just do it.  I am sure you will feel the pains that all of us who have already removed our users’ administrator rights have felt in dealing with users that believe they need to run their daily accounts as an administrator.  Nobody said computer and network security was an easy task, so let’s just buckle down and fix the fundamental issue here instead of blaming others, such as the Antivirus industry, for our problems.  Hmm, that sounded like a “rant”…

In the meantime, if you can’t pull administrative rights, feel free to utilize the Waledac Tracker on my site to put into place content filters, DNS blackholing, firewall rules, and IDS/IPS signatures to match on content downloads or IP addresses.  I don’t think this is an effective solution, but hey, sometimes you just have to make do with what you’ve got.  On that note, I have been supplying one of my favorite projects, EmergingThreats.net, with IP addresses from my Waledac Tracker that have demonstrated some sort of activity in the last 72 hours.  Matt has put into place a mechanism to update his compromised host ruleset with these IP addresses every 24 hours, so you may want to take advantage of this and start using this project’s rulesets if you don’t already.  EmergingThreats.net has come a long way over the last few years, and I can say from personal experience in the IDS world their rulesets do a very good job at detecting botnets and other malicious content that can’t be seen when only running the Snort.org VRT rulesets.  Nothing wrong with the VRT ruleset either, so I would recommend running both of these rulesets and updating constantly.

As always feel free to contact me if you have any questions or comments.

UPDATE: 22 Feb 2009 ~6:00 PM CST (GMT-6)

Much to my surprise there is a legitimate “Couponizer.com” site from which the Waledac authors stole their latest theme.  Give it a look-see here: The Couponizer.  I just sent the admin contact for “The Couponizer.com” website a short note letting them know their reputation is being tarnished as we speak.  Not much they can do about it except maybe put out the standard news release stating they have no involvement with the Waledac Trojan.


Posted in Bots and Worms, Malicious Domain, Waledac | 1 Comment »

How Long is the Waledac Binary Update Cycle?

Posted by jeremy on 4th February 2009

The Waledac binary changes fairly often to avoid Antivirus detection and to modify the seeded IP addresses hard coded into the binary.  There are normally 30 hard coded IP addresses within the Waledac binary, which are used to establish the initial communication with other infected nodes on the botnet.  Once this initial communication within the botnet occurs, a larger list of IP addresses is exchanged in an HTTP-based P2P fashion to ensure reliable connectivity to other botnet nodes even when multiple infected nodes go offline or are cleaned up.

So how often does the binary change?
I created a new table view into my database just to answer this question (Waledac Update Cycle).  This new view displays only binaries (distinct MD5 sums) that have been seen more than once, to exclude the corrupted binary downloads performed by my Waledac tracking scripts.  Here is a snapshot of the table for reference:

[Image: md5_updatecycle]

The table is pretty self explanatory, and the key column is the last column.  This Lifetime column shows in Hours:Minutes:Seconds how long a Waledac binary has been in place.  With the default sort applied to the Last Seen column you can also visually see the approximate time a new binary was pushed out by the Waledac authors.  So back to the original question: what is the average update cycle for Waledac binaries?  Averaging the last column I came up with 15 Hours, 48 Minutes, and 21 Seconds.  Obviously this is not an exact calculation, in that I am not retrieving a new Waledac binary every second of the day, but it does provide a fairly decent approximation.
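The Lifetime calculation described above, as an added Python example rather than the post’s own database view: it keeps only MD5s seen more than once, computes each binary’s lifetime as last seen minus first seen, and averages the column. The MD5 values and fetch times are constructed placeholders, not tracker data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tracker log of (md5, fetch time). The post's scripts fetch every 30 minutes;
# the sample is thinned to a few fetches per binary, and the hashes are placeholders.
SAMPLE_FETCHES = [
    ("aaaa0001", "2009-02-01 00:00"), ("aaaa0001", "2009-02-01 08:00"),
    ("aaaa0001", "2009-02-01 16:00"),
    ("bbbb0002", "2009-02-01 16:30"), ("bbbb0002", "2009-02-02 06:30"),
    ("cccc0003", "2009-02-02 07:00"),   # seen only once: treated as a corrupt download and dropped
    ("dddd0004", "2009-02-02 07:30"), ("dddd0004", "2009-02-02 20:30"),
]

def binary_lifetimes(fetches):
    """Per distinct MD5: first seen, last seen, count and lifetime; keep only hashes seen more than once.
    Lifetime is last minus first seen, so it undercounts by up to one fetch interval on each end."""
    first, last, count = {}, {}, defaultdict(int)
    for md5, ts in fetches:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        first[md5] = min(first.get(md5, t), t)
        last[md5] = max(last.get(md5, t), t)
        count[md5] += 1
    rows = [(m, first[m], last[m], count[m], last[m] - first[m]) for m in first if count[m] > 1]
    return sorted(rows, key=lambda r: r[2])   # default sort on Last Seen, as in the post's view

def average_lifetime(rows):
    """Mean of the Lifetime column; the post's figure was 15:48:21 over its real data."""
    return sum((r[4] for r in rows), timedelta()) / len(rows)

def hms(td):
    """Render a timedelta as Hours:Minutes:Seconds like the Lifetime column."""
    s = int(td.total_seconds())
    return "%d:%02d:%02d" % (s // 3600, s % 3600 // 60, s % 60)

if __name__ == "__main__":
    rows = binary_lifetimes(SAMPLE_FETCHES)
    for md5, first, last, n, life in rows:
        print(md5, first, last, n, hms(life))
    print("average update cycle:", hms(average_lifetime(rows)))
```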

I was also hoping this new view might be able to identify a pattern in the binary update times as well, but I do not really see a clear pattern other than that the authors seem to prefer evening updates over morning updates in the CST timezone.  This isn’t always the case though, as there are several binary updates that occurred during the morning hours as well.  Maybe over a longer period of time a pattern will surface, who knows.  Since there is no apparent pattern or single hour in which the updates occur, I would venture to say that the binary updates are being performed manually by the authors.  I say this because if the authors had a script or cron job performing these updates for them on a regular basis, the updates would most likely occur at the same time every day.  This is not the case, so I would assume they are performing the updates manually.

As always feel free to comment or suggest new view points into my data, as I am always interested in hearing how this data can be improved upon or viewed in a new and interesting way.


Posted in Bots and Worms, Site Update, Waledac | 9 Comments »

Visualizing Waledac

Posted by jeremy on 1st February 2009

Now that I have collected quite a bit of data for the Waledac botnet, I thought it would be interesting to see if I could visualize this data in a meaningful way.  Visualizing data has really taken off in the last few years, especially when looking at network flows, and it can reveal some really interesting characteristics that may not be all that apparent when data is presented in tabular format or with charts.  All of the graphs or visualizations I am posting today were generated using a combination of the Afterglow.pl script and the Graphviz command line tools.  Another note: the generated graphs were extremely large in file size, so I took JPG snapshots of them and placed those in this post to aid page loading speeds.  The more detailed graphs are linked via the images to PDF files that can be downloaded to zoom in for a more detailed view.

The first relationship I took a look at was IP addresses -> Name Servers -> Domain Names.  The density of red nodes for each clover visually depicts the number of IP addresses associated with a specific Waledac domain name.  The density of red nodes for each leaf in the clovers depicts the number of IP addresses associated with a specific Name Server within that Waledac domain.  As you can see some Waledac domain names are more popular than others.  Another interesting characteristic demonstrated by this graph is that there are some Name Servers that are a little more popular than others for a few of the domain names being utilized by Waledac, but overall IP addresses within each domain appear to be fairly evenly distributed between Name Servers.  The last characteristic I would like to point out is that the blue rectangles depict the Name Servers within each domain name, and if you count them there are exactly 6 Name Servers for every Waledac domain name.

[Image: ip_ns_domain]

The next view I looked at was the reverse of the previous view: Domain Name -> Name Server -> IP.  This should result in about the same overall graph, but it reverses the colors and clearly demonstrates that there are in fact 6 Name Servers for every Domain Name.  The blue rectangles are the Waledac Name Servers, and by reversing the colors the IPs are now in a neutral color, making the Name Servers easier to count.

[Image: domain_ns_ip]

The next data set relationship I looked at was IP -> ASN -> Country.  The higher density of red nodes in a clover represents a larger number of IPs seen in a particular country.  If you focus on the individual clovers, the density of red nodes in relation to the density of blue rectangles depicts the number of IPs seen per ASN.  If nothing else, this graph represents another view point into the Waledac botnet IP distribution per ASN and country.

[Image: ip_asn_country_snapshot]

Now let’s take a look inside some of the more popular Waledac domain names according to my Waledac Tracker data set, in the relationship Domain Name -> Name Server -> IP Addresses.  The next three graphs are ordered by domain name: yourregards.com, yourchristmaslights.com, and newlifeyearsite.com.  When I pulled these data sets they were the top 3 domain names based on IP address counts.  The interesting visual correlation that can be seen within these graphs is the number of IP addresses in relation to each Name Server for that domain.  The larger the red circle, the more IP addresses are associated with a name server, which makes it easy to see that while it appeared in the clover leaf clusters above that the IPs were evenly distributed, there are in fact some differences.
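To show how the Domain Name -> Name Server -> IP relationship graphs above are built, here is an added Python example (not the post’s own Afterglow/Graphviz pipeline) that reads the three-column triples, counts name servers per domain and IPs per name server, and emits Graphviz DOT with name-server nodes widened by IP count. The name servers and IP addresses are constructed placeholders; only the domain names come from the post.

```python
from collections import defaultdict

# Constructed Domain -> Name Server -> IP triples in the three-column CSV layout Afterglow reads;
# domain names are those named in the post, name servers and IPs are made-up placeholders.
SAMPLE_CSV = """\
yourregards.com,ns1.yourregards.com,192.0.2.10
yourregards.com,ns1.yourregards.com,192.0.2.11
yourregards.com,ns2.yourregards.com,192.0.2.12
yourregards.com,ns2.yourregards.com,192.0.2.13
yourregards.com,ns2.yourregards.com,192.0.2.14
newlifeyearsite.com,ns1.newlifeyearsite.com,198.51.100.7
newlifeyearsite.com,ns2.newlifeyearsite.com,198.51.100.8
"""

def parse_triples(text):
    return [tuple(f.strip() for f in line.split(",")) for line in text.splitlines() if line.strip()]

def ns_per_domain(triples):
    """Distinct name servers per domain: the count the post makes by eye (6 for every Waledac domain)."""
    ns = defaultdict(set)
    for domain, server, _ip in triples:
        ns[domain].add(server)
    return {d: len(s) for d, s in ns.items()}

def ips_per_ns(triples):
    """Distinct IPs per name server: the uneven distribution the per-domain graphs revealed."""
    ips = defaultdict(set)
    for _domain, server, ip in triples:
        ips[server].add(ip)
    return {s: len(i) for s, i in ips.items()}

def to_dot(triples):
    """Graphviz source: domains as green boxes, name servers as blue boxes, IPs as red dots.
    Name-server boxes are widened in proportion to their IP count (a choice made here, not Afterglow's)."""
    lines = ["digraph waledac {"]
    for d in sorted({d for d, _, _ in triples}):
        lines.append('  "%s" [shape=box, style=filled, fillcolor=lightgreen];' % d)
    for s, n in sorted(ips_per_ns(triples).items()):
        lines.append('  "%s" [shape=box, style=filled, fillcolor=lightblue, width=%.1f];' % (s, 0.5 + 0.2 * n))
    for ip in sorted({ip for _, _, ip in triples}):
        lines.append('  "%s" [shape=circle, style=filled, fillcolor=red, label=""];' % ip)
    edges = {(d, s) for d, s, _ in triples} | {(s, ip) for _, s, ip in triples}
    for a, b in sorted(edges):
        lines.append('  "%s" -> "%s";' % (a, b))
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_dot(parse_triples(SAMPLE_CSV)))   # pipe into: dot -Tpdf -o waledac.pdf
```

Running it and piping stdout into `dot -Tpdf -o waledac.pdf` gives a zoomable PDF like the ones linked from the images above.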

yourregards.com

[Image: ip_ns_yourregards_snapshot]

yourchristmaslights.com

[Image: ip_ns_yourchristmaslights]

newlifeyearsite.com

[Image: ip_ns_newlifeyearsite_snapshot]

This last graph I generated really does not mean a whole lot per se, but I think it looked pretty interesting so I went ahead and posted it for your viewing pleasure.  Its relationship is based on my binary tracking scripts that retrieve Waledac binaries every 30 minutes: Binary Name -> IP.  Again, not real meaningful, but it sure looks cool.

[Image: name_ip_binaries_snapshot]

Well I hope you enjoyed the graphs, and as always if you have any questions or comments feel free to either leave them here via a comment or email me anytime.


Posted in Bots and Worms, Waledac | 1 Comment »