Waledac Theme – Reuters: Terror Attack
Posted by jeremy on 15th March 2009
Looks like the Waledac authors wore the Couponizer theme out and have now switched to a new “Terror Attack” headline theme. Headline-news themes are nothing new to botnets like Waledac; the Storm Worm used them a few times with fairly decent infection rates. Another note of interest with this attack is the continued use of GeoIP data to customize the news article for each visitor. I utilized several web proxies, and the Waledac GeoIP database seems to provide extremely accurate IP-to-location results. Take a look at a screen grab I took while I was utilizing a Woodstock web proxy.
Another interesting touch is the two non-malicious web links at the bottom of the page. One leads to the “Dirty Bomb” Wikipedia page and the other to Google search results for “Your GeoIP City” together with the keywords “Terror Attack”. The usual hidden iframe can still be found in all the Waledac web pages I viewed. The common URL structure for this iframe right now is http://xxxxxx/tds/Sah7, so some simple URL filtering or logging on your proxies may help identify users who have visited a Waledac web page and possibly received malicious exploit attempts through this hidden iframe.
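As an added example (not the author's own tooling), here is a small proxy-log sweep for that iframe path. It assumes Squid's native access.log layout, matches on the `/tds/Sah7` path only (the host portion is the part that is masked above, so it is the least reliable thing to key on), and reports which internal clients fetched the iframe target and which hosts served it. The log lines are constructed for the example; the `Sah7` token is what the post reports at the time of writing and will need updating as the campaign rotates.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid native access.log format (assumption: your
# proxy logs in this layout; adjust the field indexes in parse_squid_line for others).
# Fields: timestamp elapsed client action/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1237100001.123    512 10.0.0.15 TCP_MISS/200 18342 GET http://example-news-host.invalid/news.php?id=7 - DIRECT/203.0.113.10 text/html
1237100001.456     88 10.0.0.15 TCP_MISS/200 1204 GET http://example-news-host.invalid/tds/Sah7 - DIRECT/203.0.113.10 text/html
1237100002.789    301 10.0.0.22 TCP_MISS/200 5120 GET http://en.wikipedia.org/wiki/Dirty_bomb - DIRECT/208.80.152.2 text/html
1237100003.012    120 10.0.0.31 TCP_MISS/200 1190 GET http://another-host.invalid/tds/Sah7?x=1 - DIRECT/198.51.100.7 text/html
1237100004.345     60 10.0.0.15 TCP_MISS/404 400 GET http://example-news-host.invalid/tds/other - DIRECT/203.0.113.10 text/html
"""

# Path seen in the hidden iframe of the "Terror Attack" pages. The host is
# treated as unknown and only the path is matched. "Sah7" is the token
# observed at the time of writing; expect it to change.
IFRAME_PATH_RE = re.compile(r"^https?://[^/]+/tds/Sah7(?:[/?#]|$)", re.IGNORECASE)
HOST_RE = re.compile(r"^https?://([^/]+)/", re.IGNORECASE)


def parse_squid_line(line):
    """Return (timestamp, client_ip, url) for one Squid native log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    return ts, fields[2], fields[6]


def find_iframe_hits(log_text):
    """Map client IP -> list of (timestamp, url) for requests that hit the iframe path."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        ts, client, url = parsed
        if IFRAME_PATH_RE.match(url):
            hits[client].append((ts, url))
    return dict(hits)


def hosts_serving_iframe(log_text):
    """Distinct hosts that served the iframe path; candidates for a blocklist or further lookup."""
    hosts = set()
    for entries in find_iframe_hits(log_text).values():
        for _, url in entries:
            hosts.add(HOST_RE.match(url).group(1).lower())
    return sorted(hosts)


if __name__ == "__main__":
    for client, entries in sorted(find_iframe_hits(SAMPLE_LOG).items()):
        for ts, url in entries:
            print(f"{client} fetched Waledac iframe target {url} at {ts:.0f}")
    print("hosts that served the iframe path:", hosts_serving_iframe(SAMPLE_LOG))
```

A hit only tells you the client loaded the iframe target, not that an exploit landed; treat matched clients as candidates for a closer look at what that iframe served them.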
If anyone is interested in just how well the antivirus companies are keeping up with the Waledac authors and their polymorphic packer, here are VirusTotal's static file scan results (engines detecting / engines run) for some of my recently collected binaries:
- Result: 8/39 (20.51%)
- Result: 6/39 (15.38%)
- Result: 7/39 (17.95%)
- Result: 6/39 (15.38%)
- Result: 6/39 (15.38%)
- Result: 6/39 (15.38%)
- Result: 6/39 (15.38%)
- Result: 6/39 (15.38%)
- Result: 6/39 (15.38%)
- Result: 10/39 (25.64%)
- Result: 6/39 (15.38%)
Not looking all that good, if you ask me.
Posted in Bots and Worms, Waledac
