Normally capitalizing on current events and holidays to spread its seed, the Waledac trojan now has turned to the message of fear.
Security companies warned Monday of a new malware campaign in which the Waledac botnet creators are distributing emails that falsely claim the recipient’s city has been the site of a bomb blast.
The emails contain a link that leads to a malicious — but real looking — site, complete with the logo for news agency Reuters. The headline across the mock page, customized for each viewer thanks to geolocation technology that enables the site to map incoming IP addresses, warns of a “powerful explosion” in the victim’s city, Dan Hubbard, CTO of security firm Websense, told SCMagazineUS.com.
Below that is a brief news story and a video player, said Hubbard, who added that Websense has received tens of thousands of attack samples since Sunday. The goal is to dupe users into clicking on a link to view the video, which installs the increasingly prevalent Waledac trojan. The malware opens a backdoor on the compromised machine and then sits quietly, awaiting additional commands from its command-and-control server, he said.
Though the emails do contain some spelling and grammatical errors, the social engineering aspects may be slick enough to dupe many victims, Hubbard said.
“As soon as you add in legitimate brands, people tend to think, ‘Wow, this is really real,'” he said.
Trend Micro researcher Rik Ferguson said Monday on the anti-virus firm’s blog that the latest campaign is proof that cybercrooks are having no problem making up for the amount of spam that may have dropped off when web hosting provider McColo was shut down.
As of about 1 p.m. EST on Monday, eight of 39 major anti-virus providers detected the new Waledac variant, according to a file-analyzer VirusTotal test commissioned by Hubbard and his team.
The most recent Waledac attacks leveraged the inauguration, the economic crisis and Valentine’s Day to infect users. Hubbard said researchers had been expecting a St. Patrick’s Day-themed attack until they began seeing the fake bomb spam.