Bank of America certificate scam propagating Waledac, Virut

A new spam campaign disguised as a Bank of America email telling users they need to update their digital certificate is attempting to lure users into installing the Waledac worm.

The messages, which were first detected this past weekend, seemingly come from Bank of America, and tell users, “The digital certificate for your Bank of America direct online account has expired. You need to update the certificate using Bank of America direct digital certificate updating procedure” (see photo below). Recipients are then instructed to click on a link and follow the given instructions, Phil Hay, lead threat analyst at web and email security firm Marshal8e6, said in an email Monday. The spam originates from the Pushdo botnet, which has been active in similar malicious phishing attacks, Hay said.

After following the link, the user is encouraged to fill in a web form and to download a new "digital certificate" to continue, Hay said. The “certificate,” however, is an executable file which seeks to download malware to the victim's PC.

The SANS Internet Storm Center said in a post on Monday that a quick analysis of this malware showed “probable signs” of Waledac -- the notorious worm capable of harvesting and forwarding password information and receiving commands from a remote server. Sean-Paul Correll, threat researcher for Panda Security, confirmed on Tuesday that the threat is being detected as Waledac.

Waledac-infected computers can receive instructions on functions to perform, such as updating malware components or sending information from the infected computer, Joshua Perrymon, CEO of security firm PacketFocus, said in an email Monday. He added that this type of multi-layered email attack -- in which the phisher is not only grabbing users' login information but also placing malware on the machines -- has been around for a while, but is on the rise.

“At the end of the day they will get rich off this attack in a few days,” Perrymon said.

Bank of America said in a statement that it is aware of the situation and is continuing to research the issue and protect customers as diligently as it can. Bank of America did not, however, provide any additional information about its research into this threat.

Photo courtesy Marshal 8e6 TRACElabs.

Panda Security's Correll said that from February to April PandaLabs saw a 200 percent increase in Waledac variants.

“Waledac will take over the victim's computer and use it to spam malicious emails and host the infection websites,” Correll said. He added that there may be some new functionality in this variant.

Marshal8e6's Hay said that, after initial analysis of this threat, one of the components of the attack looks like a variant of Virut. Virut is capable of downloading anything the command-and-control server wants to install on the infected system, Marshal8e6 said in a recent blog post.

“If the user is compromised by Virut, then potentially all sorts of other malware may end up on the PC,” Hay said.

In February, Microsoft warned that a particularly nasty variant of the Virut virus had been unleashed. The virus was responsible for shutting down the court system in Houston after about 475 of the city's 16,000 computers were infected.