Virut malware fuels Waledac botnet resurgence

The Waledac worm, which targets Windows systems and sends spam from infected computers, has made its return with the help of the Virut virus, according to researchers.

And the latest junk mail campaign may not be the first time that Waledac and Virut attackers have worked together to prey on unsuspecting users.

Back in 2009, researchers believed that Waledac operators utilized Virut to carry out a Bank of America certificate scam by which victims' computers were hijacked to deliver spam and host malware-serving websites. 

In this new undertaking, Symantec found that 308,000 computers, primarily in the United States, are infected with Virut, which, in turn, drops Waledac – a worm that could potentially send up to three billion spam emails per day. 

Liam O'Murchu, manager of operations at Symantec Security Response, which discovered the new Waledac cases, told Tuesday that Virut is often used by crooks to spread their own malware because it provides attackers with a “back door” to gain access to compromised computers.

“Virut will download new threats and install them, and that's one way that the owners of the botnet make money,” O'Murchu said. “They rent out their botnet and allow other [malware] to be installed on victims' computers.

The Virut virus, which also has “worm-like characteristics,” according to a Symantec analysis of malware, impacts Windows XP, Vista and earlier versions, as well as Windows Server 2008, 2003, NT and ME. Victims are infected by way of drive-by downloads, but Virut can also infect ASP, HTML, and PHP files, and spreads when these files are shared via email or portable devices.

Murchu said Waledac spammers ultimately make their money through rogue ad networks, online pharmacies, or outright fraud in which personal information is collected.

“Waledac [operators] will get paid for the amount of spam they send, or sometimes they get paid a percentage of the transaction that results from the spam,” he said.

Screen shots of Waledac spam emails were posted Tuesday in a Symantec blog post. Some examples include spurious links to Canadian online pharmacies or performance-enhancing drugs. 

In 2010, a U.S. district court judge in Alexandria, Va. granted Microsoft a restraining order for the seizure of 277 domains run by Waledac operators, effectively shutting the botnet down for a time. reached out to Microsoft but did not immediately hear back from the company.

UPDATE: In a Tuesday email, Richard Boscovich, associate general counsel for Microsoft Digital Crimes Unit, told that Microsoft saw no evidence that the botnet it took down in 2010 was spamming users again or that it had "returned to the control of cyber criminals." The company has identified a variant of Waledac being spread among users, however.

"We have seen evidence of the distribution of this malware – known as “W32/Waledac.D” – that appears to be increasing," Boscovich wrote. "This does not mean that the Waledac botnet we took down is back in operation. This kind of effort by bot herders to try to rebuild a botnet from the ashes of the old is not new." 

Boscovich advised users to take standard precautions, like running up-to-date and legitimate software, as well as employing firewall protection and anti-malware solutions. Users should also be cautious when clicking on ads or email attachments, which could potentially be malicious, he added.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.