Application security, Incident Response, Malware, Phishing, TDR

Waledac malware adds geolocation

A new variant of the Waledac malware campaign has been unleashed, taking advantage of the economic crisis by spoofing a legitimate coupon website and using IP address geolocation to appear to offer coupons for local stores.

Criminals are hosting a website that mimicks a site that sells The Couponizer, a product that helps shoppers organize their coupons. Adding legitimacy to the exploit is that the spoofed Couponizer page seems to be offering coupons for stores, restaurants and companies near where the user lives, Phil Hay, lead threat analyst at internet and email filtering solutions company Marshal8e6, told Wednesday.

To achieve this, the exploit uses a social engineering feature not seen in the other Waledac variants called IP address geolocation, which is a way of determining a user's location based on his or her IP address. The user's IP address is queried against a database to determine its location, then the results of that query are put into the webpage, Hay said.

Courtesy of Marshal8e6

The geolocation feature increases the appeal and seeming validity to a casual observer, Hay said.

“You see something popping up with local content -- that's what caught my eye," he said.

Users are being lured to these spoofed pages through spam with subject lines such as, “I've already used these coupons” and “Want to save money? Look at this!” The email bodies contain a link to one of the hundreds of malicious pages hosting the exploit, Hay said.

Experts began detecting this new variant on Sunday. The spam is still being detected with relatively low levels.

About 15,000 messages an hour are being detected, which translates to less than one percent of total spam volume, Sam Masiello, vice president of information security at messaging security firm MX Logic, told Wednesday.

“Regardless of volume, the most important thing to consider is the potential damage that can be incurred by someone who falls victim,” Masiello said.

To become infected, a user has to download and execute the malware from one of the malicious links on the site, he said. Once infected, the malware can do any number of things to a user's system, including use it to send out other spam or install a keylogger that could result in data loss or identity theft, Masiello said.

The goal of Waledac is to build a botnet, and the criminals behind it are using some clever campaigns to do it, experts said. Waledac has used holiday-themed exploits in the past -- first a Christmas theme, then two different variants with Valentine's Day themes, and it was also hosted on a fake President Obama site.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.