Anti Virus Softwares

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, 15 April 2009

Waledac shifts to SMS Spy program

Posted on 14:24 by Unknown
We've known that Waledac spreads itself via Social Engineering - convincing users that they WANT to download a program. Recently we've seen Waledac acting as a Valentine's Day E-Card, a Couponizer program, and a Fake News Story about a Dirty Bomb.

Today the UAB Spam Data Mine began to get spam messages for a new Social Engineering trick. Here are some of the email subjects we're seeing:

Subjects
-----------
Read his SMS
The world's most advanced sms reading program
Now, It's possible to read other people's SMS
Read other people's SMS online
You can read anyone's SMS

The email bodies point to the websites with lines like these:

Do you trust her? http://smsclubnet.com/
You can read anyone's SMS http://virtualesms.com
Do you really trust her? http://www.freecolorsms.com
Do you really trust him? http://downloadfreesms.com/
Are you ready to know the truth? http://smsclubnet.com
Are you sure you want to know? http://smsclubnet.com

The webpage you visit looks like this:



The malware which you can download from the page is recognized by 13 of the 39 Anti-Virus products tested according to this VirusTotal Report.


File size: 419840 bytes
MD5...: 8623f18666be9d480710b29eab3b796a

The root problem with Waledac's long-lived domains is they are using a Chinese domain name registrar who won't cooperate with anyone on shutdowns. We have sent shutdown requests to their abuse contact, in both English and Chinese, and have received no cooperation whatsoever. If you have good contact information for "Ename.com", we really could use an introduction, thank you! No one answers their "1000@ename.com" email address, but perhaps a Chinese speaker might call them at +86.5922669769 ? ? ?

The complete list of NEW domain names created for this round of Waledac are:

smspianeta.com
miosmsclub.com
downloadfreesms.com
virtualesms.com
chinamobilesms.com
freeservesms.com
freecolorsms.com
smsclubnet.com

But a great number of the previous domains are also still live, and still serving Waledac, including:

adoresongs.com
antiterroris.com
bestadore.com
bestcouponfree.com
bestjournalguide.com
bestlifeblog.com
bestlovehelp.com
bestlovelong.com
bestusablog.com
bluevalentineonline.com
breakingnewsltd.com
chatloveonline.com
cherishletter.com
codecouponsite.com
easyworldnews.com
funloveonline.com
funnyvalentinessite.com
goodnewsdigital.com
goodnewsreview.com
greatcouponclub.com
greatsalesgroup.com
greatsvalentine.com
lovecentralonline.com
lovelifeportal.com
mobilephotoblog.com
photoblogsite.com
romanticsloving.com
spacemynews.com
thecoupondiscount.com
thevalentinelovers.com
tntbreakingnews.com
urbanfear.com
usabreakingnews.com
wirelessvalentineday.com
worldlovelife.com
worshiplove.com
youradore.com
yourgreatlove.com
yourvalentineday.com
yourvalnetinepoems.com

If you have contact at Ename.com, these ALL need killed, thank you! They are all now distributing the new "SMS Spy" version of Waledac.
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in malware, spam, waledac | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • Digital Certificate Spammer Goes for Google Adwords
    From late May until last week, the Digital Certificate Malware spammer has been targeting banking brands. That has changed with last week...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Most Dangerous Cities for Cyber Crime?
    Symantec Riskiest Cybercrime Cities Symantec released a study today in conjunction with Sperling's Best Places today. According to thei...
  • Beware Weekend Facebook Scam!
    The cybercriminals seem to have completed their Black Friday shopping and returned to work this morning with a new Facebook scam. Its proba...
  • What does a National Cyber Range do?
    This week Aviation Week ran a story called DARPA Unveils Cyber Warfare Range . The article quotes Rance Walleston, the director of BAE Syst...
  • 2008: Looking back on a Year of Spam and Malware
    Happy New Year! As we get ready for the New Year, there are quite a few security folks making predictions for 2009. I think my friend Dan...
  • WIRED: November Jargon Watch & Forensics?
    One of my NASA buddies (hi, Lisa!) dropped by last week for coffee and to catch up on the world of information management. When I introduce...

Categories

  • Blogs
  • Calendar
  • china
  • Communities
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • Drivers
  • email
  • Excel 2007
  • facebook
  • fake av
  • Features
  • Firewall
  • Gadgets
  • gumblar
  • Hardware
  • Hotmail
  • IE7
  • Internet Explorer 7
  • koobface
  • law enforcement
  • malware
  • Microsoft
  • Outlook
  • pharmaceuticals
  • phishing
  • PowerPoint 2007
  • public policy
  • Ready Boost
  • ReadyBoost
  • Security
  • Sidebar
  • Software
  • spam
  • Tutorials
  • twitter
  • twitter malware
  • USB
  • Virtual PC
  • Vista
  • waledac
  • Wallpaper
  • Websites
  • Windows
  • Windows Live
  • Windows Vista
  • Word 2007
  • zbot

Blog Archive

  • ►  2013 (17)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ▼  2009 (93)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ▼  April (7)
      • Waledac Moving on to . . . Canadian Pharmacy?
      • President Obama's CTO: Aneesh Chopra
      • Waledac shifts to SMS Spy program
      • New Drug sites avoid Visa and MasterCard, Sell Hyd...
      • Is There a Conficker E? Waledac makes a move...
      • Microsoft Security Intelligence Report 2H08
      • Conficker Fears spread fake AV products
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (109)
    • ►  December (7)
    • ►  November (17)
    • ►  October (12)
    • ►  September (10)
    • ►  August (23)
    • ►  July (14)
    • ►  June (3)
    • ►  May (8)
    • ►  April (6)
    • ►  March (2)
    • ►  February (3)
    • ►  January (4)
  • ►  2007 (37)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  April (2)
    • ►  March (2)
    • ►  February (2)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile