As Valentine's Day is approaching the criminals behind Win32/Waledac have increased their activity. The Valentine campaign started some time ago but the interesting part is only starting for us.  The Waledac botnet has been using fast flux for some time now.  This means that the IP addresses of the websites used to distribute this malware are changed rapidly in an effort to avoid tracking of malicious servers.  On the other hand, they have recently started using server side polymorphism.

The Waledac servers are now distributing malware variants that are dynamically generated.  Almost every file that is downloaded from one of their server is different.  This technique has been used by other malware families in the past, like Storm, to evade antivirus signature detection.  We are expecting to see hundreds of different Waledac variants being distributed every day as opposed to less than ten in the previous weeks.  On the positive, Waledac also shares the same problems as Storm in the sense that its packer is fairly easy to get past, making analysis and generic detection easier.

 

Pierre-Marc Bureau
Researcher