Dec 7, 2010 17:45 GMT

A wave of rogue private messages received by many Facebook users directs them to malicious websites serving a version of the Waledac trojan.

According to the scam tracking website Facecrooks, the messages read “I got you a surprise www.[random_name].blogspot.com”.

Several different blogspot URLs were observed in these messages, suggesting that the people behind this campaign have registered many accounts in advance and rotate them as soon as they get suspended.

Visiting the websites triggers a prompt that reads “Download photoalbum” and serves an executable file called photo.exe, which is actually a Waledac variant.
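The lure described above has two stable features a defender can key on: a fixed phrase and a link to a freshly registered blogspot subdomain that changes from message to message. The following added example (my own code, not from the article, Facecrooks or Symantec) runs that heuristic over a handful of constructed sample messages and reports how many distinct hosts sit behind the same phrase, which is the rotation pattern the article notes. The sample messages and hostnames are invented for illustration.

```python
import re
from collections import Counter
from typing import List, Optional

# Constructed sample private messages (not real captures), shaped like the lure
# described in the article: a fixed phrase followed by a throwaway blogspot URL.
SAMPLE_MESSAGES = [
    "I got you a surprise www.sunnyphotos7723.blogspot.com",
    "I got you a surprise www.bestpics-99.blogspot.com",
    "hey, are we still on for lunch tomorrow?",
    "i got you a surprise http://www.sunnyphotos7723.blogspot.com/",
    "check this www.example.com/album",
]

# The lure phrase is fixed across the campaign, so it is a cheap first filter.
LURE_PHRASE = re.compile(r"\bi got you a surprise\b", re.IGNORECASE)

# Matches a blogspot hostname with or without scheme / www prefix; group 1 is the
# subdomain the operator registered, which is the part that rotates.
BLOGSPOT_HOST = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9-]+)\.blogspot\.com\b", re.IGNORECASE
)


def extract_blogspot_host(message: str) -> Optional[str]:
    """Return the normalized '<subdomain>.blogspot.com' found in message, or None."""
    m = BLOGSPOT_HOST.search(message)
    if not m:
        return None
    return f"{m.group(1).lower()}.blogspot.com"


def is_lure(message: str) -> bool:
    """Treat a message as part of the campaign only when it carries both the
    fixed phrase and a blogspot link; either feature alone is too noisy."""
    return bool(LURE_PHRASE.search(message)) and extract_blogspot_host(message) is not None


def summarize(messages: List[str]) -> dict:
    """Count lure messages and the distinct blogspot hosts they point at.
    More than one host behind the same phrase indicates account rotation."""
    hosts = Counter(extract_blogspot_host(m) for m in messages if is_lure(m))
    return {
        "total": len(messages),
        "lures": sum(hosts.values()),
        "hosts": dict(sorted(hosts.items())),
        "rotating": len(hosts) > 1,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGES))
```

On the constructed input this reports three lure messages spread over two hosts, so `rotating` is true. In practice the phrase filter should be maintained as a list, since lure text changes more often than the delivery pattern does.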

According to Symantec, Waledac “is a worm that spreads by sending emails that contain links to copies of itself. It also sends spam, downloads other threats, and operates as part of a botnet.”

In its description of the threat, the antivirus vendor also notes that the Waledac authors commonly organize social engineering campaigns in order to trick users into installing it.

The interesting fact is that Waledac was believed to be more or less dead or abandoned by its creators. The botnet was one of the biggest sources of spam in 2009, but Microsoft, working together with Symantec, the Shadowserver Foundation, the University of Washington and others, managed to severely cripple it.

The Redmond software giant then took the issue to the courts, which gave it permission to shut down or seize the domains used by the worm as command and control servers.

In addition to sending large volumes of spam to email addresses harvested from a variety of places and files on the infected system, the worm also steals other information and uploads it to one of the tens of IP addresses hardcoded into the malware.

Users are advised to keep their antivirus programs up to date at all times and to always treat private messages containing links with suspicion.