Various anti-virus vendors have issued warnings regarding a new malware distribution campaign targeting Valentine's Day enthusiasts. The new variant of the Waledac worm is distributed through a spammed Web page, which prompts users to select their own cute, but infectious, Valentine's heart.
Waledac, also known as Iksmas, is considered by malware analysts the successor of what was known, until Conficker came along these past months, to be the world's most successful worm, more specifically Storm. After proving highly resilient against mass cleaning attempts or probing for years, the Storm botnet was basically left to die by its creators.
The researchers never pinpointed an exact reason as to why Storm was abandoned, but many speculated along the lines that its infrastructure was too outdated, compared with the new developments in the computer security threat landscape. Now, many of them claim that Waledac is the new creation of the Storm gang, as it displays much of the behavior and techniques employed by its late older brother.
Much as Storm, Waledac exploits people's interest in large social events and holidays in order to spread. “Holidays and popular annual events as a social engineering tool in spamming is a signature Storm technique,” Florabel Baetiong, anti-spam research engineer at Trend Micro, explains.
It was the case with Christmas and, more recently, with the Inauguration Day. Now, experts warn that Valentine's Day is targeted. “We knew it would be a matter of time, and here we have again spam messages related to this special day,” Oscar Cavada, malware analyst for PandaLabs, writes.
The worm propagation technique comes in two components. The first is a spam e-mail, which arrives in people's inboxes long before the actual holiday, which is another Storm-like tactic.
The e-mails have various love-related subjects, such as “I give my heart to you,” “Wanna kiss you,” “I belong to you,” or “You are the ONE.” Users are enticed to visit the contained malicious URLs through more heart-warming messages. The Web page the URLs point to is hosted on various domains, and displays several heart icons. A message that reads “Guess, which one is for you?,” suggests that the user should click on one of the pictures.
Obviously, this is not really a guessing game, as clicking on any of the cute hearts will have the same effect of prompting the download of an executable file. This file, which comes in different names, is the installer of the new Waledac worm variant. “The size of the files is always around 390Kb,” PandaLabs' Oscar Cavada points out.
Malware researchers for Lavasoft, the developer of the popular Ad-Aware anti-spyware/adware solution, warn that the worm's payload involves the download and installation of scareware. “After a few minutes, the known rogue MS Antispyware 2009 will appear and run on the system without the user’s permission,” they specify, concluding that “It’s a chain of social engineering tricks.”