Alleged SMS-spying applications might get you infected

Apr 17, 2009 08:10 GMT

Security researchers warn of a new spam campaign driven by the Waledac computer worm. The e-mails claim to promote a program that can spy on other people's SMS messages; the download on offer is, in fact, an installer for the worm.

Waledac is viewed by security professionals as the successor of the infamous Storm worm, one of the most successful botnets to date, which its creators inexplicably left to die out a while back. Waledac's spam campaigns usually capitalize on breaking news, global events, or holidays that are bound to attract a lot of public interest.

This latest scheme deviates somewhat from that general approach and instead preys on people's suspicious nature. E-mails with subjects such as "Does your partner truly love you?" or "You can read anyone's SMS" try to entice users into visiting the links they contain.

Clicking the URLs opens a page that mimics the website of a legitimate SMS-spying application. Unsuspecting users who attempt to download the trial version of the program from the fake page are served a file under various names, such as sms.exe, freetrial.exe, and smstrap.exe.

The executable is actually an installer for the Waledac worm and, when this campaign was first spotted, only 13 of the 39 anti-virus engines on VirusTotal detected it. Malware researchers from anti-virus vendor Trend Micro point out that the Waledac worm is constantly mutating and that a large number of variants are circulating in the wild.

Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham (UAB), has identified a large number of domains associated with this and other Waledac campaigns. However, he notes that, "The root problem with Waledac's long-lived domains is they are using a Chinese domain name registrar who won't cooperate with anyone on shutdowns. We have sent shutdown requests to their abuse contact, in both English and Chinese, and have received no cooperation whatsoever."

Panda Security malware researcher Asier Martínez notes that Waledac activity has been spiking over the past three months. "Taking into account the data regarding the first two weeks of April, there has been an increase of almost 200% comparing with February's figures," he writes.

Interestingly, spam analysts from security vendor Websense have detected a similar campaign promoting a fake SMS-reading application called SMS Reader V4.0. Some vendors identify that executable as a Trojan downloader for Cutwail, and this particular spam run appears to specifically target Russian-speaking users.