Waledac bot pitches nearby terrorist bombing to dupe users
Pitch customized for recipient's location for 'more compelling' trickery, says researcher
Computerworld - Hackers trying to trick users into downloading the Waledac Trojan horse are customizing their bait to the recipient's location, upping the social engineering ante yet again, a security researcher said today.
The latest round of spam messages from Waledac's makers trumpets news of a supposed bomb blast, said Paul Royal, principal researcher at Web security company Purewire Inc. The link included in the spam -- which comes armed with subject headings such as "Bomb was blasted in your town" and "At least 18 killed in your city" -- leads to a fake Reuters news service site, and a story that claims local fatalities from a bombing attack.
"Authorities suggested that the explosion was caused by a 'dirty' bomb," one version of the bogus site read. The site then uses the now-standard ruse of asking the user to download and install an update to Adobe Systems Inc.'s Flash Player in order to view a video. The file is nothing of the sort; it is the Waledac Trojan horse.
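The lure described above leaves a recognisable trace in web proxy logs: an executable download whose path poses as a Flash Player update, served from a host outside Adobe's domains, with the referrer pointing at a site whose name imitates a news brand. The detection below is an added example written for this page, not code from the article or from Purewire; the log format, the sample log lines, the client IPs and the `.example` hostnames are all constructed for illustration.

```python
"""Flag executable downloads that pose as Flash Player updates.

Constructed example: the proxy log format (timestamp, client IP, method,
URL, status, MIME type, referrer) and every hostname and IP below are
assumptions for illustration, not data from the article.
"""
from urllib.parse import urlparse

# Legitimate sources of Flash Player installers (assumed allow-list).
ADOBE_DOMAINS = ("adobe.com", "macromedia.com")
# Brand keyword -> the brand's legitimate domain; a host containing the
# keyword but not under that domain is treated as a lookalike.
BRANDS = {"reuters": "reuters.com"}
EXE_MIMES = {"application/x-msdownload", "application/x-msdos-program",
             "application/octet-stream"}
EXE_EXTS = (".exe", ".scr", ".com", ".pif")

# Constructed sample log: one genuine Adobe download, one fake Reuters
# story leading to a "flash_player_update.exe", one harmless .swf.
SAMPLE_LOG = """\
2009-04-20T10:01:02Z 10.1.2.3 GET http://get.adobe.com/flashplayer/ 200 text/html -
2009-04-20T10:01:05Z 10.1.2.3 GET http://fpdownload.adobe.com/get/flashplayer/install_flash_player.exe 200 application/x-msdownload http://get.adobe.com/flashplayer/
2009-04-20T10:02:10Z 10.1.2.4 GET http://reuters-news-update.example/news/bomb.php?city=Santiago 200 text/html -
2009-04-20T10:02:14Z 10.1.2.4 GET http://reuters-news-update.example/flash_player_update.exe 200 application/x-msdownload http://reuters-news-update.example/news/bomb.php?city=Santiago
2009-04-20T10:03:00Z 10.1.2.5 GET http://cdn.example.net/video/player.swf 200 application/x-shockwave-flash http://www.example.net/
"""


def under_domain(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    ts, client, method, url, status, mime, referrer = line.split(" ", 6)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "mime": mime, "referrer": referrer}


def lookalike_brand(host):
    """Return the brand keyword a host imitates, or None."""
    for keyword, legit in BRANDS.items():
        if keyword in host.lower() and not under_domain(host, (legit,)):
            return keyword
    return None


def flag_fake_flash_update(entry):
    """Return a list of reasons the request looks like a fake Flash update,
    or None if it is not an executable download or raises no signal."""
    u = urlparse(entry["url"])
    is_exe = entry["mime"] in EXE_MIMES or u.path.lower().endswith(EXE_EXTS)
    if not is_exe:
        return None
    reasons = []
    path_and_query = (u.path + "?" + u.query).lower()
    if "flash" in path_and_query and not under_domain(u.hostname, ADOBE_DOMAINS):
        reasons.append("flash-update executable from non-Adobe host %s" % u.hostname)
    ref_host = urlparse(entry["referrer"]).hostname if entry["referrer"] != "-" else None
    brand = lookalike_brand(ref_host) if ref_host else None
    if brand:
        reasons.append("referrer host %s imitates %s" % (ref_host, brand))
    return reasons or None


def scan(log_text):
    """Return (client, url, reasons) for every flagged request in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = flag_fake_flash_update(entry)
        if reasons:
            hits.append((entry["client"], entry["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

The genuine Adobe download passes both checks because its host is under adobe.com and its referrer carries no brand lookalike; the fake "Reuters" download trips both, which is the combination worth alerting on rather than either signal alone, since legitimate software mirrors and legitimate news sites each produce one of them in isolation.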
"Within the last 24 to 48 hours, Waledac has switched to a fake Reuters news story," said Royal. In itself, that's nothing new: Attackers have leveraged current events to get users to download malware for years. "What's somewhat novel here is that the Waledac operators have added the notion of locality," he said.
"Either at the malware distribution point or somewhere upstream from the user, they look at the IP address, use that to get your location and then feed that into the news story so it says that the bomb blast was near a market in your city."
When Royal used an IP address in Chile, for example, he was served up with a link to a story that claimed the bombing had taken place in Santiago, that country's largest city and capital. "The content becomes more compelling," Royal said, when it poses as local news.
Waledac has become known for its cutting-edge social engineering tactics, one of the reasons security researchers almost unanimously believe that its makers are the same group that operated the infamous Storm botnet last year.
"Storm's operators always chose to exploit things that were temporally relevant," said Royal. "And Waledac shows the same unique insight into using social engineering and what's current in the news."
Although Waledac has been active for several months, Royal noted that it has yet to build up a botnet that can rival Storm at its peak. "It's nowhere near as big," he said, noting that Purewire had pegged Storm as controlling as many as 400,000 PCs in late 2007. "It's harder to get an accurate number for Waledac," he noted, "but our best guess is that it's in the 25,000-to-50,000 range."