Waledac Gets Cozy with Virut

Recently, we blogged about the file-infector virus known as W32.Virut and the botnet’s return to distributing new payloads. In the blog, we estimated that the Virut botnet currently consists of 308,000 unique Virut clients active in a single day. It was also noted that Virut had been observed distributing payloads with the functionality to send out email spam for advertisements and fraud as well as other malicious purposes.

During our further analysis of recent Virut samples, we observed the virus downloading a botnet variant named Waledac (also know Kelihos), which Symantec detects as W32.Waledac.D. The Waledac family is a threat that has been monitored by Symantec for many years and was featured in numerous blogs as well as a white paper. In the past, the Waledac botnet has also been subject to takedown efforts from the security community to curtail its operations.  On each occasion the miscreants behind the botnet were able to recover from these disruptions and continue their operations, distributing spam and performing other malicious functions.

Symantec telemetry data for the past month (Figure 1) shows that we have seen the number of computers infected with W32.Waledac.D continue to increase, with the United States currently having the largest concentration of infections.

Figure 1. Waledac.D global detections, based on recent telemetry

Once the computer has been compromised, it sends spam emails through servers from a list that it receives from the command servers. During our analysis in a controlled environment, we observed a compromised computer sending approximately 2,000 emails per hour. Conservatively, if a quarter of the estimated 308,000 computers infected with W32.Virut download W32.Waledac.D, then potentially billions of spam emails can be sent from these computers. The following table contains some basic calculations on the estimated volume of emails from this campaign with totals ranging from 1.2 billion to 3.6 billion spam emails per day.

Table 1. Estimated volume of emails sent from this campaign

The emails generated consisted of one of sixteen unique subject lines and one of thirteen unique email message bodies.

The following image (Figure 2) contains some sample screenshots generated from the spam emails in this campaign. Some of the emails lead to a Canadian online pharmacy spam and others lead to fake performance-enhancing drugs.

Figure 2. Screenshots of spam emails from the W32.Waledac.D campaign

The coexistence of Virut and Waledac on a single computer is further example of malware groups using affiliate programs to spread their threats, and that threats can be linked and coexist on an already compromised computer.

From our recent analysis of one particular compromised computer, the volume of spam that can be sent from each bot is quite significant and the combination of multiple compromised computers could potentially lead to billions of spam messages being sent out by W32.Waledac.D per day. Symantec Security Response will continue to monitor these threats and to update and add detections as we encounter new variants. To aid in protection against botnet infection, Symantec recommends that you employ the latest Symantec technologies.