Waledac Reloaded: Trojan.Rloader.B

Recently, we blogged about systems compromised by W32.Virut that were observed downloading W32.Waledac.D (Kelihos). Symantec has followed the Waledac evolution for a number of years and have observed the botnet showing considerable resilience against take-down efforts conducted in the past. Waledac is traditionally known as a spamming botnet which has been observed to send up to 2000 malicious emails on a daily basis.


Figure 1. W32.Waledac.D spam

In the past two months, we have observed Waledac infection numbers go from strength to strength, with the majority of infections originating in the United States.


Figure 2. Top 10 countries with computers compromised by W32.Waledac.D

Computers compromised with W32.Waledac.D were also distributing additional malware that had initially been detected as Backdoor.Tidserv. However, following our analysis, we have discovered it to be a new variant of Trojan.Rloader, dubbed Trojan.Rloader.B. Similar to its older brother, Trojan.Rloader.B’s main functionality revolves around click-fraud.


Figure 3. Trojan.Rloader.B attack steps

When Trojan.Rloader.B is first executed on the victim’s computer, it ensures that it is running on a physical machine and terminates itself if it is found to be running within a virtual machine. Virtual machines frequently run antivirus software and tools that can be used to analyze the malware. Next, it collects information about the compromised host and sends it back to the command-and-control server to register the compromised computer. At this point, it modifies the Windows host file to redirect a number of popular search engines to a malicious IP address which displays pop-up advertisements embedded within search results.

Trojan.Rloader.B also targets Mozilla Firefox and Internet Explorer Web browsers by modifying their preferences to redirect search requests to http://findgala.com. This is also done to display advertisements on the compromised computer.

During our investigation, we noticed Trojan.Rloader.B dropping a second click-fraud component previously detected as Trojan.Spachanel, which we discussed in a previous blog. When executed, Trojan.Spachanel injects JavaScript to load pop-up advertisements within the compromised browser.


Figure 4. Pop-up advertisement example

Symantec has detections in place for the new Rloader variant as Trojan.Rloader.B. We have updated the detections for Spachanel click-fraud modules as Trojan.Spachanel. Symantec will continue to monitor the activities of the Waledac botnet while ensuring the best possible protection is in place for our customers. To aid in protection against botnet infection, Symantec recommends that you employ the latest Symantec technologies.