Researchers at ESET have reliable intelligence that the Waledac botnet is currently being prepared for a spam campaign around the Independence Day theme. They have registered at least 18 domain names all related to the theme of video, fireworks, and Independence Day. The criminals behind Waledac are preparing to start sending spam with links to supposed videos of Independence Day fireworks which are, in reality, fresh copies of the Waledac malware family. We estimate the size of Waledac's botnet as tens of thousands of infected computers. We believe that more than 20,000 compromised computers will be used to send the malicious emails, in an effort to increase the size of the botnet. This effort will allow the criminals to send out even more spam. Currently, detection of the new variants of Waledac is quite low, with only a handful of antivirus products detecting the newest threat.

The Waledac family has been active since the end of 2008 and has been known to exploit events such as Christmas or Valentine's day in order to spread in a way very similar to methods used by the infamous Storm Worm. Also, just like the Storm Worm, Waledac uses a peer-to-peer network to receive commands from its controllers. The main objective behind the Waledac operation is to use infected computers to send spam.

Consumers are reminded not to follow links in unsolicited emails, even if they appear to come from someone they know. As dangerous as fireworks can be, when used as directed, they are still safer than unsolicited emails!

Special thanks to Joan Calvet from Ecole Polytechnique of Montreal for his help on this research.

Pierre-Marc Bureau
Senior Researcher