I’d like to thank the City of San Diego for welcoming me with a firework display last night. It was just what I needed after 22 hours in planes and airports. :-) Maybe just a little quieter next time? (London did much the same thing to me with its Millennium celebration.) It did look pretty good, though, and the people round the swimming pool next door seemed to be enjoying it.)
We have already mentioned some rather less welcome "firework displays", courtesy of the Waledac gang, who are trying to get potential victims to click on fake ‘videos’ that actually simply infect the victims’ machines using the keywords "Fourth of July", "Independence Day" and "Fireworks". The SANS Internet Storm Center Handler’s Diary gives a link to Pierre-Marc’s blog and to WebSense’s.
Shadowserver’s web page includes a list of the latest infective domains, as well as a link to a list of 244 (currently) domain names used by Waledac and best blocked or avoided. (There’s also a link to an alphabetized version with no comments that might be more useful for feeding directly to security software.)
Sudosecure.net have a posting that contains a similar screenshot to ours and Websense’s. However, there are also some past posts there on Waledac that you might find interesting. One of the interesting (if frustrating) aspects of the way in which a botnet develops is that to some extent, by simply reporting our observations we actually risk causing the criminals behind the bot to modify that behaviour. Specifically, we’ve seen this somewhat Heisenbergian effect from time to time in relation to Storm and Conficker, but in fact the bad guys have been watching us as closely as we watch them for a long time (even before malware authors became more interested in ROI – Return On Investment – than PoC – Proof of Concept).
What this means in practice, of course, is that now there’s so much information out there on the latest wave of Waledac attacks, it’s possible that the gang will introduce changes to their modus operandi. Such is the war of attrition in which we’re engaged…
And yes, I do know that the application of Heisenberg’s uncertainty principle to social phenomena can be misleading: however, its use in inappropriate contexts is so well established now, I figured I might as well get in the reference before someone else does, and should get brownie points for also working in an also not quite accurate – but common - use of a concept from game theory. ;-)
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence