The gang behind the Nuwar threat (also called Storm Worm or Zhelatin) has been very active during the holidays. They have been sending numerous waves of spam in an attempt to infect as many users as possible. The gang is taking advantage of the fact that a lot of researchers are taking some time off and might be slower to react during this period of the year. They might also catch users off guard, since the holidays are the time of year when many people trade electronic cards.

The latest spam run uses a list of topics related to the New Year. Once again, the objective is to convince users to open a web link and download a malicious file. This time, the web page that is displayed to the user does not have any embedded exploits. It contains only very basic text inviting the user to download and execute a file. The files can have various names, including happy2008.exe, happynewyear2008.exe, happy-2008.exe, and so on.

Nuwar’s authors are putting a lot of effort into modifying their program in an attempt to evade antivirus detection when they launch a spam run. To do so, they are modifying the packer of the malware very quickly. The threat still uses rootkit techniques to hide its presence after infection. The latest variants we have analyzed create a driver and a configuration file, and copy their executable into the windows\system32 folder. All three file names start with “kirjtkkd” and have some random characters appended to them.

The objective behind Nuwar’s operation seems to be the construction of a strong and reliable network of infected hosts. The controllers of this botnet are making huge sums of money by using the infected computers to send spam and even install other malware. As we have stated before, the creators and controllers of Nuwar have not invented anything new in the field of malware. Their strength is that they are using every tool they have in a very effective and coordinated way. One of the advantages malware authors have is time, as we have seen with Nuwar. They can remain quiet for weeks preparing their next operation and start their attack when their adversaries least expect it.

Pierre-Marc Bureau
Researcher