Fake Holiday eCards: Are You Surprised?

Yesterday, we started to receive reports of emails pretending to carry links to holiday cards.  These emails contain a link that points to a file named ecard.exe.  Of course, this executable is not a seasonal holiday card but malware.  The reason this wave of malware has attracted our attention is that it is very similar to the Storm Worm attacks we were seeing last year.

Although this attack uses fast-flux DNS to make its web servers harder to trace, and a redirection page very similar to those Storm used last year, this is not the resurrection of the Storm botnet.  Analysis of the binary shows it to be different from Storm: it was written in a different programming language and includes different functionality.  This malware, detected as a variant of Win32/Waledac by ESET Antivirus, has no peer-to-peer capability and uses an open-source packer instead of the custom packers Storm relied on.  Waledac also has cryptographic capabilities that were not present in Storm.
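The fast-flux behaviour mentioned above is visible from the resolver side: the hostname in the ecard link resolves to many unrelated addresses, the answers carry a short TTL, and the address set changes from one lookup to the next. The following is an added example (not ESET's code and not derived from the Waledac binary) of a heuristic that scores a sequence of DNS lookups on those three properties. The `Lookup` records, the threshold constants and the 10.x addresses are constructed for illustration; on real resolver logs the addresses would be public and the /16 grouping is only a cheap stand-in for ASN diversity.

```python
"""Heuristic fast-flux detector over a sequence of DNS lookups for one hostname.

Added example, not part of the original post. Thresholds and sample data are
assumptions; tune them against your own resolver logs before relying on them.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Sequence, Set, Tuple


@dataclass(frozen=True)
class Lookup:
    """One resolution of the hostname: when it happened, the answer TTL, the A records."""
    ts: int               # seconds since epoch (only ordering matters here)
    ttl: int              # TTL of the A records, in seconds
    ips: Tuple[str, ...]  # addresses returned in this answer


# Assumed thresholds (not from the post); all four must fire for a positive.
MAX_TTL = 600          # fast-flux answers are short-lived
MIN_DISTINCT_IPS = 8   # many distinct addresses over the observation window
MIN_DISTINCT_NETS = 4  # spread over unrelated /16s, a proxy for many ISPs/ASNs
MIN_CHURN = 0.5        # on average, half of each answer was not in the previous one


def _net16(ip: str) -> str:
    """Collapse an address to its /16 so we can count network diversity."""
    return str(ip_network(f"{ip}/16", strict=False))


def churn(lookups: Sequence[Lookup]) -> float:
    """Average fraction of each answer that was absent from the previous answer."""
    if len(lookups) < 2:
        return 0.0
    total = 0.0
    for prev, cur in zip(lookups, lookups[1:]):
        prev_set, cur_set = set(prev.ips), set(cur.ips)
        total += len(cur_set - prev_set) / max(len(cur_set), 1)
    return total / (len(lookups) - 1)


def fast_flux_indicators(lookups: Sequence[Lookup]) -> Dict[str, float]:
    """Compute the raw indicators; callers can log these even when no threshold fires."""
    ips: Set[str] = set()
    nets: Set[str] = set()
    for lk in lookups:
        for ip in lk.ips:
            ip_address(ip)  # raises ValueError on malformed input rather than miscounting
            ips.add(ip)
            nets.add(_net16(ip))
    return {
        "min_ttl": min(lk.ttl for lk in lookups),
        "distinct_ips": len(ips),
        "distinct_nets": len(nets),
        "churn": churn(lookups),
    }


def is_fast_flux(lookups: Sequence[Lookup]) -> bool:
    """Require all indicators: a short TTL alone also describes ordinary CDNs."""
    ind = fast_flux_indicators(lookups)
    return (ind["min_ttl"] <= MAX_TTL
            and ind["distinct_ips"] >= MIN_DISTINCT_IPS
            and ind["distinct_nets"] >= MIN_DISTINCT_NETS
            and ind["churn"] >= MIN_CHURN)


# Constructed sample: a flux hostname whose answers rotate across many /16s every TTL.
FLUX_LOOKUPS = (
    Lookup(0,   300, ("10.1.4.7", "10.2.9.1", "10.3.22.5", "10.4.8.9")),
    Lookup(300, 300, ("10.3.22.5", "10.5.1.2", "10.6.77.3", "10.7.14.6")),
    Lookup(600, 300, ("10.5.1.2", "10.8.3.3", "10.9.9.9", "10.10.5.1")),
    Lookup(900, 300, ("10.11.2.2", "10.12.6.6", "10.8.3.3", "10.13.1.4")),
)

# Constructed sample: a CDN-style hostname with a short TTL but a stable address set.
CDN_LOOKUPS = (
    Lookup(0,   60, ("10.20.0.10", "10.20.0.11", "10.20.0.12")),
    Lookup(60,  60, ("10.20.0.11", "10.20.0.12", "10.20.0.10")),
    Lookup(120, 60, ("10.20.0.10", "10.20.0.11", "10.20.0.12")),
)

if __name__ == "__main__":
    for name, data in (("flux", FLUX_LOOKUPS), ("cdn", CDN_LOOKUPS)):
        print(name, fast_flux_indicators(data), "fast-flux" if is_fast_flux(data) else "ok")
```

The point of the CDN sample is the caveat: content-delivery networks also hand out short TTLs, so TTL by itself is a poor signal. The churn and network-diversity indicators are what separate a flux network of infected home machines from a load-balanced service, and in practice you would replace the /16 grouping with an ASN lookup.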

What we are observing today is proof that malware authors are learning from each other’s errors and successes.  After seeing that Storm was able to infect thousands of systems last year with Christmas-related social engineering, the criminals behind other malware families are now trying to emulate that success.

Pierre-Marc Bureau
Researcher
