December 31, 2010

Yesterday's New Year email post is Storm/Waledac

Patrik Runald

Yesterday's post titled "New Year themed Malicious Email on the Prowl" and the emails mentioned were an early campaign done by what's now believed to be Storm v3 or Waledac v2. As our friends over at ShadowServer mention the campaign has now changed to be much more basic:

The URL in the email leads to lots of different sites, all compromised, where the user is immediately redirected using a <meta refresh> tag to one of the following domains:




Once on that page the user is presented with a really simple page that just asks them to download a fake Adobe Flash player: 


This simple page is not really what we've come to expect from Storm/Waledac who in previous attacks have used professional looking websites very relevant to the theme they've used. Here are some example: 

Halloween theme

NFL theme

Krackin' theme

Kitty Greeting Card theme


In very few cases we have seen the page contain an obfuscated JavaScript that try to use exploits to push the file to the user's PC. In most cases however the user is redirected again after 5 seconds, this time to a site that serve exploits although this site is not available right now.


A few other noteworthy things about this attack:

  • The domains it uses to serve the malware are fast-fluxing which means that when you request the URL it redirects to you a different IP address every time
  • The file itself is either server-side generated or just updated very frequently
  • AV coverage is pretty bad - 6/42 (14.3%)


The spam campaign itself is still ongoing and we'll keep monitoring this over the weekend to see how if the attack changes.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.