• United States



by Senior Editor

Is Storm/Waldec botnet part of New Year spam campaign?

Jan 03, 20112 mins
BotnetsCybercrimeData and Information Security

Researchers with Shadowserver Foundation think they are seeing some new tricks from an old botnet. And it could mean a comeback in 2011

The Storm/Waldec botnet may be behind a new spam campaign that was recently launched to kick off 2011. According to researchers with Shadowserver Foundation, the campaign is designed to look like a New Year’s-themed e-card. Users receive a message that says “Charley has created a New Year e-card. To view this page please click here.” The user is then directed to a server that asks them to download a Flash player, which in turn installs malware onto the user’s machine.

Get a behind the scenes look at how the Shadowserver Foundation works in The Botnet Hunters

“At first it looked like your regular old holiday e-card scams that have been around for years. However, upon closer inspection it looks like we could be dealing with the next generation of Storm Worm or Waledac,” said Steven Adair of Shadowserver in a post. “If you consider Waledac to be Storm Worm 2.0, this looks like it could be version 3.0 or at least Waledac 2.0.”

According to Shadowserver, among some of the newer components of the latest spam effort are new malicious domains that are fast flux, links are to several hacked websites hosting HTML pages that refresh to new malicious domains, and malware that’s been updated to look a bit more like legitimate than past variants.

More about botnets

“We have not done any analysis to see if there are actually any pieces of the code that were directly taken or updated from the Storm Worm or Waledac code,” the post states. “However, whether or not the code is the same or not, this appears to be the next generation of Storm Worm and Waledac. We are just saying it could be Storm Worm 3.0, at least until someone gives it a better name. “

First detected in 2007, Storm botnet was responsible for large volumes of spam for more than two years until a decline in late 2008. Last April researchers with McAfee said rumors of a Stormbot 2 had been verified.