Waledac Offering a Fake SMS Spying Tool

The Waledac botnet has been actively used to push malware since last year.The tactics employed by Waledac are so similar to the old Storm Worm that we have reason to believe they are closely connected.Last night, the websites used to push Waledac infections got an overhaul.We started seeing infection reports of filenames like sms.exe, trial.exe, smstrap.exe, freetrial.exe and smsreader.exe.When we went searching, we noticed that the Waledac sites now looked like this:Nice graphics, jerks.Anyway, these sites had domain names like downloadfreesms.com, chinamobilesms.com and smsclubnet.com.If you check the DNS records for these domains, you'll notice that they have a time-to-live set to zero. And they use that to change their IP address every time you query it. This is fast fluxing in effect.Lets monitor the IP address of smsclubnet.com for two minutes: Time    IP 11:00:17    118.232.218.209 11:00:22    211.105.220.204 11:00:28    121.179.73.185 11:00:33    124.8.89.29 11:00:38    69.55.30.158 11:00:44    116.127.184.49 11:00:49    201.42.136.214 11:00:54    89.35.18.27 11:01:00    24.77.250.131 (continue reading...)