This post was originally posted on the Microsoft Malware Protection Center blog.
Whilst Win32/Waledac is probably best known for the ability to send spam, it can also download and execute arbitrary files. In addition to using this downloading mechanism to update itself, Waledac can also download other malware. The MMPC has observed the download of Trojan:Win32/FakeSpypro and TrojanDownloader:Win32/Rugzip variants.
Downloading and executing arbitrary files is not confined to malicious software. Waledac also attempts to download and install a version of the freely available packet capturing library "WinPcap". This spambot leverages the capability of the library to "sniff" network traffic, searching for credentials being transmitted as part of SMTP, POP, HTTP and FTP protocols.
In addition to what we mentioned in the previous blog that Waledac has been downloaded by variants of Win32/Bredolab, we have also seen Waledac being downloaded by Win32/Cutwail in the wild. Interestingly, the MMPC has recently identified Win32/Cutwail variants downloading the same rogue as Win32/Waledac, Win32/FakeSpypro (below it the skin for FakeSpypro rogue). Another piece of information about all things underground economy.
Now let's take a look at the MSRT telemetry after Waledac was added to MSRT in April. Waledac is the #24 most prevalent threat family this month. More than 20,000 distinct machines were detected with Waledac infection worldwide. The criminals behind Waledac seem to enjoy having the deployment mostly on XP. Note this is not normalized. As of today MSRT install base on Vista is about 37% the size of that on XP.
Factoring with the installbase, we came up with the following table of infection rate, or computer cleaned per thousand MSRT executions (CCM) widely used in Microsoft Security Intelligence Report. This table presents the top 25 Waledac infected countries, then sorted by CCM. Turkey has the highest infection rate, followed by Hungary, Switzerland and Australia.
More in my next post.