Valentine's Day Themed Spam from the New Storm Botnet
Starting during the 8pm MST hour on Thursday night (January 22nd), our Threat Operations Center observed a new Valentine's Day themed spam campaign that appears to be coming from the Waledac botnet (new Storm botnet) gang. It follows the Storm tradition of sending out holiday-themed emails, which lends further validation to the theory that the folks behind Waledac are likely the same ones who created Storm.
Emails are short and sweet one-liners with content like "Me and You", "In Your Arms", and "With all my love" followed by a web site link. No malware is attached to the email itself. Subject lines also have a love theme to them. Some of the examples that our Threat Operations Center has observed include "Falling in love with you", "I belong to you", and "I love being in love with you". Once the link in the email is clicked, the user is brought to a site that has an image of 12 hearts with the bold text "Guess, which one is for you?" and looks like the following:

Clicking anywhere within the hearts follows a link to an executable file that the user can download and install to infect themselves. Infection does not occur merely by visiting the page. The executable file (e.g. you.exe or love.exe) must be run to install the malware.
This page is also using Google Analytics to track number of visitors and where those visitors are coming from.
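As an added example (not code from the original post), the following Python function scores a message against the traits described above: a love-themed subject, a one-line body followed by a single link, and no attachment. The phrase lists are the examples quoted in the post; the sample messages, addresses and host names are constructed placeholders.

```python
import re
from email import message_from_string

# Phrases quoted in the post; the post calls them examples, so the lists are partial.
SUBJECTS = {"falling in love with you", "i belong to you",
            "i love being in love with you"}
BODY_LINES = {"me and you", "in your arms", "with all my love"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample messages (not captured traffic).
SAMPLE_SPAM = ("From: a@example.com\nTo: b@example.com\n"
               "Subject: I belong to you\n\n"
               "With all my love\nhttp://landing.example/\n")
SAMPLE_HAM = ("From: c@example.com\nTo: b@example.com\n"
              "Subject: Falling in love with you\n\n"
              "Hi Sam,\nThe lyrics you asked for are at http://lyrics.example/song\n"
              "See you Friday.\n")


def text_body(msg):
    """Return the first inline text/plain part, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def score_message(raw_message):
    """Check one RFC 5322 message for the campaign traits; 'flag' is the verdict."""
    msg = message_from_string(raw_message)
    body = text_body(msg)
    urls = URL_RE.findall(body)
    # Non-empty text lines that remain once the links are taken out.
    lines = [ln.strip() for ln in URL_RE.sub("", body).splitlines() if ln.strip()]
    hits = {
        "subject_theme": msg.get("Subject", "").strip().lower() in SUBJECTS,
        "one_liner_plus_link": len(lines) == 1 and len(urls) == 1,
        "body_theme": bool(lines) and lines[0].lower().rstrip(".!") in BODY_LINES,
        "no_attachment": not any(p.get_filename() for p in msg.walk()),
    }
    # Require the structural trait plus at least one themed phrase, so a
    # legitimate mail that merely shares a subject line is not flagged.
    hits["flag"] = (hits["one_liner_plus_link"] and hits["no_attachment"]
                    and (hits["subject_theme"] or hits["body_theme"]))
    return hits


if __name__ == "__main__":
    for name, sample in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(name, score_message(sample))
```

Exact phrase matching only catches the wording listed here, so the structural check (one line, one link, no attachment) is the part that carries over when the campaign rotates its text.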
Volumes have been modest, but have accounted for about 10% of the malicious email that we have seen within the past 24 hours. Traffic has been steadily increasing since these emails were first observed, as illustrated in the graph below:

Clearly the old Storm folks are working as hard as they can to build up their new botnet and are following the old tried and true method of centering their social engineering tactics around holiday themes. It was very successful for them the last time around, so why fix what isn't broken, right? Nevertheless, it still impresses me that tactics like this continue to work and be so effective despite how many times they get recycled.
*** UPDATE 1/23/2009 3:20pm MST *** Volumes have been steadily increasing over the course of the day. Average volume since 9am is about 11k per hour. We will continue to monitor over the course of the weekend and will post updates as necessary.

*** UPDATE 1/26/2009 8:30am MST *** No significant morphs of this tactic over the weekend. The folks over at shadowserver.org have posted a list of the domains being spamvertised as part of this campaign. If you are not already doing so, you may want to consider blocking access to them. Volumes of this email have been hovering at around 4,000 per hour for the last 36 hours and appeared to take a brief 5-hour hiatus Saturday afternoon between the hours of 2-7pm MST. Maybe they were watching the NHL All Star Festivities :) Current volume graph below ***

Comments
Re: Valentine's Day Themed Spam from the New Storm Botnet
These days I think most have moved most of their personal email to places like Facebook that are pretty spam free. Only other solution is a good filter like SpamBully or spam bays.
Posted by Richard on January 24, 2009 at 11:56 AM
