The Many Phases of Waledac
Over the past several weeks we have been watching the Waledac botnet go through a couple of different phases. Back in late January we reported on Waledac returning to its familiar roots: sending out spam that links to malware-infected web sites. Frequently these messages were tied to some sort of holiday and used e-cards as a lure to get potential victims to open the email and visit a malicious web site.
We saw a couple of different iterations of their most recent Valentine's Day campaigns. One was for a Valentine Devkit (see above link) and another was a lure for the ever popular e-card. Since February 22nd, Waledac has taken a bit of a different twist on its typical holiday themes and has focused its efforts on something just as timely: the economy. The Waledac folks made a copy of a legitimate web site that focuses on helping you save money (who wouldn't want to do that given current economic conditions?), couponizer.com, and sent out emails linking to their spoofed lookalike sites. As with many other Waledac/Storm generated web sites, just about everything on the page is an image. This is generally a dead giveaway to folks who have been tracking Waledac/Storm for quite some time, but it is a minor detail that is likely lost on most users, who are unaware they are being duped. These images link to a binary executable that, when downloaded and run by the user, enlists their PC in the botnet.
Below is a screenshot representation of the fake couponizer site:

Take a moment to visit the real couponizer.com and you will notice that the lookalike and legitimate sites bear some similarity.
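The "everything is an image linking to an executable" giveaway described above can be turned into a simple triage heuristic for suspicious landing pages. The following is an added example, not MX Logic's or the blog's code; the binary suffix list, the text threshold and the two sample pages are constructed assumptions for the demo.

```python
"""Heuristic check for image-only lure pages whose anchors point at a binary.
Added example, not code from the original post. Scores an HTML document on the
pattern described there: almost no visible text, images wrapped in anchors, and
those anchors leading to an executable download."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: file suffixes a Windows user would run directly if clicked.
BINARY_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


class LureStats(HTMLParser):
    """Counts visible text, images and anchors that target a binary."""

    def __init__(self):
        super().__init__()
        self.text_chars = self.images = self.anchors = self.binary_anchors = 0
        self._skip_depth = 0  # inside <script>/<style>, whose text is not visible

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "a":
            self.anchors += 1
            href = dict(attrs).get("href") or ""
            if urlparse(href).path.lower().endswith(BINARY_SUFFIXES):
                self.binary_anchors += 1
        elif tag == "img":
            self.images += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.text_chars += len(data.strip())


def score_lure_page(html, max_text_chars=200):
    """Return (is_lure, stats). Assumption: thresholds chosen for this demo."""
    p = LureStats()
    p.feed(html)
    p.close()
    stats = {"text_chars": p.text_chars, "images": p.images,
             "anchors": p.anchors, "binary_anchors": p.binary_anchors}
    is_lure = (p.binary_anchors > 0 and p.images > 0
               and p.binary_anchors == p.anchors and p.text_chars <= max_text_chars)
    return is_lure, stats


# Constructed samples: an image-only spoof and a text-heavy legitimate page.
SPOOF_HTML = """<html><body>
<a href="http://example.invalid/coupon.exe"><img src="header.jpg"></a>
<a href="http://example.invalid/coupon.exe"><img src="download.gif"></a>
</body></html>"""
LEGIT_HTML = """<html><body><h1>Save money with coupons</h1>
<p>Browse hundreds of printable grocery coupons sorted by store and brand.</p>
<a href="/coupons/grocery.html"><img src="cart.png"> Grocery coupons</a>
<a href="/about.html">About us</a></body></html>"""
```

Run `score_lure_page(SPOOF_HTML)` and `score_lure_page(LEGIT_HTML)` to see the spoof flagged and the legitimate page passed; the stats dict shows which signal drove the verdict.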
Since this new variant launched the MX Logic Threat Operations Center has been processing about 15,000 of these messages per hour, a trend that continues 5 days after the tactic's original launch.
Below is a graph that illustrates volumes and shifts in Waledac tactics since 1/23/2009 (the date we started tracking the Devkit variant):
You'll notice that there is no overlap in tactics as Waledac shifts from one template to the next. The Valentine's e-card tactic started on February 9th and the latest Couponizer spoof started on February 22nd.
Another interesting thing to notice from the graph is that we actually saw more Valentine's Day e-card spam coming from Waledac AFTER Valentine's Day than before.
Nevertheless, it is clear that the Waledac folks are working very hard to build their botnet back up to the levels it was at prior to Microsoft releasing its September 2007 MSRT update, which Microsoft claims was responsible for largely taking down Waledac's predecessor, Storm. This botnet clearly isn't just about holidays anymore.
Posted by smasiello at 3:40 PM