According to a report on shadowserver.org, a new Trojan, a variant of Waledac, is being distributed by spam that invites recipients to visit a web site to view a Christmas e-card. The spam claims that the victim has received an e-card; the linked page prompts the victim to download an executable (ecard.exe or postcard.exe), and running it installs the Waledac Trojan. The spam links to any of several domains, all with innocuous names like “bestchristmascard.com” or “livechristmascard.com”.
Unfortunately, the domains are difficult to shut down because they sit behind a fast-flux network: the DNS records carry short TTLs and rotate through a pool of compromised hosts, so each resolution of a domain can return a different IP address and there is no single hosting server to take down.
According to the report, there are striking similarities to the Storm worm: the fast-flux network, multiple name servers for each domain, the same ecard.exe and postcard.exe file names that Storm used, and drive-by exploits served from the domains.
Of course, the best defense is education, and users should know better than to follow links in unsolicited e-mail, let alone run an executable downloaded from the resulting page, but it happens. Shadowserver.org provides a list of domains associated with the Waledac Trojan, and even though the holiday season is now officially over, blocking the domains at the resolver or web proxy is still a good move; a lookup of one of these names from an internal host is also a useful indicator that someone clicked, so log and alert on it rather than silently dropping it. I’m reprinting the list of domains here:
bestchristmascard.com
blackchristmascard.com
cardnewyear.com
cheapdecember.com
christmaslightsnow.com
decemberchristmas.com
directchristmasgift.com
freechristmassite.com
freechristmasworld.com
freedecember.com
funnychristmasguide.com
holidayxmas.com
itsfatherchristmas.com
justchristmasgift.com
livechristmascard.com
livechristmasgift.com
mirabellaclub.com
mirabellaonline.com
newlifeyearsite.com
newmediayearguide.com
newyearcardcompany.com
newyearcardfree.com
newyearcardonline.com
newyearcardservice.com
superchristmasday.com
superchristmaslights.com
superyearcard.com
themirabelladirect.com
themirabellahome.com
whitewhitechristmas.com
yourchristmaslights.com
yourdecember.com
youryearcard.com
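A resolver-side check, as an added example written for this post rather than anything from the Shadowserver report: it matches BIND-style query-log lines against the list above (subdomains included, lookalike suffixes excluded), applies a simple fast-flux heuristic to repeated lookups of one name, and emits hosts-file sinkhole entries. The log lines, IP addresses and TTLs are constructed for the demo, and the fast-flux thresholds are assumptions, not values from the report.

```python
"""Waledac domain checks: query-log matching, fast-flux scoring, sinkhole output.
Added example; not code from the Shadowserver report. Sample data is constructed."""
import re

# The domain list reprinted above (Shadowserver), lower-cased.
WALEDAC_DOMAINS = {
    "bestchristmascard.com", "blackchristmascard.com", "cardnewyear.com", "cheapdecember.com",
    "christmaslightsnow.com", "decemberchristmas.com", "directchristmasgift.com",
    "freechristmassite.com", "freechristmasworld.com", "freedecember.com", "funnychristmasguide.com",
    "holidayxmas.com", "itsfatherchristmas.com", "justchristmasgift.com", "livechristmascard.com",
    "livechristmasgift.com", "mirabellaclub.com", "mirabellaonline.com", "newlifeyearsite.com",
    "newmediayearguide.com", "newyearcardcompany.com", "newyearcardfree.com", "newyearcardonline.com",
    "newyearcardservice.com", "superchristmasday.com", "superchristmaslights.com", "superyearcard.com",
    "themirabelladirect.com", "themirabellahome.com", "whitewhitechristmas.com",
    "yourchristmaslights.com", "yourdecember.com", "youryearcard.com",
}

# BIND-style query log: "client 10.0.0.5#53211: query: name IN A + (10.0.0.1)"
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def blocked_domain(qname):
    """Return the list entry that qname equals or is a subdomain of, else None.
    Walks the label suffixes so 'www.foo.com' matches 'foo.com' but
    'foo.com.lookalike.test' does not."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in WALEDAC_DOMAINS:
            return candidate
    return None


def find_hits(log_lines):
    """Return (client, qname, matched_domain) for each lookup of a listed domain."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        match = blocked_domain(m.group("qname"))
        if match:
            hits.append((m.group("client"), m.group("qname"), match))
    return hits


def fast_flux_score(samples, ttl_limit=300, ip_limit=5):
    """samples: [(ttl_seconds, [A-record IPs]), ...] from repeated lookups of one name.
    Returns (distinct_ip_count, min_ttl, flagged). Thresholds are assumptions:
    many distinct addresses plus a short TTL is the classic fast-flux signature."""
    ips, min_ttl = set(), None
    for ttl, addrs in samples:
        ips.update(addrs)
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
    flagged = len(ips) >= ip_limit and min_ttl is not None and min_ttl <= ttl_limit
    return len(ips), min_ttl, flagged


def hosts_sinkhole(domains, sink="0.0.0.0"):
    """Produce /etc/hosts-style lines pinning each domain (and its www host) to a sinkhole."""
    return "\n".join(f"{sink} {d} www.{d}" for d in sorted(domains))


# Constructed sample data for the demo.
SAMPLE_LOG = [
    "05-Jan-2009 10:00:01.123 client 10.0.0.5#53211: query: www.bestchristmascard.com IN A + (10.0.0.1)",
    "05-Jan-2009 10:00:02.456 client 10.0.0.5#53212: query: www.example.org IN A + (10.0.0.1)",
    "05-Jan-2009 10:03:10.789 client 10.0.0.9#41022: query: livechristmascard.com IN A + (10.0.0.1)",
    "05-Jan-2009 10:04:11.001 client 10.0.0.9#41023: query: mirabellaclub.com.lookalike.test IN A + (10.0.0.1)",
]
SAMPLE_FLUX = [  # three lookups of one name, short TTLs, rotating addresses
    (180, ["203.0.113.10", "203.0.113.22", "198.51.100.7"]),
    (120, ["198.51.100.40", "192.0.2.15", "203.0.113.10"]),
    (60, ["192.0.2.88", "198.51.100.7", "203.0.113.99"]),
]
SAMPLE_STABLE = [(3600, ["192.0.2.1"]), (3600, ["192.0.2.1"])]

if __name__ == "__main__":
    for client, qname, matched in find_hits(SAMPLE_LOG):
        print(f"ALERT {client} looked up {qname} (listed: {matched})")
    print("flux sample:", fast_flux_score(SAMPLE_FLUX))
    print("stable sample:", fast_flux_score(SAMPLE_STABLE))
    print(hosts_sinkhole(WALEDAC_DOMAINS))
```

The sinkhole lines are the cheapest block for a small shop; a resolver-level block is better on a larger network, and either way the interesting output is the alert, since a client resolving one of these names has almost certainly opened the e-card lure.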