@stealyourmoney -- TweetFace Has a Tinyurl 4u
Koobface joined the Twittersphere, and the Twittersphere is fighting back. It's good to see response from the social networking infrastructure.
Waledac Fourth of July Run
Over the past couple of months, the Waledac spam/botnet effort seemed to be dwindling. A large software company attempted to take credit for cleaning up the "ecosystem" of Waledac with their cleanup tool release.
In the meantime, Waledac's presence on systems started to change and appear in lower volumes, flying under the radar of many groups. The ThreatFire community saw Waledac code injected into svchost processes and prevented by ThreatFire in low volumes, bundled with other attacks.
Swine Flu and Canadian Pharmacies
Not surprisingly, spammers are taking advantage of the current swine flu news topic to link to the very same Waledac-style Canadian pharmacy sites that we have presented in previous posts.
New Waledac Run
The Waledac gang continues to host more malicious sites, growing their botnet. It seems unusual, given the effort underway to spread the bot through other means.
Nonetheless, potential victims/visitors are presented with a new SMS spy offer:
Downadup + Waledac?
We have come across a system infected with W32.Downadup.C that has provided some interesting information. We discovered some similarly named files, 484528750.exe and 484471375.exe, which had shown up in the \Windows\temp folder within one minute of each other. These files turned out to be W32.Waledac and a modified W32.Downadup variant, respectively.
Terror Attack in ???
Fill in the blank, depending on where you are. This new Waledac scheme attempts to play on fear, but the U.S. Homeland Security Advisory probably is not going to be raised above orange because of it. This newest malware distribution campaign emails out shocking and phony reports of terrorism. A link within the message redirects a user's browser to a phony Reuters video. The Waledac distributors also continue to use geoIP locators to identify the location of a user browsing their sites, customizing their messages, which are littered with poor English grammar.
Much Tedroo about Nothing
"Get thee to heaven, Beatrice, get thee to heaven. Hell's no place for maids." Beatrice wasn't a spammer.
Waledac Spam Delivery Estimates
Spam operations are progressing indeed. Dancho Danchev recently posted insightful images of an active managed spam service.
Antivirus Scanner Sites and the Quest for "Fully UndetecteD"
It's always disappointing to see traditional antivirus scanners miss malware detections, especially those in the formal WildList (the WildList is not dead! Well, not completely). It does and will happen, even with the best performing scanners. And witnessing the detection rates and delays in AV detection updates for various malware families that are being run on end user systems but prevented by behavioral protection can be a bit overwhelming. Layered protection is an important part of keeping a system secure.