Malware purveyors skeeve around the Inauguration

New Administration, new(ish) botnet? Maybe the perpetrators of Waledac have that sort of sense of history. They're definitely taking advantage of everyone else's sense of the importance of the moment.

The latest malware pitch appears tailored to would-be purchasers of commemorative gear. According to analysts at MessageLabs, 0.2% of all spam on Tuesday was "related" to the new president and the activities around his inauguration.

In particular, analysts have noticed that certain messages -- many with subject lines offering those "commemorative coins" that seem to sprout like weeds around big events -- are pointing people to a site that looks a bit like the now-finished change.org. (Even cheekier: In the hours before the inauguration, the spam claimed that Obama had decided not to be president after all.)

The sites, which have URLs such as superobamaonline.com, thebaracksite.com and greatobamaguide.com, point in turn to unclean files such as pdf.exe, file.exe, news.exe and ecard.exe. Canny readers will discern at once that those are all executables.

Paul Wood, a senior analyst with MessageLabs, also notes that there's some trickery afoot in the form of wildcard DNS records, which let any number of subdomains -- including ones nobody ever set up -- resolve to the same IP address. "Wildcards in URLs allow the spammer to construct many variations of a Web site without having to register each and every one, giving spammers more power and reach with less legwork, as a single wildcard will resolve any sub-domain that hasn't been explicitly registered," he says.
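As an added illustration (not code from MessageLabs or from this article), here is a small Python check that applies the test Wood's description implies: resolve a few random, never-registered labels under a domain and see whether they all come back with an address, which is the signature of a wildcard record. It also flags links whose path ends in an executable, the other tell in the campaign above. The resolver, the zone contents, the addresses (from the 192.0.2.0/24 documentation range) and the sample URLs are constructed for the example; the hostnames are the ones the article names, but the records attached to them here are invented, and the domains are long dead, so a live lookup today would tell you nothing about the 2009 campaign.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Constructed stand-in for real DNS. A "*.domain" key plays the role of a
# wildcard record: every label under that domain resolves to its address.
SAMPLE_ZONE: Dict[str, str] = {
    "superobamaonline.com": "192.0.2.10",
    "*.superobamaonline.com": "192.0.2.10",   # wildcard: anything resolves
    "thebaracksite.com": "192.0.2.11",
    "www.thebaracksite.com": "192.0.2.11",    # explicit records only
}

# Constructed sample links of the shape the article describes.
SAMPLE_URLS: List[str] = [
    "http://news.superobamaonline.com/news.exe",
    "http://www.thebaracksite.com/ecard.exe",
    "http://thebaracksite.com/index.html",
]

Resolver = Callable[[str], Optional[str]]


def fake_resolve(name: str) -> Optional[str]:
    """Offline resolver over SAMPLE_ZONE. Mirrors the basic wildcard rule:
    an exact record wins, otherwise walk up the name looking for '*.parent'."""
    name = name.lower().rstrip(".")
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    while parent:
        if "*." + parent in SAMPLE_ZONE:
            return SAMPLE_ZONE["*." + parent]
        parent = parent.split(".", 1)[1] if "." in parent else ""
    return None


def live_resolve(name: str) -> Optional[str]:
    """Real lookup through the system stub resolver (network required)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_label(length: int = 12) -> str:
    """A label long enough that it will not collide with a real hostname."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def has_wildcard_dns(domain: str, resolve: Resolver = live_resolve,
                     probes: int = 3) -> bool:
    """True when every random probe label under `domain` resolves.
    Several probes guard against a single lucky hit on a real name."""
    for _ in range(probes):
        if resolve(f"{random_label()}.{domain}") is None:
            return False
    return True


def registrable_domain(host: str) -> str:
    """Crude: keeps the last two labels. Good enough for .com-style names;
    a real tool would consult the public suffix list for .co.uk and friends."""
    return ".".join(host.lower().split(".")[-2:])


def triage_urls(urls: List[str], resolve: Resolver = live_resolve) -> List[dict]:
    """Flag links that download an executable and links hosted on a domain
    that answers for arbitrary subdomains."""
    report = []
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        report.append({
            "url": url,
            "executable": parsed.path.lower().endswith(".exe"),
            "wildcard_domain": has_wildcard_dns(registrable_domain(host), resolve),
        })
    return report


if __name__ == "__main__":
    for row in triage_urls(SAMPLE_URLS, fake_resolve):
        print(row)
```

Swap `fake_resolve` for `live_resolve` to run the probe against real DNS; keep in mind that a wildcard answer is not by itself malicious (plenty of legitimate hosting setups use one), so it is a triage signal to combine with the executable-download check, not a verdict on its own.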

Waledac, meanwhile, is a name you'll be getting to know in the new year. Some researchers think it's a descendant of the old (and now nearly defunct) Storm botnet, which was responsible for about one-fifth of all spam in 2008 before being shot down late in the year. (Other researchers aren't so sure about the bloodline, but don't dispute the similar potential for mayhem.) The Win32 worm harvests and forwards password information to one of several dozen IP addresses, and can be remotely launched or upgraded.
