Not surprisingly, spammers are taking advantage of the current swine flu news topic to link to the very same Waledac-style Canadian pharmacy sites that we have presented in previous posts.
This news-event campaigning is reminiscent of the Storm-cum-Waledac groups’ efforts over the past couple of years. Nothing new, nothing ancient here. We have not seen any client-side exploit sites set up for this event just yet and speculate that the Waledac group’s botnet has reached an economy of scale and attracted some unwanted attention via inclusion of the bot in the Conficker and Koobface efforts.
Here is a current storefront matching previous Waledac-spammed Canadian pharmacy storefronts. While they have moved on from registering through Xin Net Technology in China, the randomized domain names are being generated with the same patterns under a similar provider: