Waledac is Back, Brings New Tools to the Fight

Two years ago, Microsoft took down a nasty botnet named Waledac in what was, at the time, a pretty unprecedented move. Microsoft teamed up with several other interested parties and went to U.S. Federal Court, securing a warrant that forced VeriSign to shut down the 277 .com domains that served as the connection between the command and control (C&C) servers and the 70,000-90,000 zombie PCs under Waledac's control.

Microsoft also teamed up with Shadowserver, the University of Washington and others to launch a stealth attack against the botnet, intercepting the hybrid peer-to-peer HTTP communications between the C&C servers and the zombies, after researchers in Europe had opened the door for the attack by infiltrating the botnet.

Waledac, which was a variant itself of the Storm botnet, was probably long forgotten in the wake of other bots named Kelihos, Coreflood and Rustock, each of which has suffered its own demise in the past year or so. Like other botnets of the time, Waledac was heavy into spamming, and that hasn’t changed in this variant. What has changed, however, is that the resurrected version has a few new tools in its arsenal, something that has researchers a little worried.

In its last iteration, which was already version 2 of Storm, Waledac was notorious for its ability to send out 1.5 billion spam e-mail messages a day, covering the usual craptastic cadre of spam-specific topics: fake products, stock spam scams, online pharmacy junk, and big-money-for-little-work job scams.

If that wasn’t bad enough, according to darkreading.com, researchers say the new version of the malware not only sends spam, “but also steals passwords and other credentials: It can sniff for FTP, POP3, and SMTP user credentials, as well as pilfer .dat files for FTP and BitCoin.” Also according to darkreading.com, it’s the first time researchers have “spotted Waledac malware doing more than spam.” Says researcher Wade Williamson, “it is the first time that we have seen it. There have been other reports of Waledac popping up that were doing similar things, but the version of Waledac that was taken down by Microsoft was not stealing passwords.”

The researchers were able to identify the new malware as a Waledac variant because of the C&C model, which was identical to the version taken down by Microsoft in March of 2010. “We were able to match specific quirks in the code based on how the bot handles specific types of communications,” he says. “What’s unclear, however, is whether it’s the same gang that ran Waledac or another group who got access to the code.” Furthermore, it doesn’t appear that this Waledac has any impact on the domains controlled by Microsoft after the 2010 takedown. Says Williamson, “this looks like a restart.”

According to PC World Magazine, Waledac had indeed been dead for two years. The magazine quotes e-threats analyst Bogdan Botezatu: “we have closely monitored the Web space during international events such as the deaths of political leaders and calamities – moments when the Waledac botnet would run at peak capacity before the takedown and did not notice any malicious activity on that front.”

Microsoft also weighed in on the situation, stating, “since taking down the Waledac botnet in 2010, the botnet remains dead and Microsoft continues to control the domains once used by the botnet’s operators. We also regularly work with ISPs and CERTs around the world to help people remove the Waledac malware and regain control of their computers. Meanwhile, we constantly monitor evolving threats, including variants of botnets we have taken down as well as emerging threats…we also follow our botnet cases wherever they lead us to hold those responsible accountable for their actions.”

Some researchers have identified compromised websites as the distribution channel for the new malware, infecting visitors during web sessions, but Botezatu believes that is only part of the problem. “What it is sure is the fact that the newly added functionalities (email and FTP credentials harvesting) will contribute to an explosive development of the new botnet. FTP accounts will likely be used to accommodate binary copies of the bots, while the e-mail accounts will be used to propagate spam through not-yet-blacklisted mail servers.”

He strongly recommends antispam and antivirus solutions as means to mitigate the risk. “We also advise that users rely on SFTP and SSL when connecting to FTP and mail servers, respectively, in order to minimize the risk of network sniffing.”
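The following is an added example, not code from the article or from the researchers quoted in it: a small Python audit that shows, for each of the protocols named above, what a sniffer on the network path can read from a cleartext login and why the SFTP/SSL advice removes that exposure. The session ids, ports and capture lines are constructed sample data; the audit reports usernames only, never the passwords themselves.

```python
import base64
from typing import NamedTuple

class Finding(NamedTuple):
    session: str
    protocol: str
    username: str

# Ports where the login is readable on the wire. The implicit-TLS ports
# (990 FTPS, 995 POP3S, 465 SMTPS) are absent on purpose: only ciphertext is visible there.
CLEARTEXT_PORTS = {21: "ftp", 110: "pop3", 25: "smtp", 587: "smtp"}
# Client commands that upgrade a cleartext session to TLS; everything after them is opaque.
STARTTLS_COMMANDS = {"ftp": "AUTH TLS", "pop3": "STLS", "smtp": "STARTTLS"}

def _sasl_plain_user(arg):
    """Decode SASL PLAIN (authzid NUL authcid NUL password) and return the authcid only."""
    try:
        parts = base64.b64decode(arg, validate=True).split(b"\0")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else None

def find_exposed_credentials(records):
    """Return one Finding per session whose login was visible in cleartext."""
    findings, upgraded, pending_user = [], set(), {}
    for session, port, line in records:
        proto = CLEARTEXT_PORTS.get(port)
        if proto is None or session in upgraded:
            continue  # encrypted from the start, or already upgraded to TLS
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if line.strip().upper() == STARTTLS_COMMANDS[proto]:
            upgraded.add(session)
        elif proto in ("ftp", "pop3") and cmd == "USER":
            pending_user[session] = arg
        elif proto in ("ftp", "pop3") and cmd == "PASS" and session in pending_user:
            findings.append(Finding(session, proto, pending_user.pop(session)))
        elif proto == "smtp" and cmd == "AUTH" and arg.upper().startswith("PLAIN "):
            user = _sasl_plain_user(arg.split(" ", 1)[1])
            if user:
                findings.append(Finding(session, proto, user))
    return findings

# Constructed sample capture: (session id, server port, client line as seen on the wire).
SAMPLE_CAPTURE = [
    ("s1", 21, "USER alice"), ("s1", 21, "PASS hunter2"),
    ("s2", 110, "USER bob@example.org"), ("s2", 110, "PASS p0p-secret"),
    ("s3", 587, "EHLO laptop"),
    ("s3", 587, "AUTH PLAIN " + base64.b64encode(b"\0carol\0sm7p-pw").decode()),
    ("s4", 587, "STARTTLS"), ("s4", 587, "\x16\x03\x03..."),  # TLS records: opaque
    ("s5", 995, "\x16\x03\x03..."),  # POP3S: encrypted from the first byte
]

if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_CAPTURE):
        print(f"{f.session}: {f.protocol} login for {f.username!r} sent in cleartext")
```

Only sessions s1, s2 and s3 are reported; the STARTTLS-upgraded SMTP session and the POP3S session expose nothing, which is exactly the effect of the mitigation Botezatu recommends.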
