Microsoft believes a botnet linked by other researchers to the theft of nearly 124,000 FTP credentials is not Waledac, but a new botnet known as Kelihos.
Microsoft is contending the botnet other researchers have tied to the theft of FTP
server credentials is not Waledac but a close relative.
Microsoft is calling the botnet Kelihos. According to the
company, the botnet shares large portions of its code with
Waledac, and may be the result of collaboration.
"Microsoft researchers and security community researchers are seeing
striking similarities in the malware, which suggests that the Waledac
code was shared; on the other hand, there are enough substantial
customizations and changes to the code to suggest that a different
malware developer was the creator of Kelihos," explained T.J. Campana,
senior program manager for Microsoft's Digital Crimes Unit.
But security analyst Brett Stone-Gross is not so sure.
"Waledac 2.0 and Kelihos are the same botnet," said Stone-Gross,
threat analyst at LastLine. "The guys behind Kelihos
and Waledac are one and the same. The botnet's architecture,
malware and method of propagation are virtually identical."
Stone-Gross released information earlier
week linking what he called Waledac 2.0 to nearly 124,000 stolen
FTP credentials as well as a cache of almost 500,000
stolen credentials for POP3 e-mail accounts. According to
LastLine, the botnet's operators are using an automated program to log
in to the FTP servers in order to redirect users to sites serving
malware or promoting cheap pharmaceuticals. Last month, 222 Websites
containing 9,447 pages were found to have been compromised.
The news followed Microsoft's takedown of Waledac last year in a court case
that grew out of a larger effort known as Operation b49
As a result of the court action, the company seized control of 276
domains used by Waledac - none of which are being communicated
with by the new botnet, according to Microsoft's Malware Protection
"The most striking similarities that indicate a shared codebase can
be seen in the botnet's function," Campana said. "Both Microsoft
Digital Crimes Unit staff and those working on this issue in the
security community have observed very similar communication mechanisms
between the infected machines in Kelihos, and the communication
mechanisms in Waledac."
An analysis by MMPC
also revealed the botnet is using fast-flux in much the same way as Waledac as well.
"Criminals and criminal networks often use and re-use the same code
as way to save time or effort," Campana said. "In this specific case,
although similar code is used, the botnets have two entirely different
infrastructures which makes them two different botnets."