Researchers discovered a trove of stolen e-mail passwords and FTP credentials.
Last year, Microsoft made a splash when it led a legal charge against Waledac's operators and gained control of 276 domains belonging to the botnet. But Waledac does not die easily, something underscored recently by researchers at The Last Line of Defense, which uncovered a trove of nearly 124,000 FTP credentials stolen by the botnet.
The login credentials to the FTP servers are a key part of Waledac's operation. According to The Last Line of Defense, the botnet's operators are using an automated program to log in to those servers to redirect users to sites that serve malware or promote cheap pharmaceuticals. In January, researchers observed 222 Websites, containing 9,447 pages, that had been compromised.
Most of the sites were relatively low-traffic, Brett Stone-Gross, a threat analyst for The Last Line of Defense, told eWEEK. "The category of (the) sites was all across the board, including personal Websites, SMBs, adult, religion, etc.," he said.
At the start of the year, security pros linked Waledac to an e-card spam campaign that was making the rounds on the Internet. Waledac's resurrection followed legal maneuvering by Microsoft, which won a decision against the botnet's masterminds last September. The botnet was once capable of sending out more than 1.5 billion spam messages a day; by Aug. 30, 2010, the number of unique infected IP addresses had dropped to 58,000, Microsoft said in September.
"Microsoft was previously able to take down the Waledac infrastructure so that infected hosts could no longer communicate with the botnet controllers," Stone-Gross said. "However, those behind the Waledac operation (once again) used their expertise in social engineering to propagate their malware through greeting cards, in order to recruit machines into the botnet with a new command-and-control center."
The Last Line of Defense is working with a number of organizations to notify the victims, he said.
In the event FTP credentials are stolen, organizations should not only move to change the relevant passwords but also the IP addresses of the servers involved, advised Roy Adar, vice president of product management for Cyber-Ark.
But FTP credentials were not the only thing that was found. Researchers also discovered 500,000 stolen passwords for POP3 e-mail accounts. These credentials are known to be used for "high-quality" spam campaigns, Stone-Gross wrote in a blog post. The technique, he added, abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages, thereby making IP-based filtering considerably more difficult.
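Because the spam leaves the victim's own mail server, blocking by sender IP does little; a mail administrator has to look at the account instead. The following is an added example, not code from the article or from The Last Line of Defense: it summarizes SMTP-AUTH submission logs per account and flags accounts that authenticate from many unrelated client addresses or submit unusually large volumes. The log format, account names, addresses and thresholds are all constructed for the example.

```python
"""Flag mail accounts whose stolen credentials are being used for SMTP-AUTH spam."""
import re
from collections import defaultdict

# Constructed sample log (hypothetical postfix-like layout): each line is one
# successful SMTP-AUTH login and the number of messages submitted in that session.
SAMPLE_LOG = """\
Jan 12 08:01:02 mx1 smtpd: sasl_login=alice@example.org client=203.0.113.10 msgs=3
Jan 12 08:05:44 mx1 smtpd: sasl_login=bob@example.org client=198.51.100.7 msgs=1
Jan 12 08:06:10 mx1 smtpd: sasl_login=alice@example.org client=203.0.113.10 msgs=2
Jan 12 08:07:31 mx1 smtpd: sasl_login=carol@example.org client=192.0.2.11 msgs=40
Jan 12 08:07:35 mx1 smtpd: sasl_login=carol@example.org client=192.0.2.87 msgs=55
Jan 12 08:07:40 mx1 smtpd: sasl_login=carol@example.org client=198.51.100.200 msgs=60
Jan 12 08:07:52 mx1 smtpd: sasl_login=carol@example.org client=203.0.113.250 msgs=48
"""

LINE_RE = re.compile(r"sasl_login=(?P<user>\S+) client=(?P<ip>[\d.]+) msgs=(?P<n>\d+)")


def summarize(log_text):
    """Return {account: (distinct client IPs, total messages submitted)}."""
    ips = defaultdict(set)
    msgs = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        ips[m["user"]].add(m["ip"])
        msgs[m["user"]] += int(m["n"])
    return {user: (len(ips[user]), msgs[user]) for user in ips}


def flag_abused_accounts(log_text, max_ips=2, max_msgs=100):
    """Accounts driven from more than max_ips hosts or above max_msgs messages.

    A legitimate user authenticates from one or two addresses; credentials
    handed to a botnet are used from many infected hosts at once.
    """
    return sorted(user for user, (n_ips, n_msgs) in summarize(log_text).items()
                  if n_ips > max_ips or n_msgs > max_msgs)


if __name__ == "__main__":
    for user, (n_ips, n_msgs) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{user}: {n_ips} client IPs, {n_msgs} messages")
    print("suspect accounts:", flag_abused_accounts(SAMPLE_LOG))
```

Flagged accounts are candidates for a forced password reset and a review of the affected mailbox, which addresses the credential rather than the ever-changing source addresses.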
"In addition to the compromised credentials, we also had visibility of newly infected nodes connecting to a bootstrap Command-and-Control (C&C) server," he blogged. "The bootstrap server speaks a proprietary protocol known as ANMP, and disseminates a list of router nodes (other compromised hosts) to infected machines. Note that every node generates a random 16-byte ID that is reported back to Waledac's C&Cs. Our analysis indicates that the bootstrap service first appeared online on December 3, 2010, well before the New Year's spam campaign."
In total, he blogged, there were 12,249 unique node IDs connecting to the bootstrap C&C, and 13,070 router IDs.
"The Waledac botnet remains just a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses," Stone-Gross wrote.