Symantec Goes Under the Hood of Waledac Botnet

By Brian Prince  |  Posted 2009-09-04 Print this article Print

From Valentine's Day to Independence Day, pretty much all the holidays this year have had at least one thing in common -- the Waledac botnet.

In a new paper (PDF) and a series of blog posts, Symantec researcher Gilou Tenebro offers a peek into what has made Waledac one of the most active botnets today. The paper and the blog posts take a long look at the botnet's operations, from its bootstrapping and armoring capabilities to its spamming techniques.

At the center of its success is Waledac's peer-to-peer capability, which makes it more resistant to ISP takedowns like the one that crippled Srizbi.

Most botnets still use the traditional command and control model to communicate with their bots -- something that gives them an advantage in ease of management at the cost of resiliency.

"The conventional method has the advantage of speed -- it allows a botmaster to perform a task very quickly," said Gerry Egan, director of Symantec Security Response. "In contrast, the P2P model moves more slowly but makes the botnet more resilient to takedown attempts."

Egan isn't sure how many bots make up Waledac at this point, explaining that its P2P communication makes an exact count difficult. The botnet has grown by infecting users with W32.Waledac, a worm that spreads by sending e-mail containing links to copies of itself. It also opens a backdoor on the compromised computer.

Waledac makes use of fast-flux hosting for its domains, meaning that in a short period of time one Waledac domain can resolve to multiple hosts that can be acting merely as proxies, Tenebro explained on his blog. A fast-flux DNS (Domain Name System) makes it harder to track the source and is apparently one of Waledac's defense mechanisms, he added.

Though its primary goal is to send spam and propagate itself, the Waledac worm also has the ability to download and execute binaries and can pull data from infected machines.

"Waledac is a widespread and effective spam bot that has been enjoying success lately," Tenebro wrote. "Part of this success is due to the time and effort that was put into developing it; indeed, the protocol that Waledac uses to communicate is strongly encrypted. In my next posting I will delve deeper into the technical aspects of Waledac and highlight the lengths that the authors went to [to] protect their work." |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel