Microsoft: Waledac Botnet Operators May Have Shared Code

Microsoft believes a botnet linked by other researchers to the theft of nearly 124,000 FTP credentials is not Waledac, but a new botnet known as Kelihos.

Microsoft is contending the botnet other researchers have tied to the theft of FTP server credentials is not Waledac but a close relative.

Microsoft is calling the botnet Kelihos. According to the company, the botnet shares large portions of its code with Waledac, and may be the result of collaboration.

"Microsoft researchers and security community researchers are seeing striking similarities in the malware, which suggests that the Waledac code was shared; on the other hand, there are enough substantial customizations and changes to the code to suggest that a different malware developer was the creator of Kelihos," explained T.J. Campana, senior program manager for Microsoft's Digital Crimes Unit.

But security analyst Brett Stone-Gross is not so sure.

"Waledac 2.0 and Kelihos are the same botnet," said Stone-Gross, threat analyst at LastLine. "The guys behind Kelihos and Waledac are one and the same. The botnet's architecture, malware and method of propagation are virtually identical."

Stone-Gross released information earlier this week linking what he called Waledac 2.0 to nearly 124,000 stolen FTP credentials as well as a cache of almost 500,000 stolen credentials for POP3 e-mail accounts. According to LastLine, the botnet's operators are using an automated program to log in to the FTP servers in order to redirect users to sites serving malware or promoting cheap pharmaceuticals. Last month, 222 websites containing 9,447 pages were found to have been compromised.

The news followed Operation b49, Microsoft's takedown of Waledac. As a result of the court action, the company seized control of 276 domains used by Waledac; according to Microsoft's Malware Protection Center (MMPC), the new botnet communicates with none of them.

"The most striking similarities that indicate a shared codebase can be seen in the botnet's function," Campana said. "Both Microsoft Digital Crimes Unit staff and those working on this issue in the security community have observed very similar communication mechanisms between the infected machines in Kelihos, and the communication mechanisms in Waledac."

An analysis by MMPC also revealed that the botnet is using fast-flux in much the same way as Waledac.

"Criminals and criminal networks often use and re-use the same code as a way to save time or effort," Campana said. "In this specific case, although similar code is used, the botnets have two entirely different infrastructures, which makes them two different botnets."