Researchers Find Cache of Credentials Stolen by Waledac Botnet

Reseachers discovered a trove of stolen e-mail passwords and FTP credentials.

Last year, Microsoft made a splash when it led a legal charge against Waledac's operators and gained control of 276 domains belonging to the botnet. But Waledac does not die easily, something underscored recently by researchers at The Last Line of Defense, which uncovered a trove of nearly 124,000 FTP credentials stolen by the botnet.

The login credentials to the FTP servers are a key part of Waledac's operation. According to The Last Line of Defense, the botnet's operators are using an automated program to log in to those servers to redirect users to sites that serve malware or promote cheap pharmaceuticals. In January, researchers observed 222 Websites, containing 9,447 pages that had been compromised.

Most of the sites were relatively low-traffic, Brett Stone-Gross, a threat analyst for The Last Line of Defense, told eWEEK.

"The category of (the) sites was all across the board, including personal Websites, SMBs, adult, religion, etc.," he said.

At the start of the year, security pros linked Waledac to an e-card spam campaign that was making the rounds on the Internet. Waledac's resurrection followed legal maneuvering by Microsoft, which won a decision against the botnet's masterminds last September. Once capable of sending out more than 1.5 billion spam messages a day, the number of unique infected IP addresses dropped to 58,000 by Aug. 30, 2010, Microsoft said in September.

"Microsoft was previously able to take down the Waledac infrastructure so that infected hosts could no longer communicate with the botnet controllers," Stone-Gross said. "However, those behind the Waledac operation (once again) used their expertise in social engineering to propagate their malware through greeting cards, in order to recruit machines into the botnet with a new command-and-control center."

The Last Line of Defense is working with a number of organizations to notify the victims, he said.

In the event FTP credentials are stolen, organizations should not only move to change the relevant passwords but also the IP addresses of the servers involved, advised Roy Adar, vice president of product management for Cyber-Ark.

But FTP credentials were not the only thing that was found. Researchers also discovered 500,000 stolen passwords for POP3 e-mail accounts. These credentials are known to be used for "high-quality" spam campaigns, Stone-Gross wrote in a blog post. The technique, he added, abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages, thereby making IP-based filtering considerably more difficult.

"In addition to the compromised credentials, we also had visibility of newly infected nodes connecting to a bootstrap Command-and-Control (C&C) server," he blogged. "The bootstrap server speaks a proprietary protocol known as ANMP, and disseminates a list of router nodes (other compromised hosts) to infected machines. Note that every node generates a random 16 byte ID, that is reported back to Waledac's C&Cs. Our analysis indicates that the bootstrap service first appeared online on December 3, 2010, well before the New Year's spam campaign."

In total, he blogged, there were 12,249 unique node IDs connecting to the bootstrap C&C, and 13,070 router IDs.

"The Waledac botnet remains just a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses," Stone-Gross wrote.