Attacks/Breaches
2/15/2012
06:28 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

New Waledac Variant Goes Rogue

Disabled spamming botnet creates new variant that steals user credentials

Remember the infamous Storm spamming botnet that later re-emerged as Waledac and was later silenced in a high-profile takedown led by Microsoft? It's baaaack -- and this time it's performing more malicious activity than sending annoying spam messages.

Researchers at Palo Alto Networks say earlier this month they discovered a new, more nasty variant of the Waledac malware that not only sends spam, but also steals passwords and other credentials: It can sniff for FTP, POP3, and SMTP user credentials, as well as pilfer .dat files for FTP and BitCoin.

Wade Williamson, product marketing manager for Palo Alto Networks, says it's the first time his team has spotted Waledac malware doing more than spam. "It is the first time that we have seen it. There have been other reports of Waledac popping up that were doing similar things, but the version of Waledac that was taken down by Microsoft was not stealing passwords," Williamson says.

Waledac in its heyday was able to spew more than 1.5 billion spam email messages a day, and was best-known for its online pharmacy, phony products, jobs, and penny stock spam scams. Microsoft two years ago took the unprecedented action of securing a federal court order that, in effect, required VeriSign to cut off Waledac's 277 Internet .com domains that were serving as the connections between the botnet's command-and-control (C&C) servers and up to 80,000 bots under its control.

Microsoft teamed up with Shadowserver, the University of Washington, Symantec, and researchers in Europe in a sneak attack on the botnet. They hijacked the hybrid peer-to-peer/HTTP communications between the botnet and its bots. Researchers in Germany and Austria had paved the way for the operation after having infiltrated the botnet and to operate undercover.

Waledac was already the second version of Storm. The difference this time around is that the botnet has added a malicious element, according to the Palo Alto Networks researchers.

It's no surprise that spammers are upping their game with information-stealing features: Many botnets do a combination of both spamming and more nefarious activities, such as stealing financial information or credentials.

Williamson says his team was able to discern the new malware was a fresh variant of Waledac because the C&C model was the same. "We were able to match specific quirks in the code based on how the bot handles specific types of communications," he says. What's unclear, however, is whether it's the same gang that ran Waledac or another group who got access to the code, he says.

What about the former Waledac domains now under Microsoft's control? "We don't believe this has any impact on the domains controlled by Microsoft. This looks like a restart," he says.

Richard Boscovich, senior attorney for Microsoft Digital Crimes Unit notes that the Waledac botnet is still "dead."

"Since taking down the Waledac botnet in 2010, the botnet remains dead and Microsoft continues to control the domains once used by the botnet’s operators. We also regularly work with ISPs and CERTs around the world to help people remove the Waledac malware and regain control of their computers," Boscovich said in a statement. "Meanwhile, we constantly monitor evolving threats, including variants of botnets we have taken down as well as emerging threats ... We also follow our botnet cases wherever they lead us to hold those responsible accountable for their actions."

The latest development demonstrates the constant battle with botnet operators. Just because a botnet is taken down doesn't mean it won't be reinvented and pop up elsewhere, just like malware, in general. "Botnet takedowns are important, and we need to keep doing them. However, we have to recognize them for what they are: A botnet takedown is akin to stopping an outbreak or an epidemic of a disease, which is not the same thing as curing the disease outright," Williamson says. "Like a disease, a botnet can morph and come back."

The researchers don't have any new bot counts yet, nor have they identified exactly what type of spam it's sending. But the infections they saw were being spread via Web browsing. "This malware is being detected by our firewalls in our customers' networks. We haven't been able to extrapolate beyond our customer base as yet," Williamson says.

Websense's research team spotted a new iteration of Waledac early last year sending New Year-related spam messages , followed later by "magic blue pill"-themed ones. At the time, the researchers predicted that the botnet could ultimately do more than spam. "The new spam campaign doesn't redirect to malicious content, just to spam content," Websense said in its January 2011 blog post. "But that could change at any point if the people behind Waledac decides to grow the botnet."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MS8699
50%
50%
MS8699,
User Rank: Apprentice
2/21/2012 | 11:22:53 AM
re: New Waledac Variant Goes Rogue
Researchers at Palo Alto Networks say earlier this month they discovered a new, more nasty variant of the Waledac malware that not only sends spam, but also steals passwords and other credentials.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web