06:28 PM
Connect Directly

New Waledac Variant Goes Rogue

Disabled spamming botnet creates new variant that steals user credentials

Remember the infamous Storm spamming botnet that later re-emerged as Waledac and was later silenced in a high-profile takedown led by Microsoft? It's baaaack -- and this time it's performing more malicious activity than sending annoying spam messages.

Researchers at Palo Alto Networks say earlier this month they discovered a new, more nasty variant of the Waledac malware that not only sends spam, but also steals passwords and other credentials: It can sniff for FTP, POP3, and SMTP user credentials, as well as pilfer .dat files for FTP and BitCoin.

Wade Williamson, product marketing manager for Palo Alto Networks, says it's the first time his team has spotted Waledac malware doing more than spam. "It is the first time that we have seen it. There have been other reports of Waledac popping up that were doing similar things, but the version of Waledac that was taken down by Microsoft was not stealing passwords," Williamson says.

Waledac in its heyday was able to spew more than 1.5 billion spam email messages a day, and was best-known for its online pharmacy, phony products, jobs, and penny stock spam scams. Microsoft two years ago took the unprecedented action of securing a federal court order that, in effect, required VeriSign to cut off Waledac's 277 Internet .com domains that were serving as the connections between the botnet's command-and-control (C&C) servers and up to 80,000 bots under its control.

Microsoft teamed up with Shadowserver, the University of Washington, Symantec, and researchers in Europe in a sneak attack on the botnet. They hijacked the hybrid peer-to-peer/HTTP communications between the botnet and its bots. Researchers in Germany and Austria had paved the way for the operation after having infiltrated the botnet and to operate undercover.

Waledac was already the second version of Storm. The difference this time around is that the botnet has added a malicious element, according to the Palo Alto Networks researchers.

It's no surprise that spammers are upping their game with information-stealing features: Many botnets do a combination of both spamming and more nefarious activities, such as stealing financial information or credentials.

Williamson says his team was able to discern the new malware was a fresh variant of Waledac because the C&C model was the same. "We were able to match specific quirks in the code based on how the bot handles specific types of communications," he says. What's unclear, however, is whether it's the same gang that ran Waledac or another group who got access to the code, he says.

What about the former Waledac domains now under Microsoft's control? "We don't believe this has any impact on the domains controlled by Microsoft. This looks like a restart," he says.

Richard Boscovich, senior attorney for Microsoft Digital Crimes Unit notes that the Waledac botnet is still "dead."

"Since taking down the Waledac botnet in 2010, the botnet remains dead and Microsoft continues to control the domains once used by the botnet’s operators. We also regularly work with ISPs and CERTs around the world to help people remove the Waledac malware and regain control of their computers," Boscovich said in a statement. "Meanwhile, we constantly monitor evolving threats, including variants of botnets we have taken down as well as emerging threats ... We also follow our botnet cases wherever they lead us to hold those responsible accountable for their actions."

The latest development demonstrates the constant battle with botnet operators. Just because a botnet is taken down doesn't mean it won't be reinvented and pop up elsewhere, just like malware, in general. "Botnet takedowns are important, and we need to keep doing them. However, we have to recognize them for what they are: A botnet takedown is akin to stopping an outbreak or an epidemic of a disease, which is not the same thing as curing the disease outright," Williamson says. "Like a disease, a botnet can morph and come back."

The researchers don't have any new bot counts yet, nor have they identified exactly what type of spam it's sending. But the infections they saw were being spread via Web browsing. "This malware is being detected by our firewalls in our customers' networks. We haven't been able to extrapolate beyond our customer base as yet," Williamson says.

Websense's research team spotted a new iteration of Waledac early last year sending New Year-related spam messages , followed later by "magic blue pill"-themed ones. At the time, the researchers predicted that the botnet could ultimately do more than spam. "The new spam campaign doesn't redirect to malicious content, just to spam content," Websense said in its January 2011 blog post. "But that could change at any point if the people behind Waledac decides to grow the botnet."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/21/2012 | 11:22:53 AM
re: New Waledac Variant Goes Rogue
Researchers at Palo Alto Networks say earlier this month they discovered a new, more nasty variant of the Waledac malware that not only sends spam, but also steals passwords and other credentials.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.