
Researchers Uncover Credentials Stolen By Waledac

Microsoft made waves last year when it led the legal charge against Waledac’s operators and gained control of 276 domains belonging to the botnet.

Despite this, however, it is clear that Waledac does not die easily, something underscored recently by researchers at The Last Line of Defense, who uncovered a trove of nearly 124,000 FTP credentials stolen by the botnet.

The login credentials to the FTP servers are a key part of Waledac’s operation. According to The Last Line of Defense, the botnet’s operators are using an automated program to log in to those servers to redirect users to sites that serve malware or promote cheap pharmaceuticals. In January, researchers observed 222 websites, containing 9,447 pages that had been compromised.

Compromised Websites

Most of the sites were relatively low-traffic, Brett Stone-Gross, a threat analyst for The Last Line of Defense, told eWEEK.

“The category of (the) sites was all across the board, including personal websites, SMBs, adult, religion, etc.,” he said.

At the start of the year, security pros linked Waledac to an e-card spam campaign that was making the rounds on the Internet. Waledac’s resurrection followed legal manoeuvring by Microsoft, which won a decision against the botnet’s masterminds last September. The botnet was once capable of sending out more than 1.5 billion spam messages a day; by 30 August 2010 the number of unique infected IP addresses had dropped to 58,000, Microsoft said in September.

“Microsoft was previously able to take down the Waledac infrastructure so that infected hosts could no longer communicate with the botnet controllers,” Stone-Gross said. “However, those behind the Waledac operation (once again) used their expertise in social engineering to propagate their malware through greeting cards, in order to recruit machines into the botnet with a new command-and-control center.”

The Last Line of Defense is working with a number of organisations to notify the victims, he said.

Treasure Trove

In the event FTP credentials are stolen, organisations should change not only the relevant passwords but also the IP addresses of the servers involved, advised Roy Adar, vice president of product management for Cyber-Ark.

But FTP credentials were not the only thing that was found. Researchers also discovered 500,000 stolen passwords for POP3 email accounts. These credentials are known to be used for “high-quality” spam campaigns, Stone-Gross wrote in a blog post. The technique, he added, abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages, thereby making IP-based filtering considerably more difficult.
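The SMTP-AUTH abuse described above has a detectable footprint on the mail server itself: a single stolen account is replayed from many bot addresses in a short span, whereas a legitimate user authenticates from only a handful. The following is an added detection example, not code from the article or from The Last Line of Defense; the log line layout and the sample entries are constructed for illustration, and the window and threshold are assumed defaults to tune locally.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SMTP-AUTH login lines in a simplified, assumed layout
# (not a real server's format). "bob" is being replayed from many addresses.
SAMPLE_LOG = """\
2011-02-10T08:00:01 sasl_login user=alice@example.org ip=203.0.113.5
2011-02-10T08:00:09 sasl_login user=alice@example.org ip=203.0.113.5
2011-02-10T08:01:12 sasl_login user=bob@example.org ip=198.51.100.7
2011-02-10T08:01:30 sasl_login user=bob@example.org ip=198.51.100.99
2011-02-10T08:02:02 sasl_login user=bob@example.org ip=192.0.2.14
2011-02-10T08:02:45 sasl_login user=bob@example.org ip=192.0.2.201
2011-02-10T08:03:10 sasl_login user=bob@example.org ip=198.51.100.120
2011-02-10T09:30:00 sasl_login user=carol@example.org ip=203.0.113.77
"""

LINE_RE = re.compile(r"^(\S+) sasl_login user=(\S+) ip=(\S+)$")

def parse(log_text):
    """Yield (timestamp, user, ip) for each well-formed SMTP-AUTH login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def flag_shared_credentials(log_text, window=timedelta(minutes=10), max_ips=3):
    """Return {user: sorted_ips} for accounts that authenticated from more
    than max_ips distinct source addresses inside any sliding time window.
    A roaming user shows a few addresses; a credential replayed by a botnet
    shows many addresses within minutes, regardless of which IP sends."""
    events = defaultdict(list)
    for ts, user, ip in parse(log_text):
        events[user].append((ts, ip))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start, best = 0, set()
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past old logins
            ips = {ip for _, ip in evs[start:end + 1]}
            if len(ips) > len(best):
                best = ips  # keep the densest window seen for this user
        if len(best) > max_ips:
            flagged[user] = sorted(best)
    return flagged
```

Calling `flag_shared_credentials(SAMPLE_LOG)` on the constructed sample flags only the replayed account; the resulting IP list is what a responder would use to reset the password and block the sending sources.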

“In addition to the compromised credentials, we also had visibility of newly infected nodes connecting to a bootstrap Command-and-Control (C&C) server,” he blogged. “The bootstrap server speaks a proprietary protocol known as ANMP, and disseminates a list of router nodes (other compromised hosts) to infected machines. Note that every node generates a random 16 byte ID, that is reported back to Waledac’s C&Cs. Our analysis indicates that the bootstrap service first appeared online on 3 December 2010, well before the New Year’s spam campaign.”

In total, he blogged, there were 12,249 unique node IDs connecting to the bootstrap C&C, and 13,070 router IDs.

“The Waledac botnet remains just a shadow of its former self for now, but that’s likely to change given the number of compromised accounts that the Waledac crew possesses,” Stone-Gross wrote.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

