Microsoft made waves last year when it led the legal charge against Waledac’s operators and gained control of 276 domains belonging to the botnet.
Despite this, however, it is clear that Waledac does not die easily, as researchers at The Last Line of Defense recently underscored when they uncovered a trove of nearly 124,000 FTP credentials stolen by the botnet.
The login credentials to the FTP servers are a key part of Waledac’s operation. According to The Last Line of Defense, the botnet’s operators are using an automated program to log in to those servers to redirect users to sites that serve malware or promote cheap pharmaceuticals. In January, researchers observed 222 websites, containing 9,447 pages that had been compromised.
Most of the sites were relatively low-traffic, Brett Stone-Gross, a threat analyst for The Last Line of Defense, told eWEEK.
“The category of (the) sites was all across the board, including personal websites, SMBs, adult, religion, etc.,” he said.
“Microsoft was previously able to take down the Waledac infrastructure so that infected hosts could no longer communicate with the botnet controllers,” Stone-Gross said. “However, those behind the Waledac operation (once again) used their expertise in social engineering to propagate their malware through greeting cards, in order to recruit machines into the botnet with a new command-and-control center.”
The Last Line of Defense is working with a number of organisations to notify the victims, he said.
In the event FTP credentials are stolen, organisations should not only move to change the relevant passwords but also the IP addresses of the servers involved, advised Roy Adar, vice president of product management for Cyber-Ark.
FTP credentials were not the only thing found. Researchers also discovered 500,000 stolen passwords for POP3 email accounts. These credentials are known to be used for “high-quality” spam campaigns, Stone-Gross wrote in a blog post. The technique, he added, abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages, thereby making IP-based filtering considerably more difficult.
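Because spam relayed through SMTP-AUTH leaves the mail server's own IP reputation intact, the signal a defender has left is the account's behaviour: a single mailbox suddenly authenticating from many unrelated hosts and relaying far more mail than usual. The following is an added example, not code from the article or from The Last Line of Defense; it assumes a simplified, constructed log format and illustrative thresholds, and flags accounts whose authenticated sessions look like stolen-credential abuse.

```python
"""Flag mail accounts whose SMTP-AUTH logins look like credential abuse.

Added example (not from the article). Assumes a simplified, constructed
log format: "<ISO timestamp> auth user=<addr> ip=<src> sent=<count>".
The window and thresholds are illustrative assumptions, not values
reported by the researchers.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) ip=(?P<ip>\S+) sent=(?P<sent>\d+)$"
)

# Constructed sample lines: one normal user, and one account whose password
# appears in a stolen-credential dump and is now used from many hosts at once.
SAMPLE_LOG = """\
2011-01-10T08:00:00 auth user=alice@example.org ip=203.0.113.10 sent=3
2011-01-10T08:30:00 auth user=alice@example.org ip=203.0.113.10 sent=2
2011-01-10T09:00:00 auth user=bob@example.org ip=198.51.100.7 sent=120
2011-01-10T09:00:05 auth user=bob@example.org ip=198.51.100.88 sent=140
2011-01-10T09:00:09 auth user=bob@example.org ip=192.0.2.45 sent=110
2011-01-10T09:00:14 auth user=bob@example.org ip=192.0.2.200 sent=130
2011-01-10T09:00:20 auth user=bob@example.org ip=203.0.113.77 sent=150
"""


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "ip": m["ip"],
            "sent": int(m["sent"]),
        })
    return events


def flag_abused_accounts(events, window=timedelta(hours=1), max_ips=3, max_sent=300):
    """Return {user: reason} for accounts that, within any sliding time window,
    authenticated from more than `max_ips` distinct source IPs or relayed more
    than `max_sent` messages. Both patterns are typical of a credential being
    driven by a botnet rather than by its owner."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            ips = {e["ip"] for e in win}
            sent = sum(e["sent"] for e in win)
            if len(ips) > max_ips:
                flagged[user] = f"{len(ips)} source IPs within {window}"
                break
            if sent > max_sent:
                flagged[user] = f"{sent} messages relayed within {window}"
                break
    return flagged


if __name__ == "__main__":
    for user, reason in flag_abused_accounts(parse(SAMPLE_LOG)).items():
        print(f"suspect account {user}: {reason}")
```

On real servers the same logic applies to Postfix or Exchange authentication logs once the parser is adapted; the useful response is to force a password reset on the flagged account and revoke its sessions, since blocking the sending IPs does nothing when the next session comes from a different compromised host.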
“In addition to the compromised credentials, we also had visibility of newly infected nodes connecting to a bootstrap Command-and-Control (C&C) server,” he blogged. “The bootstrap server speaks a proprietary protocol known as ANMP, and disseminates a list of router nodes (other compromised hosts) to infected machines. Note that every node generates a random 16 byte ID, that is reported back to Waledac’s C&Cs. Our analysis indicates that the bootstrap service first appeared online on 3 December 2010, well before the New Year’s spam campaign.”
In total, he blogged, there were 12,249 unique node IDs connecting to the bootstrap C&C, and 13,070 router IDs.
“The Waledac botnet remains just a shadow of its former self for now, but that’s likely to change given the number of compromised accounts that the Waledac crew possesses,” Stone-Gross wrote.