Microsoft made waves last year when it led the legal charge against Waledac’s operators and gained control of 276 domains belonging to the botnet.
Despite this, however, it is clear that Waledac does not die easily, as researchers at The Last Line of Defense recently underscored when they uncovered a trove of nearly 124,000 FTP credentials stolen by the botnet.
The login credentials to the FTP servers are a key part of Waledac’s operation. According to The Last Line of Defense, the botnet’s operators are using an automated program to log in to those servers to redirect users to sites that serve malware or promote cheap pharmaceuticals. In January, researchers observed 222 websites, containing 9,447 pages that had been compromised.
Most of the sites were relatively low-traffic, Brett Stone-Gross, a threat analyst for The Last Line of Defense, told eWEEK.
“The category of (the) sites was all across the board, including personal websites, SMBs, adult, religion, etc.,” he said.
“Microsoft was previously able to take down the Waledac infrastructure so that infected hosts could no longer communicate with the botnet controllers,” Stone-Gross said. “However, those behind the Waledac operation (once again) used their expertise in social engineering to propagate their malware through greeting cards, in order to recruit machines into the botnet with a new command-and-control center.”
The Last Line of Defense is working with a number of organisations to notify the victims, he said.
In the event that FTP credentials are stolen, organisations should change not only the relevant passwords but also the IP addresses of the servers involved, advised Roy Adar, vice president of product management for Cyber-Ark.
But FTP credentials were not the only thing that was found. Researchers also discovered 500,000 stolen passwords for POP3 email accounts. These credentials are known to be used for “high-quality” spam campaigns, Stone-Gross wrote in a blog post. The technique, he added, abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages, thereby making IP-based filtering considerably more difficult.
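The SMTP-AUTH abuse described above hides spam behind a legitimate server's IP reputation, so the remaining signal is the per-account pattern the mail operator can still see: a single mailbox authenticating from many unrelated client addresses and sending to far more recipients than it normally does. The following detector is an added example, not code from the article or from The Last Line of Defense; it parses Postfix-style submission logs (the sample lines, queue ids, addresses and thresholds are all constructed for illustration) and joins each authenticated session to its queue-manager record by queue id.

```python
"""Added example: flag mail accounts whose SMTP-AUTH usage looks like
stolen-credential spamming. Log lines and thresholds are constructed."""
import re
from collections import defaultdict

# Constructed Postfix-style log excerpt (not real traffic). The smtpd line
# carries the queue id, client IP and SASL username; the qmgr line carries
# the recipient count (nrcpt) for the same queue id.
SAMPLE_LOG = """\
Jan 05 10:01:11 mx postfix/smtpd[1201]: connect from unknown[203.0.113.10]
Jan 05 10:01:12 mx postfix/smtpd[1201]: 1A2B3C: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.org
Jan 05 10:01:12 mx postfix/qmgr[1190]: 1A2B3C: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Jan 05 10:04:40 mx postfix/smtpd[1203]: 2B3C4D: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.org
Jan 05 10:04:41 mx postfix/qmgr[1190]: 2B3C4D: from=<alice@example.org>, size=5120, nrcpt=2 (queue active)
Jan 05 10:10:02 mx postfix/smtpd[1207]: 3C4D5E: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.org
Jan 05 10:10:03 mx postfix/qmgr[1190]: 3C4D5E: from=<bob@example.org>, size=3100, nrcpt=40 (queue active)
Jan 05 10:11:15 mx postfix/smtpd[1208]: 4D5E6F: client=unknown[192.0.2.55], sasl_method=LOGIN, sasl_username=bob@example.org
Jan 05 10:11:16 mx postfix/qmgr[1190]: 4D5E6F: from=<bob@example.org>, size=3100, nrcpt=45 (queue active)
Jan 05 10:12:30 mx postfix/smtpd[1209]: 5E6F70: client=unknown[203.0.113.200], sasl_method=LOGIN, sasl_username=bob@example.org
Jan 05 10:12:31 mx postfix/qmgr[1190]: 5E6F70: from=<bob@example.org>, size=3100, nrcpt=30 (queue active)
Jan 05 10:13:48 mx postfix/smtpd[1210]: 6F7081: client=unknown[198.51.100.99], sasl_method=LOGIN, sasl_username=bob@example.org
Jan 05 10:13:49 mx postfix/qmgr[1190]: 6F7081: from=<bob@example.org>, size=3100, nrcpt=35 (queue active)
"""

# Authenticated submission: queue id, client IP (IPv4 only here) and SASL user.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[\d.]+)\]"
    r".*?sasl_username=(?P<user>\S+)"
)
# Queue-manager record: queue id, envelope sender and recipient count.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_log(text):
    """Return one record per authenticated message, joining smtpd and qmgr
    lines on the queue id. Unauthenticated or unmatched lines are ignored."""
    auth = {}    # queue id -> (client ip, sasl username)
    messages = []
    for line in text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            auth[m["qid"]] = (m["ip"], m["user"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in auth:
            ip, user = auth[m["qid"]]
            messages.append({"qid": m["qid"], "ip": ip, "user": user,
                             "nrcpt": int(m["nrcpt"])})
    return messages


def per_account_stats(messages):
    """Aggregate distinct client IPs, message count and recipient total per user."""
    stats = defaultdict(lambda: {"ips": set(), "messages": 0, "recipients": 0})
    for msg in messages:
        s = stats[msg["user"]]
        s["ips"].add(msg["ip"])
        s["messages"] += 1
        s["recipients"] += msg["nrcpt"]
    return stats


def flag_abused_accounts(messages, max_ips=3, max_recipients=100):
    """Return {user: [reasons]} for accounts exceeding either threshold within
    the log window. Thresholds are illustrative; tune them to the site's
    normal per-account volume."""
    flagged = {}
    for user, s in per_account_stats(messages).items():
        reasons = []
        if len(s["ips"]) >= max_ips:
            reasons.append(f"{len(s['ips'])} distinct client IPs")
        if s["recipients"] >= max_recipients:
            reasons.append(f"{s['recipients']} recipients in {s['messages']} messages")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_abused_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"suspect account {user}: " + "; ".join(reasons))
```

Joining on the queue id rather than on the username matters: the `From:` header and even the envelope sender can be forged by the spammer, but the SASL username on the smtpd line is the credential actually used, so the alert points at the account whose password must be rotated.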
“In addition to the compromised credentials, we also had visibility of newly infected nodes connecting to a bootstrap Command-and-Control (C&C) server,” he blogged. “The bootstrap server speaks a proprietary protocol known as ANMP, and disseminates a list of router nodes (other compromised hosts) to infected machines. Note that every node generates a random 16-byte ID that is reported back to Waledac’s C&Cs. Our analysis indicates that the bootstrap service first appeared online on 3 December 2010, well before the New Year’s spam campaign.”
In total, he blogged, there were 12,249 unique node IDs connecting to the bootstrap C&C, and 13,070 router IDs.
“The Waledac botnet remains just a shadow of its former self for now, but that’s likely to change given the number of compromised accounts that the Waledac crew possesses,” Stone-Gross wrote.