Security Experts:

Waledec Botnet Variant Emerges with New Password Stealing Capabilities

The Waledec botnet, which was taken down in 2010 by Microsoft, was responsible for more spam delivery than any other botnet in its class with a reach of about 1.5 billion emails a day. Earlier this month, researchers at Palo Alto Networks discovered a third variant of the botnet, and it was serving up more than just spam.

According to Palo Alto Networks, this new version “includes the ability to sniff user credentials for FTP, POP3, SMTP, and steal .dat files for FTP and BitCoin.”

New Variant of Waledec Botnet“All of this information is uploaded to the botnet, and of course would be very valuable for enabling further attacks,” Wade Williamson, Senior Security Analyst at Palo Alto Networks, explains in a blog post.

While Palo Alto Networks discovered a third variant, following Microsoft’s takedown of Waledec, Shadowserver’s Steven Adair discovered a second variant in early 2011. A month later, researchers from malware intelligence firm Last Line were able to examine the botnet code and discovered 123,920 FTP account credentials. In addition to the FTP access, they discovered nearly 500,000 credentials used for POP3 services.

“The technique abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages. This method makes IP-based blacklist filtering considerably more difficult,” Last Line said at the time.

During their research on the second variant, Last Line also discovered newly infected nodes connecting to a bootstrap Command-and-Control server.

“The bootstrap server speaks a proprietary protocol known as ANMP, and disseminates a list of router nodes (other compromised hosts) to infected machines...In total, there were 12,249 unique node IDs that connected to the bootstrap C&C, and 13,070 router IDs,” the researchers noted.

Just last week Symantec noticed Waledac spreading spam in what appears to have been an attempt at political activism.

“While it is not clear whether the intent of this Waledac spam campaign has been to promote the Rospres.com site or to smear the election campaign of any individual, it does question the exact motivation of the malware gang controlling the W32.Waledac.C variant,” Symantec said.

"To avoid confusion it is important to note that this is a new variant of the botnet, and not the original version, which remains under the control of Microsoft," Williamson added.

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.
view counter