Waledac Botnet Variant Emerges with New Password Stealing Capabilities

The Waledac botnet, which was taken down in 2010 by Microsoft, was responsible for more spam delivery than any other botnet in its class, with a reach of about 1.5 billion emails a day. Earlier this month, researchers at Palo Alto Networks discovered a third variant of the botnet, and it was serving up more than just spam.

According to Palo Alto Networks, this new version “includes the ability to sniff user credentials for FTP, POP3, SMTP, and steal .dat files for FTP and BitCoin.”

“All of this information is uploaded to the botnet, and of course would be very valuable for enabling further attacks,” Wade Williamson, Senior Security Analyst at Palo Alto Networks, explains in a blog post.

Palo Alto Networks’ find is the third variant to surface since Microsoft’s takedown of Waledac: Shadowserver’s Steven Adair discovered a second variant in early 2011. A month later, researchers from malware intelligence firm Lastline were able to examine the botnet code and discovered 123,920 FTP account credentials. In addition to the FTP access, they discovered nearly 500,000 credentials used for POP3 services.

“The technique abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages. This method makes IP-based blacklist filtering considerably more difficult,” Lastline said at the time.
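Because spam relayed through SMTP-AUTH with stolen credentials comes from legitimate mail servers, IP blacklists lose their value and detection has to pivot to per-account behaviour. The following is an added Python example, not code from the article or from any of the vendors it cites, that groups SASL login events by username and flags accounts authenticating from more distinct /24 networks than a single user plausibly would; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a Postfix-style SASL login format (not real logs).
# "bob" authenticates from five addresses across three unrelated networks,
# which is the pattern left by one stolen credential used from many infected hosts.
SAMPLE_LOG = """\
2012-02-21T10:00:01 smtpd: client=203.0.113.10, sasl_method=LOGIN, sasl_username=alice@example.com
2012-02-21T10:00:04 smtpd: client=203.0.113.10, sasl_method=LOGIN, sasl_username=alice@example.com
2012-02-21T10:00:09 smtpd: client=198.51.100.7, sasl_method=LOGIN, sasl_username=bob@example.com
2012-02-21T10:00:12 smtpd: client=192.0.2.44, sasl_method=LOGIN, sasl_username=bob@example.com
2012-02-21T10:00:15 smtpd: client=192.0.2.99, sasl_method=LOGIN, sasl_username=bob@example.com
2012-02-21T10:00:20 smtpd: client=203.0.113.200, sasl_method=LOGIN, sasl_username=bob@example.com
2012-02-21T10:00:25 smtpd: client=198.51.100.8, sasl_method=LOGIN, sasl_username=bob@example.com
"""

# Assumed line layout: the client IP and the SASL username appear on one line.
LINE_RE = re.compile(r"client=(?P<ip>[\d.]+),.*sasl_username=(?P<user>\S+)")


def auth_sources(log_text):
    """Map each SMTP-AUTH username to the set of client IPs that authenticated as it."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            sources[match.group("user")].add(match.group("ip"))
    return sources


def network_of(ip):
    """Collapse an IPv4 address to its /24 prefix so a roaming user on one ISP block
    is not mistaken for credential sharing."""
    return ".".join(ip.split(".")[:3])


def flag_shared_accounts(log_text, max_networks=2):
    """Return usernames seen authenticating from more distinct /24 networks than
    max_networks; these are candidates for stolen credentials being relayed
    through a botnet rather than a single legitimate client."""
    flagged = []
    for user, ips in auth_sources(log_text).items():
        networks = {network_of(ip) for ip in ips}
        if len(networks) > max_networks:
            flagged.append(user)
    return sorted(flagged)
```

The threshold is a starting point: tune it against your own user base and pair it with per-account send-rate limits, since a relayed spam run also shows up as message volume far above that account's baseline.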

During their research on the second variant, Lastline also discovered newly infected nodes connecting to a bootstrap command-and-control server.

“The bootstrap server speaks a proprietary protocol known as ANMP, and disseminates a list of router nodes (other compromised hosts) to infected machines…In total, there were 12,249 unique node IDs that connected to the bootstrap C&C, and 13,070 router IDs,” the researchers noted.

Just last week Symantec noticed Waledac spreading spam in what appears to have been an attempt at political activism.

“While it is not clear whether the intent of this Waledac spam campaign has been to promote the Rospres.com site or to smear the election campaign of any individual, it does question the exact motivation of the malware gang controlling the W32.Waledac.C variant,” Symantec said.


“To avoid confusion it is important to note that this is a new variant of the botnet, and not the original version, which remains under the control of Microsoft,” Williamson added.
