The Waledec botnet, which was taken down in 2010 by Microsoft, was responsible for more spam delivery than any other botnet in its class with a reach of about 1.5 billion emails a day. Earlier this month, researchers at Palo Alto Networks discovered a third variant of the botnet, and it was serving up more than just spam.
According to Palo Alto Networks, this new version “includes the ability to sniff user credentials for FTP, POP3, SMTP, and steal .dat files for FTP and BitCoin.”
“All of this information is uploaded to the botnet, and of course would be very valuable for enabling further attacks,” Wade Williamson, Senior Security Analyst at Palo Alto Networks, explains in a blog post.
While Palo Alto Networks discovered a third variant, following Microsoft’s takedown of Waledec, Shadowserver’s Steven Adair discovered a second variant in early 2011. A month later, researchers from malware intelligence firm Last Line were able to examine the botnet code and discovered 123,920 FTP account credentials. In addition to the FTP access, they discovered nearly 500,000 credentials used for POP3 services.
“The technique abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages. This method makes IP-based blacklist filtering considerably more difficult,” Last Line said at the time.
During their research on the second variant, Last Line also discovered newly infected nodes connecting to a bootstrap Command-and-Control server.
“The bootstrap server speaks a proprietary protocol known as ANMP, and disseminates a list of router nodes (other compromised hosts) to infected machines…In total, there were 12,249 unique node IDs that connected to the bootstrap C&C, and 13,070 router IDs,” the researchers noted.
Just last week Symantec noticed Waledac spreading spam in what appears to have been an attempt at political activism.
“While it is not clear whether the intent of this Waledac spam campaign has been to promote the Rospres.com site or to smear the election campaign of any individual, it does question the exact motivation of the malware gang controlling the W32.Waledac.C variant,” Symantec said.
“To avoid confusion it is important to note that this is a new variant of the botnet, and not the original version, which remains under the control of Microsoft,” Williamson added.
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Researchers Discover Attempt to Infect Leading Egyptian Opposition Politician With Predator Spyware
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
- Faster Patching Pace Validates CISA’s KEV Catalog Initiative
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
