Waledac Spam Botnet Evolves into Password Sniffer

Monday, February 20, 2012



Researchers form Palo Alto Networks have detected a new variation of the briefly defeated Waledac spamming botnet, but this version is designed to be much more of a threat.

The latest incarnation of the botnet is reported to be able to sniff out login credentials for several email protocols as well as files with the .dat extension related to BitCoin and FTP.

"It is the first time that we have seen it. There have been other reports of Waledac popping up that were doing similar things, but the version of Waledac that was taken down by Microsoft was not stealing passwords," Palo Alto Networks' Wade Williamson says.

The security firm identified telltale signatures of the Waledac botnet code while studying samples of the password harvesting tool.

"We were able to match specific quirks in the code based on how the bot handles specific types of communications," Williamson continued.

Microsoft had played a key role in efforts to shut down the Waledac botnet in 2010, though the operation continued functioning at a diminished capacity for a period, and some researchers believe that the infamous Kelihos botnet may have been another incarnation of the Waledac code.

"Since taking down the Waledac botnet in 2010, the botnet remains dead and Microsoft continues to control the domains once used by the botnet’s operators. We also regularly work with ISPs and CERTs around the world to help people remove the Waledac malware and regain control of their computers. Meanwhile, we constantly monitor evolving threats, including variants of botnets we have taken down as well as emerging threats ... We also follow our botnet cases wherever they lead us to hold those responsible accountable for their actions," Microsoft's Richard Boscovich said.

Palo Alto Networks believes the new variant of Waledac could potentially be an operation instigated by a new group of attackers who may have come into possession of the botnet's code and tweaked it from a spamming tool to the one now being used for harvesting login credentials.

"We don't believe this has any impact on the domains controlled by Microsoft. This looks like a restart," Williamson surmised.

Microsoft was also instrumental in the Rustock botnet takedown. In February of 2011, Microsoft provided documentation that detailed the botnet's extensive structure in a federal court filing that was part of a lawsuit against a number of John Doe defendants.

Acting on the information Microsoft provided, federal marshals raided several internet hosting providers across the U.S. in March of this year, seizing servers suspected of being used as Rustock command and control units.

Source:  http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/232600968/new-waledac-variant-goes-rogue.html

Possibly Related Articles:
Viruses & Malware
Email Microsoft Passwords SPAM Botnets Headlines Code Rustock variants Sniffer Kelihos Waledac Command and Control Palo Alto Networks ftp
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.