Waledac botnet showing resurgence with thousands of stolen email credentials

Robert Westervelt

Waledac, a notorious spam botnet that was nearly brought to its knees when Microsoft took legal action in 2010 to shut down its command-and-control network, is continuing to show signs of a resurgence, according to researchers who discovered a cache of stolen email credentials used to dupe antispam filters.

The Waledac botnet remains just a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses.

Brett Stone-Gross, threat analyst, Last Line of Defense

Researchers at Santa Barbara, Calif.-based LastLine Inc. have been studying the Waledac botnet, and discovered a cache of nearly 124,000 login credentials to FTP servers and 500,000 credentials for POP3 email accounts.

In a blog entry outlining the research, Brett Stone-Gross, a threat analyst with Last Line of Defense, called the find "significant." Stolen FTP credentials are used by cybercriminals in automated programs to redirect users to sites that serve malware or promote cheap pharmaceuticals, he said. The stolen email credentials are used to produce high-quality spam campaigns that can dupe antispam filters and IP-based blacklist filtering.

Waledac, which was believed to be the successor to the Storm botnet, produced an estimated 1.5 billion spam messages daily at its peak. The botnet has ties to the Conficker/Downadup worm, which gave a variant of Conficker self-propagation abilities. Some security experts believe that those behind Conficker briefly teamed up with those associated with Waledac to monetize the botnet by spreading spam that offered software to read private SMS messages.

Last year, Microsoft asked a federal judge to order ISPs to shut down 273 domain names believed to be controlling the Waledac botnet. The goal was to target Waledac's command-and-control network, stripping the ability of the cybercriminals to send out orders to zombie machines and collect stolen data. The action crippled the entire operation, hampering the creators of Waledac from selling or leasing out parts of it to other cybercriminals.

Researchers began noticing Waledac's sudden resurgence in December when security firms detected spam campaigns connected to the botnet. Stone-Gross said the researchers also discovered newly infected machines connecting to a bootstrap command-and-control server. The bootstrap appeared online on Dec. 3, 2010 and enables newly infected machines to receive instructions.