About a year ago a federal judge granted a very unusual request by Microsoft to shut down almost 300 domains that were used as command-and-control centers for the Waledac botnet. The move was generally hailed as a success by the security community: it dealt Waledac a huge blow and the botnet all but dropped off the radar of most online threat analyses. However, now Waledac seems to be back—and this time it’s armed with a sizable cache of valid FTP and email credentials that enable it to alter Web pages to serve malware and send “high quality” spam under the names of legitimate ISP customers.
According to security vendor Last Line, Waledac has accumulated almost half a million valid login credentials for POP3 email accounts around the Internet, as well as more than 120,000 valid login credentials for FTP servers. The vast number of login credentials may be significant: Waledac’s controllers use the FTP credentials to log into the servers and, where possible, alter the contents of existing Web pages to serve malware, promote pharmaceuticals, or engage in other forms of online scams. The POP3 logins mean that Waledac-controlled computers can connect to ISPs as legitimate customers and send email using those subscribers’ accounts. Because such mail passes the ISP’s own authentication requirements, spam from Waledac systems could gain an edge over blacklisting and sender-validation techniques: from the point of view of the receiving system, it arrives from a legitimate customer of a legitimate provider.
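One way a mail provider can spot this kind of credential abuse is to look for a single subscriber account authenticating from an unusual number of distinct source addresses in a short window, which is what a botnet reusing stolen logins looks like from the server side. The script below is an added example written for this article, not code from Last Line or from the Waledac analysis; the log format and the sample lines are constructed for illustration.

```python
"""Flag mail accounts whose successful SMTP/POP3 logins arrive from an
unusual number of distinct source IPs, a simple indicator that the
credentials are being reused by many machines rather than one subscriber."""
from collections import defaultdict
import re

# Constructed sample auth-log lines in a hypothetical format (not real ISP logs).
SAMPLE_LOG = """\
2011-02-10T08:01:12 auth ok user=alice@example.net ip=203.0.113.10 proto=smtp
2011-02-10T08:03:40 auth ok user=alice@example.net ip=203.0.113.10 proto=pop3
2011-02-10T08:05:02 auth ok user=bob@example.net ip=198.51.100.7 proto=smtp
2011-02-10T08:05:30 auth ok user=bob@example.net ip=198.51.100.21 proto=smtp
2011-02-10T08:06:11 auth ok user=bob@example.net ip=192.0.2.44 proto=smtp
2011-02-10T08:06:52 auth ok user=bob@example.net ip=192.0.2.91 proto=smtp
2011-02-10T08:07:19 auth fail user=carol@example.net ip=192.0.2.5 proto=pop3
this line is malformed and should be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) proto=(?P<proto>\S+)$"
)


def parse_auth_log(text):
    """Yield one dict per successful login; failures and malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("result") == "ok":
            yield m.groupdict()


def distinct_ips_per_user(events):
    """Map each account to the set of source IPs that authenticated as it."""
    ips = defaultdict(set)
    for e in events:
        ips[e["user"]].add(e["ip"])
    return ips


def flag_shared_accounts(text, max_ips=2):
    """Return {account: distinct-IP count} for accounts seen from more than max_ips sources."""
    ips = distinct_ips_per_user(parse_auth_log(text))
    return {user: len(srcs) for user, srcs in ips.items() if len(srcs) > max_ips}


if __name__ == "__main__":
    for user, n in sorted(flag_shared_accounts(SAMPLE_LOG).items()):
        print(f"{user}: authenticated from {n} distinct IPs")
```

In production the threshold would be tuned per window and combined with other signals (new geographies, outbound volume, bounce rates), since a single subscriber on a mobile connection can legitimately roam across a few addresses.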
“The Waledac botnet remains just a shadow of its former self for now, but that’s likely to change given the number of compromised accounts that the Waledac crew possesses,” Last Line wrote on its blog.
The security community noticed Waledac coming back to life at the end of 2010, but Last Line’s analysis is the first reported look at the resources available to Waledac’s operators.