Waledac botnet operators amass 500,000 email credentials


Waledac botnet was rebuilt from scratch and is on the attack again.

After being effectively dismantled last year by a judge's ruling, the Waledac botnet has made a resurgence, and its operators are now in control of a cache of stolen credentials, according to researchers at security firm LastLine.

Researchers were recently able to get an “inside view” of the botnet and discovered that its operators have control of a huge amount of stolen FTP and email credentials, Brett Stone-Gross, a developer and threat analyst at LastLine, said on Wednesday. The stolen credentials may have been bought on the underground market or extracted from compromised machines.

Specifically, those behind the botnet are harboring nearly 500,000 email credentials, which likely will be used to deliver spam, Stone-Gross said. Using the stolen credentials to authenticate as the sender before pushing out spam, attackers can bypass IP-based email filtering systems.

“The benefit is that you are using a legitimate mail server rather than a compromised machine to send the email,” Stone-Gross said. “IP-based blacklists are pretty much useless at that point.”
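Because the spam leaves a legitimate mail server, the defensive signal shifts from the sending IP to the behaviour of the authenticated account. The following is an added example, not code from the article or from LastLine, that flags accounts which authenticate from an unusual number of client addresses or submit an unusual volume of recipients; the log format and thresholds are assumptions, constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of SMTP AUTH submission log lines in a hypothetical
# "timestamp user client_ip recipient_count" format; real MTAs log
# differently, so the regex below is the part to adapt.
SAMPLE_LOG = """\
2011-02-16T08:00:01 alice@example.com 198.51.100.7 1
2011-02-16T08:05:12 alice@example.com 198.51.100.7 2
2011-02-16T08:06:40 bob@example.com 203.0.113.10 350
2011-02-16T08:07:02 bob@example.com 203.0.113.55 400
2011-02-16T08:07:30 bob@example.com 192.0.2.99 380
2011-02-16T08:09:00 carol@example.com 198.51.100.20 1
"""

LINE_RE = re.compile(r"^(\S+) (\S+@\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\d+)$")


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, rcpts = m.groups()
        events.append({"ts": ts, "user": user, "ip": ip, "rcpts": int(rcpts)})
    return events


def flag_accounts(events, max_ips=2, max_rcpts=500):
    """Aggregate per account over one time window (the caller slices the log).
    An account is flagged when it authenticates from more than max_ips distinct
    client addresses or addresses more than max_rcpts recipients in total."""
    ips, rcpts = defaultdict(set), defaultdict(int)
    for e in events:
        ips[e["user"]].add(e["ip"])
        rcpts[e["user"]] += e["rcpts"]
    flagged = {}
    for user in ips:
        reasons = []
        if len(ips[user]) > max_ips:
            reasons.append(f"{len(ips[user])} distinct client IPs")
        if rcpts[user] > max_rcpts:
            reasons.append(f"{rcpts[user]} recipients")
        if reasons:
            flagged[user] = reasons
    return flagged
```

On the sample above only bob@example.com is flagged, on both counts; thresholds need tuning per site so that travelling users and legitimate bulk senders do not trip them.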

Waledac botmasters also have amassed nearly 124,000 credentials to FTP servers. Those behind the botnet use an automated program to log in to these servers and upload files that redirect users to sites that serve malware or promote pharmaceuticals.

Last month, researchers discovered 222 websites that had been compromised with this method.

“The Waledac botnet remains a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses,” Stone-Gross wrote in a blog post Wednesday.

A federal judge last February ordered the takedown of nearly 300 domains being used to provide instructions to malware-infected computers, effectively incapacitating Waledac. Later in the year, it seemed the fight to dismantle the botnet was over when Microsoft was granted ownership of the domains.

But despite the security community's best efforts, those behind Waledac began sending out fake e-cards late last year aiming to infect users with malware as a means of rebuilding the botnet, Stone-Gross said.

Criminals have also set up new command-and-control servers to send instructions to infected machines.

“Microsoft took out the command-and-control infrastructure so infected machines couldn't receive instructions,” Stone-Gross said.

“They had to reconstruct the botnet from scratch.”

Around the beginning of the year, botmasters shifted their efforts to money-making ventures and began sending unwanted messages redirecting users to Canadian pharmacy sites that sell cheap drugs, he added.

“Despite [Microsoft's] success last year, it is impossible to monitor and shut down every malicious site as quickly as the perpetrators set them up,” Adam Bosnian, vice president of the Americas at security firm Cyber-Ark, said.

“Cybercriminals will continue to find new ways to perpetrate malicious activity on unsuspecting individuals.”

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
