Waledac botnet operators amass 500,000 email credentials

Powered by SC Magazine
 

The Waledac botnet has been rebuilt from scratch and is on the attack again.

After being effectively dismantled last year by a judge's ruling, the Waledac botnet has made a resurgence, and its operators are now in control of a cache of stolen credentials, according to researchers at security firm LastLine.

Researchers were recently able to get an “inside view” of the botnet and discovered that its operators control a huge number of stolen FTP and email credentials, Brett Stone-Gross, a developer and threat analyst at LastLine, said on Wednesday. The stolen credentials may have been bought on the underground market or extracted from compromised machines.

Specifically, those behind the botnet are harboring nearly 500,000 email credentials, which likely will be used to deliver spam, Stone-Gross said. Using the stolen credentials to authenticate as the sender before pushing out spam, attackers can bypass IP-based email filtering systems.

“The benefit is that you are using a legitimate mail server rather than a compromised machine to send the email,” Stone-Gross said. “IP-based blacklists are pretty much useless at that point.”
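When spam is relayed through a legitimate mail server with a stolen login, the sending IP's reputation no longer identifies it, but the account's behaviour still does: one mailbox suddenly authenticating from many unrelated client addresses in a few minutes is a strong sign the credential is being abused. The following is an added illustration of that check, not code from the article or from LastLine; the log lines are constructed in an assumed Postfix-style submission-log layout, and the window and threshold values are arbitrary.

```python
"""Flag mail accounts whose authenticated SMTP submissions arrive from an
unusually large number of distinct client IPs inside a short time window.

Added illustration (not from the article or LastLine). The log format below is
an assumed Postfix-style layout; the addresses and users are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 'alice' behaves normally, 'bob' is being used for relay.
SAMPLE_LOG = """\
Mar 10 09:01:02 mx postfix/submission/smtpd[101]: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.test
Mar 10 09:04:11 mx postfix/submission/smtpd[102]: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.test
Mar 10 09:05:40 mx postfix/submission/smtpd[103]: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.test
Mar 10 09:05:41 mx postfix/submission/smtpd[104]: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=bob@example.test
Mar 10 09:05:43 mx postfix/submission/smtpd[105]: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.test
Mar 10 09:05:44 mx postfix/submission/smtpd[106]: client=unknown[192.0.2.20], sasl_method=LOGIN, sasl_username=bob@example.test
Mar 10 09:06:01 mx postfix/submission/smtpd[107]: client=unknown[192.0.2.21], sasl_method=LOGIN, sasl_username=bob@example.test
Mar 10 11:30:00 mx postfix/submission/smtpd[108]: client=unknown[192.0.2.99], sasl_method=LOGIN, sasl_username=bob@example.test
"""

# Syslog timestamp, host, process, then the client IP and the SASL user name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"client=\S*\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)$"
)


def parse_submissions(log_text, year=2011):
    """Return a list of (timestamp, user, client_ip) for authenticated submissions.

    Syslog lines carry no year, so one is supplied (assumed) to build datetimes.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a submission line we understand
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["user"], m["ip"]))
    return events


def find_abused_accounts(events, window=timedelta(minutes=10), max_ips=3):
    """Map user -> largest number of distinct client IPs seen in any window.

    Only users exceeding max_ips distinct addresses within `window` are returned.
    """
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))

    flagged = {}
    for user, evs in by_user.items():
        evs.sort()  # sliding window needs chronological order
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {ip for _, ip in evs[start:end + 1]}
            if len(distinct) > max_ips:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for user, n in find_abused_accounts(parse_submissions(SAMPLE_LOG)).items():
        print(f"{user}: {n} distinct client IPs within 10 minutes")
```

On a real server the same logic would run over the submission log of the mail transfer agent; an account that trips it is a candidate for a forced credential reset and a per-account outbound rate cap, which limits the damage even when the blacklist cannot see the relay.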

Waledac botmasters have also amassed nearly 124,000 credentials to FTP servers. Those behind the botnet use an automated program to log in to these servers and upload files that redirect users to sites that serve malware or promote pharmaceuticals.

Last month, researchers discovered 222 websites that had been compromised with this method.
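The FTP abuse described above plants files that bounce visitors to an outside domain, so a site owner with shell access can sweep the document root for .htaccess rules, meta refreshes, JavaScript and PHP redirects whose target host is not one of the site's own domains. The following is an added example of such a sweep, not code from the article or from LastLine; the sample site it builds in a temporary directory, and the `.invalid` and `.test` host names in it, are constructed for the demonstration.

```python
"""Scan a web root for files that redirect visitors to an outside domain.

Added illustration (not from the article or LastLine): builds a small
constructed site in a temporary directory and reports every file containing a
redirect whose target host is not on the site's own allow-list.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# Each pattern captures the redirect target as group 1.
REDIRECT_PATTERNS = [
    # <meta http-equiv="refresh" content="0;url=...">
    re.compile(r'http-equiv=["\']?refresh["\']?[^>]*?url=([^"\'\s>]+)', re.I),
    # window.location = "..."; location.href = '...'
    re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),
    # PHP header("Location: ...")
    re.compile(r'header\s*\(\s*["\']Location:\s*([^"\']+)["\']', re.I),
    # Apache .htaccess: Redirect [status] /from target  |  RewriteRule pattern target
    re.compile(
        r'^\s*(?:Redirect(?:Match|Permanent)?(?:\s+\d{3})?|RewriteRule)\s+\S+\s+(\S+)',
        re.I | re.M,
    ),
]


def is_external(target, allowed_hosts):
    """True if the target names a host outside the site's own domains."""
    parsed = urlparse(target.strip())
    # Drop any userinfo and port so the comparison is on the bare host name.
    host = parsed.netloc.split("@")[-1].split(":")[0].lower()
    return bool(host) and host not in allowed_hosts


def scan_webroot(root, allowed_hosts, max_bytes=1_000_000):
    """Return sorted (relative_path, target) pairs for every external redirect."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue  # skip large binaries such as uploaded images
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for pattern in REDIRECT_PATTERNS:
                for target in pattern.findall(text):
                    if is_external(target, allowed_hosts):
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        findings.add((rel, target))
    return sorted(findings)


def build_sample_site():
    """Create a constructed document root with one clean and three injected files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        ".htaccess": "RewriteEngine On\n"
                     "RewriteRule ^(.*)$ http://pharma.invalid/$1 [R=302,L]\n",
        "index.html": '<html><head><meta http-equiv="refresh" '
                      'content="0;url=http://evil.invalid/"></head></html>\n',
        # Legitimate redirect to the site's own domain: must not be reported.
        "about.html": '<script>window.location = "https://www.example.test/new-about";</script>\n',
        "blog/contact.php": '<?php header("Location: http://bad.invalid/"); exit; ?>\n',
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, target in scan_webroot(site, {"example.test", "www.example.test"}):
        print(f"{rel}: redirects to {target}")
```

Run against a live document root, the allow-list should contain every hostname the site legitimately redirects to; anything else the scan reports is worth comparing against the FTP server's transfer log to see which account uploaded it, since that account's password is the one to rotate.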

“The Waledac botnet remains a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses,” Stone-Gross wrote in a blog post Wednesday.

A federal judge last February ordered the takedown of nearly 300 domains being used to provide instructions to malware-infected computers, effectively incapacitating Waledac. Later in the year, it seemed the fight to dismantle the botnet was over when Microsoft was granted ownership of the domains.

But despite the security community's best efforts, those behind Waledac began sending out fake e-cards late last year aiming to infect users with malware as a means of rebuilding the botnet, Stone-Gross said.

Criminals have also set up new command-and-control servers to send instructions to infected machines.

“Microsoft took out the command-and-control infrastructure so infected machines couldn't receive instructions,” Stone-Gross said.

“They had to reconstruct the botnet from scratch.”

Around the beginning of the year, botmasters shifted their efforts to money-making ventures and began sending unwanted messages redirecting users to Canadian pharmacy sites that sell cheap drugs, he added.

“Despite [Microsoft's] success last year, it is impossible to monitor and shut down every malicious site as quickly as the perpetrators set them up,” Adam Bosnian, vice president of the Americas at security firm Cyber-Ark, said.

“Cybercriminals will continue to find new ways to perpetrate malicious activity on unsuspecting individuals.”

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
