New variant of Waledac botnet detected


After the original was taken down two years ago.

A new variant of the Waledac botnet has been detected after the original was taken down two years ago.

At the time a collaboration of companies including Symantec, Microsoft and Shadowserver, and universities in Washington, Mannheim, Vienna and Bonn, took down 277 internet domains believed to be running Waledac.

Tim Cranton, Microsoft's associate general counsel, said at the time that 'Operation b49' had effectively shut down connections to the vast majority of Waledac-infected computers, although those computers were still infected with the original malware.

However, research by Palo Alto Networks has revealed that a new variant of the botnet, with a few modifications, has been detected. The company said its WildFire lab detected Waledac in customer networks in early February.

Rather than just sending spam, as Waledac did in early 2011 with a run of pharmaceutical emails, the new version has upgraded its malicious capabilities to include the stealing of passwords and authentication data.

Palo Alto Networks said: “This includes the ability to sniff user credentials for FTP, POP3 and SMTP and steal .dat files for FTP and BitCoin. All of this information is uploaded to the botnet and would be very valuable for enabling further attacks.

“To avoid confusion it is important to note that this is a new variant of the botnet, and not the original version, which remains under the control of Microsoft.”

Symantec detected this on 8 February and named it 'W32.Waledac.C'. It said that it is a worm that spreads by sending emails that contain links to copies of itself, and that it opens a backdoor on the compromised computer.

In a blog post, Symantec said it has been monitoring the Waledac family for many years and that the new variant was sending out spam emails targeted at Russian addresses.

Speaking to SC Magazine, Paul Wood, senior intelligence analyst at Symantec.cloud, said that while the blog doesn't detail the full functionality, this is a credible threat.

Luis Corrons, technical director of PandaLabs, which was heavily involved with the takedown of the Mariposa botnet in 2010, told SC Magazine that this version was probably created by someone with access to the source code.

“If the cyber criminals behind Waledac have not been arrested, it is probably them trying to rebuild their business. Or, as we saw in the Mariposa case, where the real developer of the bot had a number of different customers, this could be a similar case,” he said.

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition

