Waledac botnet wakes up in 2011 with new run of pharmaceutical spam

By on

Cybercriminals return from break.

A new variant of the Waledac botnet has reappeared, with pharmaceutical spam being distributed.

The botnet reappeared at the end of 2010, sending out a New Year themed spam email where a URL in the email asks the recipient to download a fake Adobe Flash player, however this campaign ended on January 4.

The new pharmaceutical campaign also uses redirections via compromised legitimate sites with the links not just sending the user to malicious content, but just to spam, though that could change at any point if the people behind Waledac decide to grow the botnet.

Carl Leonard, senior manager of Websense Security Labs, said: “When botnets shut down over Christmas, global spam levels took a welcome dive. But the holiday is over now as we see sleeping botnets reactivate with a vengeance one-by-one.

“Waledac is the latest to stir back into life reverting back to its favourite pharmaceutical spam topics. As for the hiatus in activity, I presume that cyber criminals took some time off just the same as everyone else.”

Symantec's Andrea Lelli said: “This new variant (named W32.Waledac.B) implements the advanced network management protocol (ANMP) in order to organise all the bots in a peer-to-peer network that has the characteristics of a fast-flux network. This kind of network is resistant to bots going online and offline and it can reconfigure itself very quickly, rendering it a very dangerous botnet.

“The peers communicate with each other through messages and all the communications use strong encryption and digital signing. We analysed the network messages being exchanged among the peers, before and after the downtime and we could see an update in the version numbers (from 0.0.49 to 0.0.51) and in the spam job message, which was now including also the pharmaceutical spam messages (as opposed to the previous spam job, which contained spam related to e-cards).

“This new added code seems to be simply validating a parameter (the size of the send queue). Perhaps the previous version of the bot had a bug that caused it to malfunction in case the size of the queue was not properly set? Perhaps this bug caused the botnet downtime that we observed? We do not know, maybe the botnet herders were just waiting for the next strike, but this was definitely a curious detail on the software side.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

New Windows 10 users, are you upgrading from...
Windows 8
Windows 7
Windows XP
Another operating system
Windows Vista
How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?