After being effectively dismantled last year by a judge's ruling, the Waledac botnet has made a resurgence, and its operators are now in control of a cache of stolen credentials, according to researchers at security firm LastLine.
Researchers recently gained an "inside view" of the botnet and found that its operators hold a large cache of stolen FTP and email credentials, Brett Stone-Gross, a developer and threat analyst at LastLine, said on Wednesday. The credentials may have been bought on the underground market or harvested from compromised machines.
Specifically, those behind the botnet hold nearly 500,000 email credentials, which will likely be used to deliver spam, Stone-Gross said. By logging in to the victims' own mail servers with the stolen credentials and relaying spam through them, the attackers sidestep IP-based email filtering: the messages originate from legitimate mail servers with good reputations rather than from infected hosts.
“The benefit is that you are using a legitimate mail server rather than compromised machine to send the email,” Stone-Gross said. “IP-based blacklists are pretty much useless at that point.”
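One practical check for the abuse described above is to watch SMTP AUTH logins on your own mail server: a single account that authenticates from many unrelated client IPs in a few minutes, or at a rate no human sends at, is a strong sign its password is in a spammer's hands. The following is an added example, not code from the original article or from LastLine; it parses Postfix-style `smtpd` log lines and flags accounts exceeding either threshold. The log lines are constructed for the example and use reserved TEST-NET addresses, and the window and thresholds are assumptions to tune per site.

```python
"""Flag mail accounts whose SMTP AUTH logins look like a spammer relaying
through stolen credentials: many distinct client IPs, or many logins, inside a
short window. Log lines are constructed for this example (Postfix smtpd style)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice's account is being used from six different
# networks within two minutes; bob logs in twice a day from his home address.
SAMPLE_LOG = """\
Mar  2 10:01:12 mx1 postfix/smtpd[4311]: 1A2B3C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  2 10:01:40 mx1 postfix/smtpd[4311]: 1A2B3D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  2 10:02:03 mx1 postfix/smtpd[4312]: 1A2B3E: client=unknown[192.0.2.9], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  2 10:02:30 mx1 postfix/smtpd[4312]: 1A2B3F: client=unknown[203.0.113.77], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  2 10:02:55 mx1 postfix/smtpd[4313]: 1A2B40: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  2 10:03:10 mx1 postfix/smtpd[4313]: 1A2B41: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  2 09:15:00 mx1 postfix/smtpd[4301]: 1A2B20: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  2 17:42:11 mx1 postfix/smtpd[4390]: 1A2C10: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
"""

# Matches the "client=... sasl_username=..." line Postfix logs for each
# authenticated SMTP session.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=[^\[]*\[(?P<ip>[^\]]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)$"
)


def parse_auth_events(log_text, year=2011):
    """Return a list of (timestamp, username, client_ip) for each SMTP AUTH line.

    Syslog timestamps carry no year, so the caller supplies it (assumed 2011 here).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authenticated-session line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_abused_accounts(events, window=timedelta(minutes=10), max_ips=3, max_logins=5):
    """Return {username: reason} for accounts that, inside any sliding window,
    authenticate from more than max_ips distinct client IPs or more than
    max_logins times. Thresholds are assumptions; tune them to the site."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))

    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            ips = {ip for _, ip in span}
            if len(ips) > max_ips:
                flagged[user] = f"{len(ips)} distinct client IPs within {window}"
                break
            if len(span) > max_logins:
                flagged[user] = f"{len(span)} logins within {window}"
                break
    return flagged


if __name__ == "__main__":
    for user, reason in find_abused_accounts(parse_auth_events(SAMPLE_LOG)).items():
        print(f"possible credential abuse: {user}: {reason}")
```

Because the spam leaves the victim's server with that server's own IP, the IP blacklist on the receiving side sees nothing unusual; the anomaly is only visible in the sending server's authentication logs, which is why the check has to run there.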
Waledac botmasters have also amassed nearly 124,000 credentials to FTP servers. Those behind the botnet use an automated program to log in to these servers and upload files that redirect visitors to sites serving malware or promoting pharmaceuticals.
Last month, researchers discovered 222 websites that had been compromised with this method.
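A site owner whose FTP password may be among those 124,000 can look for the planted redirects directly. The following is an added example, not code from the article or from LastLine; it scans web content for the common forms such an injection takes (an `.htaccess` rewrite or redirect to an off-site URL, an HTML meta refresh, and a JavaScript `location` assignment) and reports any that point away from the site's own host. The sample files are constructed, the legitimate hostname `www.example.org` is an assumption, and the redirect targets use the reserved `example.net` domain.

```python
"""Scan web content for injected redirects of the kind planted through stolen
FTP credentials: .htaccess rewrites, HTML meta refreshes and JavaScript
location changes that send visitors to an external host. Samples are constructed."""
import os
import re
from urllib.parse import urlparse

SITE_HOST = "www.example.org"  # assumed legitimate hostname of the site being checked

# Constructed sample files (relative path -> contents). Three carry off-site
# redirects; about.html links to the site's own host and must not be flagged.
SAMPLE_FILES = {
    ".htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]\n"
        "RewriteRule ^(.*)$ http://pills.example.net/?in=$1 [R=302,L]\n"
    ),
    "index.html": (
        "<html><head><title>Home</title>\n"
        '<meta http-equiv="refresh" content="0;url=http://pharma.example.net/">\n'
        "</head><body>Welcome</body></html>\n"
    ),
    "js/app.js": 'window.location = "http://loader.example.net/x.php";\n',
    "about.html": '<a href="http://www.example.org/contact">Contact</a>\n',
}

# (kind, pattern) pairs; each pattern captures the redirect target as `url`.
PATTERNS = [
    ("htaccess-rewrite", re.compile(
        r"^\s*(?:RewriteRule|Redirect(?:Match)?)\s+(?:\S+\s+){1,2}(?P<url>https?://\S+)",
        re.I | re.M)),
    ("meta-refresh", re.compile(
        r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=(?P<url>https?://[^"\'\s>]+)',
        re.I)),
    ("js-location", re.compile(
        r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\'](?P<url>https?://[^"\']+)',
        re.I)),
]


def external_host(url):
    """Return the URL's hostname if it is not the site's own host, else None."""
    host = (urlparse(url).hostname or "").lower()
    return host if host and host != SITE_HOST else None


def scan_content(path, text):
    """Return a list of (path, kind, url) for redirects that leave the site."""
    findings = []
    for kind, pattern in PATTERNS:
        # Rewrite directives only mean anything inside an .htaccess file.
        if kind == "htaccess-rewrite" and os.path.basename(path) != ".htaccess":
            continue
        for m in pattern.finditer(text):
            if external_host(m["url"]):
                findings.append((path, kind, m["url"]))
    return findings


def scan_files(files):
    """Scan an in-memory {path: contents} mapping (used with SAMPLE_FILES)."""
    out = []
    for path, text in files.items():
        out.extend(scan_content(path, text))
    return out


def scan_directory(root):
    """Walk a real web root on disk with the same logic as scan_files."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_content(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
    return out


if __name__ == "__main__":
    for path, kind, url in scan_files(SAMPLE_FILES):
        print(f"{path}: {kind} -> {url}")
```

Run `scan_directory("/var/www/html")` against the real document root, and compare the file list against a known-good backup as well: an injected `.htaccess` is usually a new or recently modified file, and the FTP server's transfer log will show the upload from an address the owner does not recognise.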
“The Waledac botnet remains a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses,” Stone-Gross wrote in a blog post Wednesday.
A federal judge last February ordered the takedown of nearly 300 domains that had been used to relay commands to malware-infected computers, effectively incapacitating Waledac. Later in the year, the fight to dismantle the botnet seemed to be over when Microsoft was granted ownership of those domains.
But despite the security community's best efforts, those behind Waledac began sending out fake e-cards late last year aiming to infect users with malware as a means of rebuilding the botnet, Stone-Gross said.
Criminals have also set up new command-and-control servers to send instructions to infected machines.
“Microsoft took out the command-and-control infrastructure so infected machines couldn't receive instructions,” Stone-Gross said.
“They had to reconstruct the botnet from scratch.”
Around the beginning of the year, the botmasters shifted their efforts to money-making ventures and began sending spam that steers recipients to "Canadian pharmacy" sites selling cheap drugs, he added.
“Despite [Microsoft's] success last year, it is impossible to monitor and shut down every malicious site as quickly as the perpetrators set them up,” Adam Bosnian, vice president of the Americas at security firm Cyber-Ark, said.
“Cybercriminals will continue to find new ways to perpetrate malicious activity on unsuspecting individuals.”