iTnews

Waledac botnet wakes up in 2011 with new run of pharmaceutical spam

By Dan Raywood on Jan 17, 2011 12:33PM

Cybercriminals return from break.

A new variant of the Waledac botnet has reappeared, with pharmaceutical spam being distributed.

The botnet reappeared at the end of 2010, sending out a New Year themed spam email where a URL in the email asks the recipient to download a fake Adobe Flash player, however this campaign ended on January 4.

The new pharmaceutical campaign also uses redirections via compromised legitimate sites with the links not just sending the user to malicious content, but just to spam, though that could change at any point if the people behind Waledac decide to grow the botnet.

Carl Leonard, senior manager of Websense Security Labs, said: “When botnets shut down over Christmas, global spam levels took a welcome dive. But the holiday is over now as we see sleeping botnets reactivate with a vengeance one-by-one.

“Waledac is the latest to stir back into life reverting back to its favourite pharmaceutical spam topics. As for the hiatus in activity, I presume that cyber criminals took some time off just the same as everyone else.”

Symantec's Andrea Lelli said: “This new variant (named W32.Waledac.B) implements the advanced network management protocol (ANMP) in order to organise all the bots in a peer-to-peer network that has the characteristics of a fast-flux network. This kind of network is resistant to bots going online and offline and it can reconfigure itself very quickly, rendering it a very dangerous botnet.

“The peers communicate with each other through messages and all the communications use strong encryption and digital signing. We analysed the network messages being exchanged among the peers, before and after the downtime and we could see an update in the version numbers (from 0.0.49 to 0.0.51) and in the spam job message, which was now including also the pharmaceutical spam messages (as opposed to the previous spam job, which contained spam related to e-cards).

“This new added code seems to be simply validating a parameter (the size of the send queue). Perhaps the previous version of the bot had a bug that caused it to malfunction in case the size of the queue was not properly set? Perhaps this bug caused the botnet downtime that we observed? We do not know, maybe the botnet herders were just waiting for the next strike, but this was definitely a curious detail on the software side.”

This article originally appeared at scmagazineuk.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
2011 botnet in new of pharmaceutical run security spam up wakes waledac with

Partner Content

NDR comes of age as frontline security application
Promoted Content NDR comes of age as frontline security application
NDR meets ransomware threat head on
Promoted Content NDR meets ransomware threat head on
Albemarle cuts e-waste, capex spend "substantially" by hiring rather than buying
Promoted Content Albemarle cuts e-waste, capex spend "substantially" by hiring rather than buying
How Australian governments can accelerate their cloud-first IT strategies
Promoted Content How Australian governments can accelerate their cloud-first IT strategies

Sponsored Whitepapers

Understanding the next security control points: applications and workloads
Understanding the next security control points: applications and workloads
Best security practices after rapid Digital Transformation
Best security practices after rapid Digital Transformation
The CISO View 2021 Survey: Zero Trust and Privileged Access
The CISO View 2021 Survey: Zero Trust and Privileged Access
How and why to backup your Office 365 tenant
How and why to backup your Office 365 tenant
ForgeRock for Australia’s Trusted Digital Identity Framework (TDIF)
ForgeRock for Australia’s Trusted Digital Identity Framework (TDIF)

Events

  • SAP e'ffect 2021
  • #DevDay
By Dan Raywood
Jan 17 2011
12:33PM
0 Comments

Related Articles

  • 'Necurs' spam and malware botnet disrupted by Microsoft
  • Tyro agrees to independent review after sending 150,000 spam messages
  • Former Ubiquiti employee charged with hacking, extorting company
  • Aussie Broadband makes formal $344m bid for Over The Wire
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Perth Mint CIO leaves after five months

Perth Mint CIO leaves after five months
Microsoft becomes 'certified strategic' cloud provider

Microsoft becomes 'certified strategic' cloud provider
Telcos get new powers to block malicious SMS scams at scale

Telcos get new powers to block malicious SMS scams at scale
Macquarie Bank shoots for eight technology 'north stars' for 2025

Macquarie Bank shoots for eight technology 'north stars' for 2025

Digital Nation

Catastrophic governance failures are rooted in organisational culture
Catastrophic governance failures are rooted in organisational culture
Fringe innovation unlocks power of diverse thinking
Fringe innovation unlocks power of diverse thinking
Case Study: Intrepid Group uses global travel shutdown to reimagine HR function
Case Study: Intrepid Group uses global travel shutdown to reimagine HR function
COVER STORY: Automation drives marketing success but complexity torments delivery
COVER STORY: Automation drives marketing success but complexity torments delivery
Case Study: Keeping CPA's board up to date about cybersecurity risks
Case Study: Keeping CPA's board up to date about cybersecurity risks
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.