Researchers have discovered that the gang behind the once-and-future botnet Waledac has gathered nearly 500,000 stolen passwords for email accounts, along with close to 125,000 sets of pilfered credentials for FTP accounts.
The discovery isn’t so surprising in its details, but rather in its scope. There are a slew of Trojans and info-stealing pieces of malware around these days that are designed specifically to seek out and steal this kind of data. Email passwords, which often are simple and reused on other accounts by victims, can give attackers access to far more than just a victim’s mundane message exchanges with friends. Email accounts can lead to online banking credentials, credit card accounts and other high-value data.
Researchers at The Last Line of Defense, a security firm comprising professors and grad students from universities around the world, analyzed the data that the Waledac crew had gathered and found that the email credentials were being used in spam campaigns designed to evade real-time blacklists and other filters.
“We also discovered 489,528 credentials for POP3 email accounts. These credentials are known to be used for ‘high-quality’ spam campaigns. The technique abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages. This method makes IP-based blacklist filtering considerably more difficult,” the analysis said.
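One defender-side check for the SMTP-AUTH abuse the analysis describes, as an added example that is not part of the original article or of the TLLOD analysis: it parses Postfix smtpd SASL login lines and flags any account authenticated from more distinct client addresses in a short window than a legitimate user plausibly would, which is the footprint a harvested credential leaves when a botnet relays spam through it. The log lines are constructed, and the Postfix format, the window and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Postfix smtpd SASL format (not real traffic).
# alice logs in from her usual address; bob's password has been harvested and
# is being used for SMTP-AUTH relaying from many unrelated hosts at once.
SAMPLE_LOG = """\
Jan 12 10:15:01 mx postfix/smtpd[1201]: 3F2A1: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 12 10:17:44 mx postfix/smtpd[1202]: 3F2A2: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 12 10:18:02 mx postfix/smtpd[1203]: 3F2A3: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 12 10:18:09 mx postfix/smtpd[1204]: 3F2A4: client=unknown[198.51.100.88], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 12 10:18:15 mx postfix/smtpd[1205]: 3F2A5: client=unknown[192.0.2.19], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 12 10:18:21 mx postfix/smtpd[1206]: 3F2A6: client=unknown[192.0.2.200], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 12 11:30:00 mx postfix/smtpd[1207]: 3F2A7: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=alice@example.com
"""

# Matches the syslog timestamp, the client IP in brackets and the SASL username.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: \S+: "
    r"client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\].*sasl_username=(?P<user>\S+)$"
)

def parse_auth_events(log_text, year=2011):
    """Yield (timestamp, username, client_ip) for each authenticated-session line.
    Syslog lines carry no year, so one is supplied (assumed here)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def flag_shared_credentials(events, window=timedelta(minutes=10), max_ips=3):
    """Return {user: sorted IPs} for every user seen authenticating from more than
    max_ips distinct client addresses within any sliding window of the given length."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, seq in by_user.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            ips = {ip for ts, ip in seq[i:] if ts - start <= window}
            if len(ips) > max_ips:
                flagged[user] = sorted(ips)
                break
    return flagged
```

Tune the window and threshold to the site's own baseline (roaming users on mobile networks change addresses legitimately), and treat a hit as a trigger for a forced password reset rather than as proof on its own.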
Waledac is one of the more intriguing botnets in recent years, not because of its methods or targets, but because of its resilience. Microsoft and some other groups took action against the Waledac botnet in February 2010, in large part to stem the tide of spam messages that were flooding email servers at Hotmail and other consumer email services. Within a month of the action, which involved taking down hundreds of domains Waledac was using for command and control, the botnet was essentially dead in the water.
However, late last year Waledac appeared to spring back to life, beginning a major spam campaign right around the end of December and beginning of January, sending out the always-popular holiday e-cards. And spam levels in general began to spike in late January. But the TLLOD researchers said that the renewed spam activity from Waledac came well after the botnet’s creators began offering a new service for getting C&C servers up and running.
“In addition to the compromised credentials, we also had visibility of newly infected nodes connecting to a bootstrap Command-and-Control server. The bootstrap server speaks a proprietary protocol known as ANMP, and disseminates a list of router nodes (other compromised hosts) to infected machines. Note that every node generates a random 16 byte ID, that is reported back to Waledac’s C&Cs. Our analysis indicates that the bootstrap service first appeared online on December 3, 2010, well before the New Year’s spam campaign. In total, there were 12,249 unique node IDs that connected to the bootstrap C&C, and 13,070 router IDs,” Brett Stone-Gross said in his analysis of the Waledac resurgence.