In an analysis of Virut botnet samples, Symantec researchers observed the malware downloading Waledac variants, suggesting that the gangs responsible for each botnet may be cooperating with one another through some sort of affiliate program, or, at the very least, that the two threats coexist and function on single infected machines.
Virut’s command and control server domains recently suffered a temporary outage because of judicial proceedings in its host-country, Poland. The outage gave Symantec’s researchers an opportunity to gather information about the network. They determined that botnet consists of more than 308,000 uniquely compromised machines and that its primary function is to pump out spam and other malicious emails.
Waledac, on the other hand, is pretty well-known. It’s one of those security industry problems, like Conficker and AutoRun, that just never seems to go away. Microsoft famously crippled the thing in a 2010 takedown-attempt, but it has resurfaced since then.
Now, at least in part because if its affiliation with Virut, the number of Waledac-infected machines are once again on the rise.
Symantec conservatively estimates that a quarter or more of Virut zombies could also play host to Waledac variants. In its test environment, Symantec observed compromised machines firing off an average of 2,000 spam emails an hour.
So, with some 77,000 Waledac-infected machines within the Virut botnet generating an average of 2,000 spam messages an hour for somewhere between 8 and 24 hours a day, depending on how often users power down their computers, Symantec estimates that Waledac could potentially generate somewhere between 1.2 and 3.6 billion spam emails per day from within the Virut botnet alone.
The campaign is generating 16 unique subject lines and 13 unique email bodies for their spam. Symantec claims that some lead to Canadian pharma-sites while others attempt to peddle fake performance enhancing drugs.
“The coexistence of Virut and Waledac on a single computer is further example of malware groups using affiliate programs to spread their threats,” the researchers wrote, “and that threats can be linked and coexist on an already compromised computer.”