Big Bad Botnets Combine To Send Billions Of Spam Messages

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Waledac makes a comeback by piggybacking on top of a virulent buddy

Two massive botnets have been combined to form what could be one of the biggest spam campaigns ever created.

Waledac malware, which was supposed to have been out of action since 2010 as a result of a botnet takedown operation led by Microsoft, has made its way back onto machines via the Virut virus.

In its heyday, Waledac was one of the biggest botnets in existence, capable of sending out significant amounts of spam, until Microsoft gained a court order to seize the domains associated with the malicious network in 2010.

But it reared its ugly head again in 2011 and 2012, and now looks to be making a comeback with the help of Virut.

The Virut botnet consists of 308,000 bots, and has been sending out email spam as well as carrying out other malicious activities.

Botnets joining forces

Symantec discovered Virut downloading an updated version of Waledac, before sending spam email via servers in a list received from the command and control (C&C) infrastructure.

“During our analysis in a controlled environment, we observed a compromised computer sending approximately 2,000 emails per hour,” the security giant said in a blog post.

“Conservatively, if a quarter of the estimated 308,000 computers infected with W32.Virut download W32.Waledac.D, then potentially billions of spam emails can be sent from these computers.”

Symantec produced the table below, showing its estimates of the size of the spam campaign:

“The coexistence of Virut and Waledac on a single computer is a further example of malware groups using affiliate programs to spread their threats, and that threats can be linked and coexist on an already compromised computer,” Symantec added.

“The volume of spam that can be sent from each bot is quite significant and the combination of multiple compromised computers could potentially lead to billions of spam messages being sent out by W32.Waledac.D per day.”

Meanwhile, Trend Micro has set up a global botnet map, showing locations of C&C servers and victim computers. At the time of publication, it had recorded 618 C&C servers as active in the last two weeks, as well as 483,589 active connections.

Check out the map here.