Researchers Uncover Credentials Stolen By Waledac

Researchers have found a huge cache of email passwords and FTP credentials stolen by the botnet

Microsoft made waves last year when it led the legal charge against Waledac’s operators and gained control of 276 domains belonging to the botnet.

Despite this, however, it is clear that Waledac does not die easily, something underscored recently by researchers at The Last Line of Defense, who uncovered a trove of nearly 124,000 FTP credentials stolen by the botnet.

The login credentials to the FTP servers are a key part of Waledac’s operation. According to The Last Line of Defense, the botnet’s operators use an automated program to log in to those servers and alter the hosted pages so that visitors are redirected to sites that serve malware or promote cheap pharmaceuticals. In January, researchers observed 222 websites, containing 9,447 pages, that had been compromised in this way.

Compromised Websites

Most of the sites were relatively low-traffic, Brett Stone-Gross, a threat analyst for The Last Line of Defense, told eWEEK.

“The category of (the) sites was all across the board, including personal websites, SMBs, adult, religion, etc.,” he said.

At the start of the year, security pros linked Waledac to an e-card spam campaign that was making the rounds on the Internet. Waledac’s resurrection followed legal manoeuvring by Microsoft, which won a decision against the botnet’s masterminds last September. Once capable of sending out more than 1.5 billion spam messages a day, the botnet had shrunk to 58,000 unique infected IP addresses by 30 August 2010, Microsoft said in September.

“Microsoft was previously able to take down the Waledac infrastructure so that infected hosts could no longer communicate with the botnet controllers,” Stone-Gross said. “However, those behind the Waledac operation (once again) used their expertise in social engineering to propagate their malware through greeting cards, in order to recruit machines into the botnet with a new command-and-control center.”

The Last Line of Defense is working with a number of organisations to notify the victims, he said.

Treasure Trove

In the event FTP credentials are stolen, organisations should not only move to change the relevant passwords but also the IP addresses of the servers involved, advised Roy Adar, vice president of product management for Cyber-Ark.

FTP credentials were not the only thing found. Researchers also discovered 500,000 stolen passwords for POP3 email accounts. These credentials are known to be used for “high-quality” spam campaigns, Stone-Gross wrote in a blog post. The technique, he added, abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol and sending spam through them, so the messages leave from a reputable server rather than from a known-bad address, which makes IP-based filtering considerably more difficult.
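As an added illustration (not part of the article or of The Last Line of Defense’s research), one check a mail administrator can run against the abuse described above: since a single stolen account is typically used by many infected hosts at once, flag accounts that authenticate via SMTP AUTH from an unusually large number of distinct source addresses. The log lines below are constructed in the style of Postfix smtpd SASL logging and are not real data; the threshold is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real data), in the style of Postfix smtpd SASL logging.
SAMPLE_LOG = """\
Jan 12 08:01:12 mx1 postfix/smtpd[2311]: 4F2A1: client=dsl-1.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.org
Jan 12 08:01:19 mx1 postfix/smtpd[2311]: 4F2A2: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.org
Jan 12 08:01:27 mx1 postfix/smtpd[2314]: 4F2A3: client=unknown[192.0.2.44], sasl_method=LOGIN, sasl_username=alice@example.org
Jan 12 08:01:33 mx1 postfix/smtpd[2314]: 4F2A4: client=cable-9.example.com[203.0.113.77], sasl_method=PLAIN, sasl_username=alice@example.org
Jan 12 08:01:40 mx1 postfix/smtpd[2311]: 4F2A5: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.org
Jan 12 08:01:48 mx1 postfix/smtpd[2316]: 4F2A6: client=unknown[192.0.2.201], sasl_method=PLAIN, sasl_username=alice@example.org
Jan 12 08:02:05 mx1 postfix/smtpd[2311]: 4F2A7: client=office.example.org[203.0.113.10], sasl_method=PLAIN, sasl_username=bob@example.org
Jan 12 08:09:41 mx1 postfix/smtpd[2314]: 4F2A8: client=office.example.org[203.0.113.10], sasl_method=PLAIN, sasl_username=bob@example.org
Jan 12 08:15:02 mx1 postfix/smtpd[2316]: 4F2A9: client=office.example.org[203.0.113.10], sasl_method=PLAIN, sasl_username=bob@example.org
Jan 12 08:20:11 mx1 postfix/smtpd[2311]: 4F2B0: client=home.example.net[203.0.113.9], sasl_method=PLAIN, sasl_username=carol@example.org
Jan 12 09:02:37 mx1 postfix/smtpd[2314]: 4F2B1: client=mobile.example.net[198.51.100.30], sasl_method=PLAIN, sasl_username=carol@example.org
"""

# Pull the connecting IP (inside the brackets after client=) and the SASL user name.
SASL_RE = re.compile(r"client=\S+?\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)")


def parse_sasl_logins(log_text):
    """Yield (user, ip) for every authenticated SMTP session found in the log text."""
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def find_shared_accounts(log_text, max_ips=3):
    """Return {user: {"ips": [...], "sessions": n}} for accounts seen authenticating
    from more than max_ips distinct source addresses. A real mailbox owner rarely
    sends from more than a handful of addresses; a credential reused by a botnet does."""
    ips_by_user = defaultdict(set)
    sessions_by_user = defaultdict(int)
    for user, ip in parse_sasl_logins(log_text):
        ips_by_user[user].add(ip)
        sessions_by_user[user] += 1
    return {
        user: {"ips": sorted(ips), "sessions": sessions_by_user[user]}
        for user, ips in ips_by_user.items()
        if len(ips) > max_ips
    }


if __name__ == "__main__":
    for user, info in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{user}: {info['sessions']} sessions from {len(info['ips'])} addresses {info['ips']}")
```

On a real server the same check should be run over a short time window and combined with a per-account message-rate limit, since the distinct-address count alone grows slowly for a legitimate travelling user.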

“In addition to the compromised credentials, we also had visibility of newly infected nodes connecting to a bootstrap Command-and-Control (C&C) server,” he blogged. “The bootstrap server speaks a proprietary protocol known as ANMP, and disseminates a list of router nodes (other compromised hosts) to infected machines. Note that every node generates a random 16-byte ID that is reported back to Waledac’s C&Cs. Our analysis indicates that the bootstrap service first appeared online on 3 December 2010, well before the New Year’s spam campaign.”

In total, he blogged, there were 12,249 unique node IDs connecting to the bootstrap C&C, and 13,070 router IDs.

“The Waledac botnet remains just a shadow of its former self for now, but that’s likely to change given the number of compromised accounts that the Waledac crew possesses,” Stone-Gross wrote.