Waledac Botnet Returns

Thursday, February 16, 2012 @ 02:02 PM gHale

The Waledac botnet was taken down almost two years ago, but that was not the end of it: a new variant is now active that not only sends a large volume of spam but also steals sensitive data from infected machines.

The new version of Waledac was first seen in action at the beginning of February, and researchers have been analyzing it since. They conclude that it still sends spam, but it can also steal passwords and authentication data, including credentials for FTP, POP3 and SMTP accounts, said researchers at Palo Alto Networks.


Beyond that, Waledac also harvests .dat files belonging to FTP clients and to Bitcoin (the Bitcoin client keeps its wallet in a wallet.dat file) and uploads them to the botnet.

Palo Alto Networks identified how the new variant behaves using its WildFire system, which lets a firewall capture unknown files and run them in a malware sandbox for analysis.

Palo Alto Networks stressed that this is not the old botnet revived, but a new variant.

Symantec also covered the emergence of the new botnet, spotting it doing what it does best: spamming.

A spam email targeting only Russian users pointed to a website called Rospres.com that promoted slanderous articles, but it was unclear whether the purpose was to smear candidates in the upcoming Russian elections or merely to advertise the site.

“While it is not clear whether the intent of this Waledac spam campaign has been to promote the Rospres.com site or to smear the election campaign of any individual, it does question the exact motivation of the malware gang controlling the W32.Waledac.C variant,” Symantec experts said.
