Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
After being effectively dismantled last year by a judge's ruling, the Waledac botnet has made a resurgence, and its operators are now in control of a cache of stolen credentials, according to researchers at security firm LastLine.
Researchers were recently able to get an “inside view” of the botnet and discovered that its operators have control of a huge amount of stolen FTP and email credentials, Brett Stone-Gross, a developer and threat analyst at LastLine said on Wednesday. The stolen credentials may have been bought on the underground market or extracted from compromised machines.
Specifically, those behind the botnet are harboring nearly 500,000 email credentials, which likely will be used to deliver spam, Stone-Gross said. Using the stolen credentials to authenticate as the sender before pushing out spam, attackers can bypass IP-based email filtering systems.
“The benefit is that you are using a legitimate mail server rather than compromised machine to send the email,” Stone-Gross said. “IP-based blacklists are pretty much useless at that point.”
Waledac botmasters also have amassed nearly 124,000 credentials to FTP servers. Those behind the botnet use an automated program to login to these servers and upload files that redirect users to sites that serve malware or promote pharmaceuticals.
Last month, researchers discovered 222 websites that had been compromised with this method.
“The Waledac botnet remains a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses,” Stone-Gross wrote in a blog post Wednesday.
A federal judge last February ordered the takedown of nearly 300 domains being used to provide instructions to malware-infected computers, effectively incapacitating Waledac. Later in the year, it seemed the fight to dismantle the botnet was over when Microsoft was granted ownership of the domains.
But despite the security community's best efforts, those behind Waledac began sending out fake e-cards late last year aiming to infect users with malware as a means of rebuilding the botnet, Stone-Gross said.
Criminals have also set up new command-and-control servers to send instructions to infected machines.
“Microsoft took out the command-and-control infrastructure so infected machines couldn't receive instructions,” Stone-Gross said.
“They had to reconstruct the botnet from scratch.”
Around the beginning of the year, botmasters shifted their efforts to money-making ventures and began sending unwanted messages redirecting users to Canadian pharmacy sites that sell cheap drugs, he added.
“Despite [Microsoft's] success last year, it is impossible to monitor and shut down every malicious site as quickly as the perpetrators set them up,” Adam Bosnian, vice president of the Americas at security firm Cyber-Ark said.
“Cybercriminals will continue to finds news ways to perpetrate malicious activity on unsuspecting individuals.”
This article originally appeared at scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.
