Home > Security > The Last Line Of Defence on Waledac 2.0

The Last Line Of Defence on Waledac 2.0

TTLOD wrote on their blog about the reappearing Waledac Botnet (a.k.a SLM / Storm) starting sending out malicious e-cards begining with new years eve using stolen credentials.

What seems to be the most impressing here are the analogies to the Primiframe attacks.

In particular, we found that the botmasters have a tremendous amount of stolen credentials. More specifically, they have 123,920 login credentials to FTP servers at their disposal. This number is significant, considering the Waledac controllers use an automated program to login to these servers and patch (or upload) specific files to redirect users to sites that serve malware or promote cheap pharmaceuticals.

I think the amount of stolen credentials from Filezilla users is much higher, it might be some kind of 1 million or more credentials.

Additionally, stored e-mail credentials were stolen in the Waledac attacks

We also discovered 489,528 credentials for POP3 email accounts. These credentials are known to be used for “high-quality” spam campaigns. The technique abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages. This method makes IP-based blacklist filtering considerably more difficult.

Right now, the priemliframe attacks look like a testrun of new Botnet. The payload seems to just uploads found credentials and exits. It doesnt install itself into the startup directory to not be found from future antivirus clients.

If you had an primliframe attack on your server, change _ALL_ your passwords!

Let’s see whats next.


  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: