
The Last Line Of Defence on Waledac 2.0

2011/02/02

TLLOD wrote on their blog about the reappearing Waledac botnet (a.k.a. SLM / Storm), which started sending out malicious e-cards beginning on New Year's Eve, using stolen credentials.

What seems most striking here are the analogies to the Primiframe attacks.

In particular, we found that the botmasters have a tremendous amount of stolen credentials. More specifically, they have 123,920 login credentials to FTP servers at their disposal. This number is significant, considering the Waledac controllers use an automated program to login to these servers and patch (or upload) specific files to redirect users to sites that serve malware or promote cheap pharmaceuticals.

I think the amount of stolen credentials from FileZilla users is much higher; it might be something like 1 million or more credentials.
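As an added example (not part of the original post or of TLLOD's write-up), a small Python check a site owner could run over pages fetched from a server whose FTP credentials were stolen: it flags hidden iframes pointing off-site, the trace left behind when the quoted passage's "patch specific files to redirect users" step has happened. The sample page and the host names in it are constructed.

```python
"""Flag hidden, off-site iframes injected into a site's own pages (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _px(value):
    """Parse a width/height attribute such as '1', '1px' or '0' into an int (None if unusable)."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def _is_hidden(attrs):
    """An iframe no visitor can see has no legitimate reason to be on the page."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    return w is not None and h is not None and w <= 1 and h <= 1


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag, wherever it sits (even after </html>)."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def find_injected_iframes(html, own_host):
    """Return the src hostnames of hidden iframes that point to a host other than own_host."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        host = urlparse(attrs.get("src") or "").hostname  # None for relative (same-site) sources
        if host and host != own_host and _is_hidden(attrs):
            hits.append(host)
    return hits


# Constructed sample: a normal visible embed, plus a 1x1 hidden iframe appended after </html>,
# the shape a patched file typically has. 'malware-host.invalid' is a placeholder, not a real IoC.
SAMPLE_PAGE = """<html><body><h1>Shop</h1>
<iframe src="https://www.example.com/embed" width="640" height="360"></iframe>
</body></html>
<iframe src="http://malware-host.invalid/in.php" width="1" height="1" style="visibility: hidden"></iframe>"""

if __name__ == "__main__":
    print(find_injected_iframes(SAMPLE_PAGE, "www.example.com"))  # ['malware-host.invalid']
```

Run it against every HTML/PHP file in the web root after an incident; a clean result does not replace changing the passwords, it only tells you which files still need restoring.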

Additionally, stored e-mail credentials were stolen in the Waledac attacks:

We also discovered 489,528 credentials for POP3 email accounts. These credentials are known to be used for “high-quality” spam campaigns. The technique abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages. This method makes IP-based blacklist filtering considerably more difficult.

Right now, the priemliframe attacks look like a test run of a new botnet. The payload seems to just upload the credentials it finds and then exit. It does not install itself into the startup directory, so as not to be found by future antivirus clients.

If you had a primliframe attack on your server, change _ALL_ your passwords!

Let's see what's next.