Personal Data Stolen to Launch Spam Messages
A study by The Last Line of Defense (TLLOD), a security research group made up of professors and graduate students from universities worldwide, shows that the Waledac botnet has amassed almost 500,000 stolen passwords for email accounts along with approximately 125,000 stolen sets of FTP credentials.
The researchers found that Waledac uses the stolen email credentials to relay spam through the victims' legitimate mail servers, which helps its campaigns avoid blacklisting.
“Recently, we were able to get an inside view of Waledac’s resurrection, and assess its strength. In particular, we found that the botmasters have a tremendous amount of stolen credentials. More specifically, they have 123,920 login credentials to FTP servers at their disposal,” said TLLOD in its blog.
“This number is significant, considering the Waledac controllers use an automated program to login to these servers and patch (or upload) specific files to redirect users to sites that serve malware or promote cheap pharmaceuticals,” it added.
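The quoted passage describes attackers logging in over FTP and patching or uploading files so that a site redirects visitors elsewhere. The most basic check a site owner can run against that is a file-integrity comparison of the web root against a known-good baseline. The following is an added example, not code from the original article or from TLLOD; the directory layout, file contents and the `example.invalid` redirect target are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline, current):
    """Classify files as added, removed or modified relative to the baseline manifest."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario (hypothetical): a clean web root, then an FTP-style tampering."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "index.html").write_text("<html><body>Hello</body></html>\n")
        (site / "css").mkdir()
        (site / "css" / "style.css").write_text("body { color: black; }\n")
        baseline = build_manifest(site)  # taken while the site is known to be clean

        # Simulated attacker activity: an existing page is patched with a redirect
        # and a new redirecting script is uploaded (example.invalid is a placeholder).
        with open(site / "index.html", "a") as f:
            f.write('<meta http-equiv="refresh" content="0;url=http://example.invalid/">\n')
        (site / "x.php").write_text(
            "<?php header('Location: http://example.invalid/'); ?>\n"
        )
        return diff_manifest(baseline, build_manifest(site))


if __name__ == "__main__":
    print(demo())
```

The baseline manifest must be stored somewhere the FTP account cannot reach; an attacker holding the same credentials used to patch the files can just as easily overwrite a manifest kept in the web root.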
According to its analysis, a total of 489,528 credentials for POP3 email accounts have been used for “high-quality” spam campaigns that abuse genuine “mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages.”
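Because the spam is sent through the victims' own providers after a successful SMTP-AUTH login, the sending IP looks legitimate and blocklists do not help. What a mail operator can do is watch the authentication log: one account authenticating from many unrelated client addresses within a short window is the signature of a credential that has leaked to a botnet. The block below is an added example written for this article, not code from TLLOD or the original page; the Postfix-style log lines, the `mx1` host name, the user names and all IP addresses are constructed, and the three-IPs-in-ten-minutes threshold is an assumed starting point to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical) in a Postfix/SASL-style format:
#   <timestamp> <host> postfix/smtpd[pid]: <queue-id>: client=<name>[<ip>], sasl_method=..., sasl_username=<user>
SAMPLE_LOG = """\
Dec 20 08:00:01 mx1 postfix/smtpd[1201]: 3F2A1: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.com
Dec 20 08:00:09 mx1 postfix/smtpd[1202]: 3F2A2: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Dec 20 08:00:15 mx1 postfix/smtpd[1203]: 3F2A3: client=unknown[192.0.2.55], sasl_method=LOGIN, sasl_username=alice@example.com
Dec 20 08:00:21 mx1 postfix/smtpd[1204]: 3F2A4: client=unknown[203.0.113.99], sasl_method=LOGIN, sasl_username=alice@example.com
Dec 20 08:00:30 mx1 postfix/smtpd[1205]: 3F2A5: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=alice@example.com
Dec 20 08:05:00 mx1 postfix/smtpd[1206]: 3F2A6: client=home[192.0.2.1], sasl_method=LOGIN, sasl_username=bob@example.com
Dec 20 09:30:00 mx1 postfix/smtpd[1207]: 3F2A7: client=home[192.0.2.1], sasl_method=LOGIN, sasl_username=bob@example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \S+: "
    r"client=\S+\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)


def parse_auth_events(log_text, year=2010):
    """Extract (timestamp, username, client_ip) from successful SMTP-AUTH log lines.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2010 here).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def flag_shared_credentials(events, window=timedelta(minutes=10), max_ips=3):
    """Return {user: set_of_ips} for accounts that authenticated from more than
    max_ips distinct client addresses inside any sliding window of the given length."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_user[user].append((ts, ip))

    flagged = {}
    for user, evs in by_user.items():
        for i, (start, _) in enumerate(evs):
            ips = {ip for ts, ip in evs[i:] if ts - start <= window}
            if len(ips) > max_ips:
                flagged[user] = ips
                break
    return flagged


if __name__ == "__main__":
    for user, ips in flag_shared_credentials(parse_auth_events(SAMPLE_LOG)).items():
        print(f"{user}: {len(ips)} client IPs in window -> {sorted(ips)}")
```

A hit should be followed by forcing a password reset and revoking the account's sessions; the same check is worth running against POP3/IMAP logins, since the credentials Waledac holds are POP3 credentials and are likely exercised for reading mail as well as sending it.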
The research further found infected nodes connecting to a bootstrap command-and-control (C&C) server, which “speaks a proprietary protocol known as ANMP, and disseminates a list of router nodes (other compromised hosts) to infected machines.”
“In total, there were 12,249 unique node IDs that connected to the bootstrap C&C, and 13,070 router IDs,” said Brett Stone-Gross in his analysis of Waledac.
In February 2010, Microsoft and other organizations tried to stop Waledac’s spam campaigns by taking down the domains the botnet used for command and control. In December last year, however, Waledac sprang back to life and began sending holiday e-cards to consumers’ mail servers.