Waledac back from the dead

gallery

The Waledac botnet made a massive comeback in the past week, having stopped spamming altogether on 4 January.

Various mega-botnets appeared to take a break from their spamming duties over the past month, leaving security researchers at a loss as to why, but this week a big resurgence was recorded.

Members of Waledac, also known as the Storm botnet, were sent a new variant and on 12 January the network began spamming again.

“Now it's back to sending pharmaceutical spam promoting ‘the magic blue pill’ which we have seen previous versions of Waledac do in the past,” Websense explained in a blog.

“As in previous spam campaigns, the spammers are using redirections via compromised legitimate sites.”

The updated botnet appears to have grown as well, according to Symantec, with 1400 bots seen between 11 and 12 January, with most discovered in the US and Europe.

The new version of Waledac has organised its bots in a peer-to-peer network containing “the characteristics of a fast-flux network,” Symantec said.

“This kind of network is resistant to bots going online and offline, and it can reconfigure itself very quickly, rendering it a very dangerous botnet,” the security giant’s Andrea Lelli said in a blog.

Lelli hypothesised on reasons behind the botnet’s downtime as well, having investigated some updated Waledac code.

“This new added code seems to be simply validating a parameter (the size of the send queue); perhaps the previous version of the bot had a bug that caused it to malfunction in case the size of the queue was not properly set,” she added.

“Perhaps this bug caused the botnet downtime that we observed?”

Symantec also said it was a “suspicious coincidence” Waledac had started spamming again at the same time as the Rustock botnet, another serious spammer, resurrected its activities.

Email to a friend

Print this page