Waledac botnet wakes up in 2011 with new run of pharmaceutical spam

News by Dan Raywood

A new variant of the Waledac botnet has reappeared in recent days, with pharmaceutical spam being distributed.

A new variant of the Waledac botnet has reappeared in recent days, with pharmaceutical spam being distributed.

The botnet reappeared at the end of 2010, sending out New Year themed spam email where a URL in the email asks the recipient to download a fake Adobe Flash player, however this ended on 4th January.

The new pharmaceutical campaign also uses redirections via compromised legitimate sites with the links not just sending the user to malicious content, but just to spam, but that could change at any point if the people behind Waledac decide to grow the botnet.

Carl Leonard, senior manager of Websense Security Labs, said: “When botnets shut down over Christmas, global spam levels took a welcome dive. But the holiday is over now as we see sleeping botnets reactivate with a vengeance one by one.

“Waledac is the latest to stir back into life reverting back to its favourite pharmaceutical spam topics. As for the hiatus in activity, I presume that cyber criminals took some time off just the same as everyone else.”

Symantec's Andrea Lelli also commented that the Rustock botnet is reported to be back online and also sending out pharmaceutical spam, with about 1,400 bots observed in the last 24 hours, with its main distribution being in the United States and Europe.

Lelli said: “This new variant (named W32.Waledac.B) implements the advanced network management protocol (ANMP) in order to organise all the bots in a peer-to-peer network that has the characteristics of a fast-flux network. This kind of network is resistant to bots going online and offline and it can reconfigure itself very quickly, rendering it a very dangerous botnet.

“The peers communicate with each other through messages and all the communications use strong encryption and digital signing. We analysed the network messages being exchanged among the peers, before and after the downtime and we could see an update in the version numbers (from 0.0.49 to 0.0.51) and in the spam job message, which was now including also the pharmaceutical spam messages (as opposed to the previous spam job, which contained spam related to e-cards).

“This new added code seems to be simply validating a parameter (the size of the send queue). Perhaps the previous version of the bot had a bug that caused it to malfunction in case the size of the queue was not properly set? Perhaps this bug caused the botnet downtime that we observed? We do not know, maybe the botnet herders were just waiting for the next strike, but this was definitely a curious detail on the software side.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews