Skip to main content

Waledac botnet poised for comeback?

About a year ago a federal judge granted a very unusual request by Microsoft to shut down almost 300 domains that were used as command-and-control centers for the Waledac botnet. The move was generally hailed as a success by the security community: it dealt Waledac a huge blow and the botnet all but dropped off the radar of most online threat analyses. However, now Waledac seems to be back—and this time it’s armed with a sizable cache of valid FTP and email credentials that enable it to alter Web pages to serve malware and send “high quality” spam under the names of legitimate ISP customers.

According to security vendor Last Line, Waledac has accumulated almost half a million valid login credentials for POP3 email accounts around the Internet, as well as more than 120,000 valid login credentials for FTP servers. The vast number of login credentials may be significant: Waledac’s controllers use the credentials to log into the servers and, where possible, alter the contents of existing Web pages to server malware, promote pharmaceuticals, or engage in other forms of online scams. The POP3 logins mean that Waledac-controlled computers can connect o ISPs as legitimate customers—and send email using their accounts. The ability to bypass authentication requirements for sending email could give spam from Waledac systems an edge in defeating blacklisting and techniques that validate senders—from the point of view of the receiving system.

“The Waledac botnet remains just a shadow of its former self for now, but that’s likely to change given the number of compromised accounts that the Waledac crew possesses,” Last Line wrote on its blog.

The security community noticed Waledac coming back to life at the end of 2010, but Last Line’s analysis is the first reported look at the resources available to Waledac’s operators.

Editors' Recommendations

Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
Microsoft Edge gets hit with the same serious security bug that plagued Chrome
The Microsoft Edge browser is open on a Surface Book 2 in tablet mode.

Microsoft just released an Edge browser update that patches a dangerous flaw that could allow a cleverly designed attack to execute arbitrary code. While every security update should be installed promptly, this one is a bit more urgent because the attack is "in the wild" already, meaning that hackers are already taking advantage of this vulnerability to breach security.

Designated CVE-2022-2294, this vulnerability was actually a flaw with the Chromium project, the open-source code that Google's Chrome browser is built upon. Microsoft uses the same base code for the Edge browser, meaning bugs that affect one often plague the other. Google patched the same bug recently and has been keeping quiet about details of the attack to allow others to make similar fixes, since Chromium is quite a popular codebase.

Read more
How to block third-party trackers in your browser
Microsoft Edge browser open on a laptop.

Cookies are data artifacts saved by web browsers on our internet-connected devices. They keep a record of the websites you visit, and in the case of first-party cookies, they're important for certain essential website features.

Read more
Microsoft Defender finally feels like proper antivirus software for individuals
The Windows Security app in Windows 11.

With password attacks and ransomware on the rise, Microsoft has announced the general availability of Microsoft Defender for individuals, a premium, cross-platform, consumer security application for Windows, Android, iOS, and Mac.

Available for paid Microsoft 365 Personal and Family subscribers, this new security offering from Microsoft is the latest step in a journey to bring its security features to all of its users. Building on what's been done with the Windows Security app on Windows, Microsoft Defender for individuals will bring together multiple protections into a single online dashboard.

Read more