Original URL: http://www.theregister.co.uk/2011/02/02/waledac_account_compromise/

Researchers pry open Waledac, find 500,000 email passwords

Son of Storm is back

By Dan Goodin

Posted in Security, 2nd February 2011 00:13 GMT

Researchers have taken a peek inside the recently refurbished Waledac botnet, and what they've found isn't pretty.

Waledac, a successor to the once-formidable Storm botnet, has passwords for almost 500,000 Pop3 email accounts, allowing spam to be sent through SMTP servers, according to findings published on Tuesday by security firm Last Line. By hijacking legitimate email servers, the Waledac gang is able to evade IP-based blacklisting techniques that many spam filters use to weed out junk messages.

What's more, Waledac controllers are in possession of almost 124,000 FTP credentials. The passwords let them run programs that automatically infect the websites with scripts that redirect users to sites that install malware and promote fake pharmaceuticals. Last month, the researchers identified almost 9,500 webpages from 222 sites that carried poisoned links injected by Waledac.

The discovery comes a month after a new malware-seeded spam run was spotted. This had all the hallmarks of the storm botnet. Storm was all the rage in 2007 and 2008 but the botnet then turned largely silent, most likely as a result of the prolific amounts of spam it generated. Among the sleeping giants stirred by that success was Microsoft, which last year successfully sued to obtain 276 internet addresses used to control Waledac.

“The Waledac botnet remains just a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses,” the Last Line researchers wrote.

In addition to a generous helping of compromised credentials, Waledac also comes with a new command and control system that disseminates a list of router nodes to infected machines. ®