[ISN] Researchers pry open Waledac, find 500,000 email passwords

From: InfoSec News <alerts_at_private>
Date: Wed, 2 Feb 2011 05:12:47 -0600 (CST)
http://www.theregister.co.uk/2011/02/02/waledac_account_compromise/

By Dan Goodin in San Francisco
The Register
2nd February 2011 

Researchers have taken a peek inside the recently refurbished Waledac 
botnet, and what they've found isn't pretty.

Waledac, a successor to the once-formidable Storm botnet, has passwords 
for almost 500,000 POP3 email accounts, allowing spam to be sent through 
SMTP servers, according to findings published on Tuesday by security 
firm Last Line. By hijacking legitimate email servers, the Waledac gang 
is able to evade the IP-based blacklisting techniques that many spam filters 
use to weed out junk messages.
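Because relayed spam leaves the legitimate server's own IP address on the wire, a sending-IP blacklist sees nothing unusual; what does change is the authentication pattern on the abused server. The script below is an added example for defenders, not code from the article or from Last Line. It assumes a simplified SMTP AUTH log line format (constructed here, loosely modelled on Postfix/SASL logging) and flags an account when, inside a short sliding window, it authenticates from more distinct client IPs than a person plausibly would, or addresses more recipients than the account's normal volume. The sample log lines, thresholds and account names are all constructed for illustration.

```python
"""Detect likely-compromised mail accounts from SMTP AUTH logs.

Added example (not from the article or from Last Line). When stolen
POP3/SMTP credentials are used to relay spam through a legitimate server,
the server's IP stays clean, so the useful signal is the per-account
authentication pattern: many unrelated client IPs and a burst of
recipients within minutes. Log format, thresholds and sample data are
assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not real server output).
# alice behaves normally; bob's credentials are being used by a relay.
SAMPLE_LOG = """\
2011-02-01T09:00:01 smtpd: client=203.0.113.10, sasl_username=alice@example.org, recipients=1
2011-02-01T09:05:12 smtpd: client=203.0.113.10, sasl_username=alice@example.org, recipients=2
2011-02-01T09:06:00 smtpd: client=198.51.100.7, sasl_username=bob@example.org, recipients=1
2011-02-01T09:06:30 smtpd: client=198.51.100.9, sasl_username=bob@example.org, recipients=40
2011-02-01T09:06:31 smtpd: client=192.0.2.44, sasl_username=bob@example.org, recipients=45
2011-02-01T09:06:33 smtpd: client=192.0.2.101, sasl_username=bob@example.org, recipients=50
2011-02-01T09:06:40 smtpd: client=203.0.113.200, sasl_username=bob@example.org, recipients=38
2011-02-01T09:07:00 smtpd: client=198.51.100.77, sasl_username=bob@example.org, recipients=42
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) smtpd: client=(?P<ip>[\d.]+), "
    r"sasl_username=(?P<user>\S+), recipients=(?P<rcpt>\d+)$"
)


def parse_line(line):
    """Parse one log line of the assumed format; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "rcpt": int(m["rcpt"]),
    }


def detect_compromised(log_text, window=timedelta(minutes=10), max_ips=3, max_rcpt=100):
    """Return {account: [reasons]} for accounts whose authenticated activity
    inside any sliding window of length `window` exceeds either threshold.

    max_ips  - more distinct client IPs than this in one window is suspicious
    max_rcpt - more total recipients than this in one window is suspicious
    Both thresholds are illustrative; tune them to the server's real baseline.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev["user"]].append(ev)

    flagged = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = set()
        start = 0
        for end in range(len(evs)):
            # Advance `start` so evs[start..end] all fall within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            ips = {e["ip"] for e in win}
            rcpt = sum(e["rcpt"] for e in win)
            if len(ips) > max_ips:
                reasons.add("too_many_source_ips")
            if rcpt > max_rcpt:
                reasons.add("recipient_volume")
        if reasons:
            flagged[user] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    for account, why in detect_compromised(SAMPLE_LOG).items():
        print(f"{account}: {', '.join(why)}")
```

On the constructed log only bob@example.org is reported, on both counts: six distinct client IPs and 216 recipients inside a single minute. In practice the output feeds a response step such as forcing a password reset and revoking the account's relay privilege, and the thresholds should come from the server's own per-account baseline rather than fixed numbers.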

What's more, Waledac controllers are in possession of almost 124,000 FTP 
credentials. The passwords let them run programs that automatically 
infect the websites with scripts that redirect users to sites that 
install malware and promote fake pharmaceuticals. Last month, the 
researchers identified almost 9,500 webpages from 222 sites that carried 
poisoned links injected by Waledac.

The discovery comes a month after a new malware-seeded spam run was 
spotted. This had all the hallmarks of the Storm botnet. Storm was all 
the rage in 2007 and 2008 but the botnet then turned largely silent, 
most likely as a result of the prolific amounts of spam it generated. 
Among the sleeping giants stirred by that success was Microsoft, which 
last year successfully sued to obtain 276 internet addresses used to 
control Waledac.

[...]

