Reports of Waledec botnet resurrection are somewhat exaggerated

The Waledec botnet has allegedly come back to life according to some characterizations within the malware research community. While it is true that a botnet bearing a striking resemblance to Waledec has come online since the holiday season, TJ Campana, senior program manager with the Microsoft Digital Crimes Unit, says this is a different threat altogether.

“It’s a completely new infection base”, assured Campana. “Folks are calling it Waledec because there are similarities in the code.”

The Microsoft senior program manager said, nevertheless, it does look an awful lot like the botnet Microsoft helped take down last February.

Campana did confirm that Waledec is still down, but that this new botnet, which Microsoft calls Kelihos, has a new code base “with similar fingerprints to the previous Waledec botnet”.

He then went on to outline the similarities between the old Waledec botnet and Kelihos: “It’s definitely using a peer-to-peer protocol for communication; it’s using domain names for fallbacks, so it’s sharing peering lists the same way that Waledec did. There are definitely changes made to the code base, and those changes are continuing as they release new versions of the malware.”

Microsoft has a vested interest in clarifying the misconceptions around this new Kelihos botnet, as the company’s Digital Crimes Unit played an instrumental part in a 2010 industry-wide effort to take down Waledec. After helping take Waledec offline, in an effort known as Operation b49, Microsoft was awarded permanent ownership of the 276 domains linked to Waledec by a US district court in Virginia.

As for the key differences between Waledec and Kelihos, Campana said there are definite disparities in the code base, “but it’s largely the same with some subtle differences”, he added.

The Shadowserver Foundation has thrown out names such as Storm 3.0 or Waledec 2.0 for the new botnet, which it says emerged around the Christmas season via a holiday e-card scam.

Microsoft itself has suggested that because large portions of the Kelihos code base are shared with Waledec, the individuals behind this new botnet are “either from the same parties or that the code was obtained, updated, and reused.”

No matter how one labels it, the new botnet has amassed an impressive amount of information in just a short time. Analysis by Brett Stone-Gross, a developer and threat analyst with security firm LastLine, has uncovered the theft of 123,920 FTP login credentials for the new botnet using 222 compromised websites. Add to this the haul of 500,000 email account credentials.

“The Waledac botnet remains just a shadow of its former self for now”, Stone-Gross wrote in a recent blog post, “but that’s likely to change given the number of compromised accounts that the Waledac crew possesses”.