Return from the Dead: Waledac/Storm Botnet Back on the Rise

The e-mail spam landscape has been showing an interesting trend lately. If you follow the news you may have noticed that a drop in e-mail spam activity was reported over the last couple of months; however, evil is never really defeated, and it is now back with new weaponry. We have already mentioned how a new wave of Waledac (also known as the Storm botnet) has been back, along with its spam activity, since the 1st of January.

The timing of all this does not seem to be coincidental: the drop in spam e-mails began back in October, when the Spamit operation seemed to have shut down for good. This event has been suggested as the cause of the spam drop, together with a drop in botnet activity.

Rebirth, death and re-rebirth of Waledac

With the new year, Waledac resurrected and started a new spam campaign, distributing itself and installing a misleading application onto compromised computers. The botnet was observed to consist of slightly less than a thousand computers. Suddenly, between the 5th and the 6th of January, the botnet appeared to have died: none of the domains used by the botnet resolved to an IP address anymore, and its activity seemed to have vanished. The reasons for this blackout are not clear; however, about five days later (between the 10th and 11th of January) the botnet was up and spamming again. This is the same time another old friend seems to have resurrected: the Rustock botnet has been reported to be back online with pharmaceutical spam. And guess what? Waledac is now spamming out pharmaceutical-related emails too! A suspicious coincidence indeed.

What and who?

After the downtime, the botnet came back up and an update followed: the binary executable of the bot was updated, the code itself showed small changes, and the network messages exchanged by the botnet peers included a new message carrying a spam job for pharmaceutical spam rather than misleading applications. The spam activity is quite similar to the one we described when Waledac first came out.

Figure 1: Example of pharmaceutical spam sent by Waledac

The spammed links redirect the user to a domain controlled by the botnet, which in turn redirects to a domain owned by the “Trusted Tabs” brand, a notorious pharmaceutical spam operation.

Although we mentioned Rustock, it is worth saying that this brand is not the one known to be associated with Rustock (the Canadian Pharmacy brand). It is unclear whether there is any link between the two; the issue is currently under investigation.

Figure 2: The website of the Trusted Tabs pharmaceutical branding

The newly updated botnet seems to have grown a bit: about 1400 bots observed in the last 24 hours, with its main distribution being in the United States and Europe.

Figure 3: Distribution of the malware

Details on the latest updated version

A deep analysis of the botnet was already performed in a previous blog entry. This new variant (named W32.Waledac.B) works the same way: it implements the ANMP protocol in order to organize all the bots in a peer-to-peer network that has the characteristics of a fast-flux network. This kind of network is resilient to bots going online and offline, and it can reconfigure itself very quickly, which makes it a very dangerous botnet.
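A fast-flux network of the kind described above shows up in DNS as a hostname whose answers rotate rapidly across many unrelated IP addresses with short TTLs. The following is an added example (written for this post, not code from Symantec or from the Waledac analysis) of a defender-side heuristic run over constructed passive-DNS records; the hostnames, addresses, TTLs and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample passive-DNS records: (timestamp, qname, answer IP, ttl).
# Made-up values for illustration; not data from the original post.
SAMPLE_RECORDS = [
    (0,    "spam-redirector.example", "203.0.113.10",  60),
    (60,   "spam-redirector.example", "198.51.100.77", 60),
    (120,  "spam-redirector.example", "192.0.2.201",   60),
    (180,  "spam-redirector.example", "203.0.113.88",  60),
    (240,  "spam-redirector.example", "198.51.100.5",  60),
    (300,  "spam-redirector.example", "192.0.2.9",     60),
    (0,    "static-site.example",     "203.0.113.50",  86400),
    (3600, "static-site.example",     "203.0.113.50",  86400),
    (7200, "static-site.example",     "203.0.113.50",  86400),
]


@dataclass
class FluxStats:
    unique_ips: int
    unique_prefixes: int   # distinct /16 prefixes: a crude proxy for network diversity
    min_ttl: int
    ip_changes: int        # how often the answer changed between consecutive lookups


def summarise(records):
    """Aggregate per-hostname statistics from (ts, qname, ip, ttl) tuples."""
    by_name = defaultdict(list)
    for ts, qname, ip, ttl in sorted(records):       # chronological order per name
        by_name[qname].append((ts, ip, ttl))
    stats = {}
    for qname, rows in by_name.items():
        ips = [ip for _, ip, _ in rows]
        prefixes = {".".join(ip.split(".")[:2]) for ip in ips}
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        stats[qname] = FluxStats(
            unique_ips=len(set(ips)),
            unique_prefixes=len(prefixes),
            min_ttl=min(ttl for _, _, ttl in rows),
            ip_changes=changes,
        )
    return stats


def is_fast_flux_candidate(s, max_ttl=300, min_ips=5, min_prefixes=3):
    """Assumed thresholds: short TTL plus many addresses spread over several networks."""
    return s.min_ttl <= max_ttl and s.unique_ips >= min_ips and s.unique_prefixes >= min_prefixes


def fast_flux_candidates(records):
    """Return the sorted list of hostnames that look like fast-flux infrastructure."""
    return sorted(name for name, s in summarise(records).items() if is_fast_flux_candidate(s))


if __name__ == "__main__":
    for name, s in summarise(SAMPLE_RECORDS).items():
        print(name, s, "FLUX" if is_fast_flux_candidate(s) else "ok")
```

In production the /16 prefix would be replaced by an ASN lookup, and the thresholds tuned against legitimate CDNs, which also rotate addresses but usually within a small number of networks and with consistent TTLs.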

The peers communicate with each other through messages, and all the communications use strong encryption and digital signing. We analyzed the network messages being exchanged among the peers before and after the downtime, and we could see an update in the version numbers (from 0.0.49 to 0.0.51) and in the spam job message, which now also included pharmaceutical spam messages (as opposed to the previous spam job, which contained spam related to e-cards).

Figure 4: Two messages being passed before and after the downtime, suggesting an update

Interestingly, the binary executable has also been updated; it doesn’t show many changes from its predecessor, except for some interesting bits:

Figure 5: Two pieces of code that were added in the last update

This newly added code seems to simply validate a parameter (the size of the send queue); perhaps the previous version of the bot had a bug that caused it to malfunction when the size of the queue was not properly set. Could this bug have caused the botnet downtime that we observed? We don’t know; maybe the botnet herders were just waiting for the next strike, but this was definitely a curious detail on the software side!

The best protection from this threat is, as usual, common sense. Do not open email from unknown senders, do not open emails containing pharmaceutical spam, and if you want to click a link, double check which website the link points to. In most cases the links that arrive through spam have gibberish names, so be careful and always double check what you are clicking on.
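The two checks recommended above (does the link really point where it claims, and does the hostname look like gibberish) can be automated in a mail filter. The following is an added example for this post, not code from Symantec or from the Waledac analysis: it extracts anchors from a constructed HTML spam body, flags hostnames whose first label has almost no vowels or a long consonant run, and flags anchors whose visible text names a different domain than the actual href. The sample body, hostnames and heuristic thresholds are all assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample spam body; the domains are made up for illustration.
SAMPLE_HTML = """
<p>Best prices on meds! <a href="http://xkqvzrtp.example/in.php">www.trustedpharmacy.example</a></p>
<p>Visit our <a href="http://pharmacy-news.example/article">news page</a>.</p>
"""

VOWELS = set("aeiou")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def gibberish_score(label):
    """Assumed heuristic: 0.5 for a very low vowel ratio, 0.5 for a long consonant run."""
    letters = "".join(c for c in label.lower() if c.isalpha())
    if len(letters) < 4:
        return 0.0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max(map(len, re.findall(r"[^aeiou]+", letters)), default=0)
    score = 0.0
    if vowel_ratio < 0.2:
        score += 0.5
    if longest_run >= 4:
        score += 0.5
    return score


def host_of(value):
    """Hostname of a URL, or of bare text such as 'www.site.example'."""
    url = value if "://" in value else "http://" + value
    return urlparse(url).hostname or ""


def assess_link(href, text):
    """Return (actual host, list of findings) for one anchor."""
    host = host_of(href)
    findings = []
    first_label = host.split(".")[0] if host else ""
    if gibberish_score(first_label) >= 0.5:
        findings.append("gibberish-hostname")
    # Only treat the visible text as a domain claim when it looks like one.
    text_host = host_of(text) if "." in text and " " not in text else ""
    if text_host and text_host != host:
        findings.append("display-mismatch")
    return host, findings


def assess_html(html):
    """List of (href, actual host, findings) for every anchor in the body."""
    return [(href, *assess_link(href, text)) for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, host, findings in assess_html(SAMPLE_HTML):
        print(href, "->", host, findings or "ok")
```

The gibberish test is deliberately crude; a real filter would combine it with domain age, reputation feeds and the redirect chain the link leads into, but even this version surfaces the "visible text says one domain, href says another" pattern the post warns about.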