A new variant of the Waledac botnet has reappeared, with pharmaceutical spam being distributed.
The botnet reappeared at the end of 2010, sending out a New Year themed spam email where a URL in the email asks the recipient to download a fake Adobe Flash player, however this campaign ended on January 4.
The new pharmaceutical campaign also uses redirections via compromised legitimate sites with the links not just sending the user to malicious content, but just to spam, though that could change at any point if the people behind Waledac decide to grow the botnet.
Carl Leonard, senior manager of Websense Security Labs, said: “When botnets shut down over Christmas, global spam levels took a welcome dive. But the holiday is over now as we see sleeping botnets reactivate with a vengeance one-by-one.
“Waledac is the latest to stir back into life reverting back to its favourite pharmaceutical spam topics. As for the hiatus in activity, I presume that cyber criminals took some time off just the same as everyone else.”
Symantec's Andrea Lelli said: “This new variant (named W32.Waledac.B) implements the advanced network management protocol (ANMP) in order to organise all the bots in a peer-to-peer network that has the characteristics of a fast-flux network. This kind of network is resistant to bots going online and offline and it can reconfigure itself very quickly, rendering it a very dangerous botnet.
“The peers communicate with each other through messages and all the communications use strong encryption and digital signing. We analysed the network messages being exchanged among the peers, before and after the downtime and we could see an update in the version numbers (from 0.0.49 to 0.0.51) and in the spam job message, which was now including also the pharmaceutical spam messages (as opposed to the previous spam job, which contained spam related to e-cards).
“This new added code seems to be simply validating a parameter (the size of the send queue). Perhaps the previous version of the bot had a bug that caused it to malfunction in case the size of the queue was not properly set? Perhaps this bug caused the botnet downtime that we observed? We do not know, maybe the botnet herders were just waiting for the next strike, but this was definitely a curious detail on the software side.”
