After periods of relative quiet, both the Waledac botnet and the Rustock botnet have started back up again, distributing new updates to infected hosts, and resuming the output of significant volumes of spam, this time messages are primarily related to the pharmaceutical industry.
Waledac, one of the largest and most significant spamming botnets of 2010, seemingly shut down in recent weeks, appearing to be completely dormant earlier this month. However, since the 10th, the botnet is back up and running and as prolific as always.
Waledac spreads using social engineering techniques; a holiday-themed email contains a link to view a greeting card. These links are frequently obsfucated using various link shortening services. When clicked, the page indicates that the user cannot view the card without downloading the latest version of Flash, and includes a link to do so. This link of course actually downloads the malware, and then also attempts to fool the user into downloading other fake applications, such as antivirus tools or hard disk maintenance tools.
Analysis of the new Waledac code indicates that the update includes new instructions as well as a fix for what might have been a ‘bug’ in the previous version. Users should take note that the bad guys patch their systems, and follow suit.
Once infected, Waledac compromised systems communicate using the Ad Hoc Network Management Protocol (ANMP.) These Waledac zombies organise themselves into a peer-to-peer network, using encrypted communications to pass instructions and payloads originiation from the Command and Control node out to the rest of the army of compromised end user systems. This makes it very difficult both to intercept and interpret the messages, and to track them back to the originating network.
Rustock, the most significant botnet of 2010, has also resumed activities, and just like Waledac, the spam messages all seem to relate to the pharmaceutical industry. This similarity in the new focus for the spam, and that both botnets went dark and then resumed activities at approximately the same time, has led to speculation that they may both be controlled by the same individuals or groups. Others have suggested that the controlling interests may have simply gone on vacation, and have returned from their holidays well rested and ready to resume filling our inboxes with junk. Whatever the reason for the quiet start to the New Year, that is definitely over.
While current volumes are lower than their 2010 peaks, both botnets have a history of starting slowly and then working their way up in terms of total volume, and infected hosts. The relative quiet of Q4 2010 is gone, and 2011 promises to be an interesting year in the fight against spam.
To help combat this and other spam threats, admins should maintain an awareness campaign, reminding users of ways to protect themselves at home as well as at work. These should include both DO and DON’T activities such as…
DO maintain antivirus software on all machines
DO update antivirus definitions daily
DO patch your machines for both operating system and applications
DON’T click on links in emails unless you were expecting them
DON’T install software downloaded from the Internet unless you trust the source
DON’T click on links in SPAM messages