The Waledac binary changes fairly often to avoid antivirus detection and to modify the seeded IP addresses hard coded into the binary. There are normally 30 hard coded IP addresses within the Waledac binary, which are used to establish the initial communication with other infected nodes on the botnet. Once this initial communication within the botnet occurs, a larger list of IP addresses is exchanged in an HTTP P2P fashion to ensure reliable connectivity to other botnet nodes even when multiple infected nodes go offline or are cleaned up.
So how often does the binary change?
I created a new table view into my database just to answer this question (Waledac Update Cycle). This new view displays only binaries (distinct MD5 sums) that have been seen more than once to eliminate the inclusion of the corrupted binary downloads performed by my Waledac tracking scripts. Here is a snapshot of the table for reference:
The table is pretty self-explanatory, and the key column is the last column. This Lifetime column shows in Hours:Minutes:Seconds how long a Waledac binary has been in place. With the default sort applied to the Last Seen column you can also visually see the approximate time a new binary was pushed out by the Waledac authors. So back to the original question: what is the average update cycle for Waledac binaries? Averaging the last column I came up with 15 Hours, 48 Minutes, and 21 Seconds. Obviously this is not an exact calculation in that I am not retrieving a new Waledac binary every second of the day, but it does provide a fairly decent approximation.
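The view described above (distinct MD5 sums seen more than once, first seen, last seen, lifetime, and the average of the lifetime column) can be reproduced with a small SQLite script. This is an added example, not the tracking code from the post; the `sightings` table, column names and the MD5 values are constructed assumptions.

```python
import sqlite3

# Constructed sample sightings: (md5, seen_at). The hashes are fake placeholders.
# Binary "aaa..." is seen three times over 16 hours, "bbb..." twice over 12 hours,
# and "ccc..." only once (a corrupted download), so the view must exclude it.
SIGHTINGS = [
    ("a" * 32, "2009-03-01 02:00:00"),
    ("a" * 32, "2009-03-01 10:00:00"),
    ("a" * 32, "2009-03-01 18:00:00"),
    ("b" * 32, "2009-03-01 18:30:00"),
    ("b" * 32, "2009-03-02 06:30:00"),
    ("c" * 32, "2009-03-02 06:45:00"),
]

# One row per distinct MD5 seen more than once; lifetime is the span between the
# first and last sighting, which is a lower bound on how long the binary was live
# since the tracker does not poll continuously.
VIEW_SQL = """
CREATE VIEW waledac_update_cycle AS
SELECT md5,
       MIN(seen_at) AS first_seen,
       MAX(seen_at) AS last_seen,
       COUNT(*)     AS times_seen,
       (julianday(MAX(seen_at)) - julianday(MIN(seen_at))) * 86400 AS lifetime_seconds
FROM sightings
GROUP BY md5
HAVING COUNT(*) > 1
ORDER BY last_seen DESC
"""

def build_db(rows):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sightings (md5 TEXT NOT NULL, seen_at TEXT NOT NULL)")
    conn.executemany("INSERT INTO sightings VALUES (?, ?)", rows)
    conn.execute(VIEW_SQL)
    return conn

def lifetimes(conn):
    """Return {md5: lifetime in whole seconds} for every binary in the view."""
    rows = conn.execute("SELECT md5, lifetime_seconds FROM waledac_update_cycle")
    return {md5: int(round(secs)) for md5, secs in rows}

def average_update_cycle(conn):
    """Average of the Lifetime column in seconds (0 if the view is empty)."""
    secs = list(lifetimes(conn).values())
    return int(round(sum(secs) / len(secs))) if secs else 0

def hms(seconds):
    """Format seconds as Hours:Minutes:Seconds like the Lifetime column."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"
```

Running `hms(average_update_cycle(build_db(SIGHTINGS)))` on the constructed rows gives `14:00:00`; on real tracker data the same query yields the figure quoted above.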
I was also hoping this new view may have been able to identify a pattern in the binary update times as well, but I do not really see a clear pattern other than the authors seem to prefer evening updates over morning updates in the CST timezone. This isn't always the case though, as there are several binary updates that occurred during the morning hours as well. Maybe over a longer period of time a pattern will surface, who knows. Since there is no apparent pattern or single hour in which the updates occur, I would venture to say that the binary updates are being performed manually by the authors. I venture to say this in that if the authors had a script or cron job scheduled performing these updates for them on a regular basis, the updates would most likely occur at the same time every day. This is not the case, so I would assume they are performing the updates manually.
As always, feel free to comment or suggest new viewpoints into my data, as I am always interested in hearing how this data can be improved upon or viewed in a new and interesting way.