I had a few spare minutes today and ran some quick queries on some of the data collected by my Waledac Tracking Scripts. The first set of queries I did was for the ASN information against the IP addresses that I actually retrieved Waledac Trojan binaries from. Here is a text file for the bulk queries I ran against Team Cymru's ASN whois database: asn_binary_ips. Here are some summary stats:
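The kind of bulk lookup described above returns one pipe-delimited row per IP when you send "begin", "verbose", the IP list and "end" to whois.cymru.com on port 43. The following is an added example, not the post's own script: it parses that verbose output format and produces the country and ASN counts the post summarizes. The sample rows are constructed from TEST-NET documentation addresses and placeholder ASNs (AS64496 to AS64499), not the IPs or ASNs from the post's data.

```python
"""Summarize Team Cymru bulk-whois output by country and ASN.

Added example (not the post's own script). It assumes the verbose
pipe-delimited output of whois.cymru.com:
    AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
The sample lines below are constructed with documentation (TEST-NET)
addresses and placeholder ASNs; they are not data from the post.
"""
from collections import Counter
from typing import Dict, List, NamedTuple


class AsnRecord(NamedTuple):
    asn: str
    ip: str
    prefix: str
    cc: str
    registry: str
    allocated: str
    as_name: str


# Constructed sample output (placeholder values, not real attribution).
SAMPLE_CYMRU_OUTPUT = """\
Bulk mode; whois.cymru.com [2009-01-01 00:00:00 +0000]
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.10       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-ISP-A, US
64496   | 192.0.2.77       | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-ISP-A, US
64497   | 198.51.100.5     | 198.51.100.0/24     | US | arin     | 2002-02-02 | EXAMPLE-ISP-B, US
64498   | 203.0.113.9      | 203.0.113.0/24      | DE | ripencc  | 2003-03-03 | EXAMPLE-ISP-C, DE
NA      | 203.0.113.200    | NA                  | NA | NA       | NA         | NA
64499   | 192.0.2.200      | 192.0.2.128/25      | BR | lacnic   | 2004-04-04 | EXAMPLE-ISP-D, BR
"""


def parse_cymru(text: str) -> List[AsnRecord]:
    """Parse verbose bulk output; skip the banner, the header row and
    rows with no BGP origin (AS field 'NA': the IP is not announced)."""
    records = []
    for line in text.splitlines():
        if "|" not in line:
            continue                       # banner / blank lines
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or fields[0] == "AS":
            continue                       # header row or malformed line
        if fields[0] == "NA":
            continue                       # unrouted address, nothing to attribute
        records.append(AsnRecord(*fields))
    return records


def summarize(records: List[AsnRecord]) -> Dict[str, Counter]:
    """Count unique IPs per country code and per ASN.
    Repeated IPs are counted once (first answer wins)."""
    seen: Dict[str, AsnRecord] = {}
    for r in records:
        seen.setdefault(r.ip, r)
    by_cc = Counter(r.cc for r in seen.values())
    by_asn = Counter(f"AS{r.asn} {r.as_name}" for r in seen.values())
    return {"by_cc": by_cc, "by_asn": by_asn}


if __name__ == "__main__":
    stats = summarize(parse_cymru(SAMPLE_CYMRU_OUTPUT))
    print("IPs by country:")
    for cc, n in stats["by_cc"].most_common():
        print(f"  {cc}: {n}")
    print("IPs by ASN:")
    for asn, n in stats["by_asn"].most_common():
        print(f"  {asn}: {n}")
```

To run it on real output, replace SAMPLE_CYMRU_OUTPUT with the text returned by the bulk query; the parser deliberately drops "NA" rows so that unrouted addresses do not inflate a country bucket.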
So it appears that most of the hosts I have retrieved Waledac Trojaned binaries from are located in the US. I also have some scripts that crawl the Double Fast Flux network for NS records and A records, since both of them change as the TTL expires. The Waledac botnet seems to follow the same tactics the Storm Worm did, where the malicious web servers, DNS servers, and spam bots all reside on the same compromised hosts. These hosts use the Nginx web server to proxy requests through compromised bots to the main command and control (C&C) servers to conceal their identities. Unlike the Storm botnet, the Waledac botnet does not appear to use the P2P network to exchange bot nodes; instead it seems to exchange bot nodes over the HTTP protocol via encrypted channels. I have not had a chance to dive deep into the Waledac Trojan's binary, but it is definitely on my to-do list. With that being said, here are some stats from my Waledac crawler scripts: ips_asn.
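The double fast flux behaviour described above (A and NS answers that rotate as their TTLs expire) is what a repeated-lookup tracker measures. The following is an added example, not the post's crawler: it folds a series of lookup results into per-record-type statistics (cumulative unique answers, how often the answer set changed between consecutive lookups, lowest TTL seen) and applies a simple heuristic flag. The observations use constructed TEST-NET addresses and placeholder nameserver names, and the thresholds in is_double_flux are assumptions for illustration, not values from the post.

```python
"""Track churn in A and NS records across repeated lookups of one domain.

Added example (not the post's crawler). Each Observation is what a single
DNS lookup returned: seconds since the first lookup, record type, TTL and
the set of answers. The sample observations are constructed with TEST-NET
addresses and placeholder names, not data from the Waledac network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Observation:
    t: int              # seconds since first lookup
    rtype: str          # "A" or "NS"
    ttl: int            # TTL the resolver returned
    answers: Set[str]   # A: IP addresses; NS: nameserver hostnames


@dataclass
class FluxStats:
    lookups: int = 0
    unique: Set[str] = field(default_factory=set)
    changes: int = 0            # lookups whose answer set differed from the previous one
    min_ttl: int = 10 ** 9
    new_per_lookup: List[int] = field(default_factory=list)


def track(observations: List[Observation]) -> Dict[str, FluxStats]:
    """Fold observations (in time order) into per-record-type stats."""
    stats: Dict[str, FluxStats] = {}
    prev: Dict[str, Set[str]] = {}
    for ob in sorted(observations, key=lambda o: o.t):
        s = stats.setdefault(ob.rtype, FluxStats())
        s.lookups += 1
        s.min_ttl = min(s.min_ttl, ob.ttl)
        s.new_per_lookup.append(len(ob.answers - s.unique))  # answers never seen before
        s.unique |= ob.answers
        if ob.rtype in prev and prev[ob.rtype] != ob.answers:
            s.changes += 1
        prev[ob.rtype] = ob.answers
    return stats


def is_double_flux(stats: Dict[str, FluxStats], max_ttl: int = 300,
                   min_unique: int = 5) -> bool:
    """Heuristic: both A and NS answer sets churn and carry short TTLs.
    The thresholds are assumptions for illustration, not from the post."""
    return all(
        rt in stats
        and stats[rt].min_ttl <= max_ttl
        and len(stats[rt].unique) >= min_unique
        and stats[rt].changes > 0
        for rt in ("A", "NS")
    )


# Constructed: a domain whose A and NS answers rotate every TTL.
SAMPLE_OBSERVATIONS = [
    Observation(0,   "A",  120, {"192.0.2.11", "192.0.2.12", "192.0.2.13"}),
    Observation(120, "A",  120, {"192.0.2.12", "192.0.2.14", "198.51.100.7"}),
    Observation(240, "A",  120, {"203.0.113.4", "198.51.100.7", "192.0.2.15"}),
    Observation(0,   "NS", 300, {"ns1.example.test", "ns2.example.test", "ns3.example.test"}),
    Observation(300, "NS", 300, {"ns2.example.test", "ns4.example.test", "ns5.example.test"}),
    Observation(600, "NS", 300, {"ns6.example.test", "ns4.example.test", "ns7.example.test"}),
]

# Constructed control: a stable domain with long TTLs and unchanging answers.
STABLE_OBSERVATIONS = [
    Observation(t, "A", 3600, {"192.0.2.50", "192.0.2.51"}) for t in (0, 3600, 7200)
] + [
    Observation(t, "NS", 86400, {"ns1.stable.test", "ns2.stable.test"}) for t in (0, 3600, 7200)
]

if __name__ == "__main__":
    for label, obs in (("fluxing", SAMPLE_OBSERVATIONS), ("stable", STABLE_OBSERVATIONS)):
        st = track(obs)
        for rt, s in st.items():
            print(f"{label} {rt}: {s.lookups} lookups, {len(s.unique)} unique, "
                  f"{s.changes} changes, min TTL {s.min_ttl}, new per lookup {s.new_per_lookup}")
        print(f"{label}: double flux? {is_double_flux(st)}")
```

The new_per_lookup list is the useful number for sizing a crawl: as long as each lookup keeps returning addresses you have never seen, the unique set is still growing and the counts you have are a lower bound on the network, which is the same caveat the post makes about its own crawler.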
My crawler scripts are really just Fast Flux bruteforce scripts, so by no means do they represent the actual size of this botnet or its true geographical distribution. With that being said, it looks like the US is leading the way with infected bots. For many of us the Waledac Trojan appears to be a nuisance that may be hard to shut down or combat with our traditional methods such as IP blocks, DNS blackholing, spam filtering, and proxies. With that being said, I would recommend user training and awareness, which is one of the hardest things to actually do. We really need to get the average end user up to speed and educated on these types of malware. I am not sure what the best approach to do this is, but the dissemination of information out to your end users would be a good start. Preach to them that video codecs, ecards, and news articles do not require them to install executables to be viewed, and that if they are prompted to install these they should contact the help desk or their system administrator immediately. Trojans like Waledac and the old Storm Worm use these social engineering tactics very well, but they also from time to time contain exploit packs like Mpack to hit users with an array of exploits in a structured and very effective manner. Although Mpack has been dead for a while, it is just an example, and exploit packs like El Fiesta are seen in the wild daily, so don't let your guard down by assuming that a user who did not download the binary is not infected. The best advice I can give right now is to visit the machine and do some quick forensic checks to verify the host is not infected. Once I have time to really dive into this Trojan, I will post what I find to hopefully aid in identifying compromised hosts and maybe even some IDS signatures.
As always, if you have any questions or comments feel free to hit me up. Good luck with this new threat, as it seems to be a persistent trojan that may be here to stay for a while.