Virus Blog

Monitoring the Waledac Botnet

— Posted by zeroq @ 22:53 - 12 Nov, 2009

We have just presented our work on monitoring the Waledac botnet at the European Conference on Computer Network Defense (EC2ND). The main focus of the paper is to get a more in-depth look at the botnet, which is regarded as the successor of the Storm Worm botnet. By analyzing its communication infrastructure we were able to construct a fake Waledac instance, called Walowdac, to infiltrate the botnet and collect information from the inside. The following image shows the number of bots counted during a single day in August 2009. More details on the approach are given in the paper.


Abstract:
A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind many forms of abuse on the Internet, for example spam e-mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: Waledac. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this we implemented a clone of the Waledac bot named Walowdac. It implements the communication features of Waledac but does not cause any harm, i.e., no spam e-mails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features such as the theft of credentials from victim machines.

This work is a collaboration with Ben Stock, Markus Engelberth, Felix Freiling, and Thorsten Holz.
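To make the infiltration idea concrete, here is an added, generic illustration written for this page (it is not Walowdac's code, and it does not model the actual Waledac message formats, which the post does not describe): a passive node that walks a peer-to-peer graph through peer-list requests, records any command it is handed without acting on it, and computes the two population figures the abstract uses, the minimum daily count and the total number of distinct bots. The mock network, node ids, the placeholder command and the per-day sightings are constructed sample data.

```python
"""Passive P2P census crawler: a generic illustration, not Walowdac's code."""
from collections import defaultdict, deque

# Constructed mock network: node id -> the peers that node would return on a
# peer-list request. Real Waledac messages are NOT modelled here (assumption).
MOCK_PEERS = {
    "n1": {"n2", "n3"},
    "n2": {"n1", "n4"},
    "n3": {"n1", "n5", "n6"},
    "n4": {"n2"},
    "n5": {"n3", "n7"},
    "n6": {"n3"},
    "n7": {"n5"},
    "n8": {"n9"},   # isolated pair: never learned from the n1 component
    "n9": {"n8"},
}


def request_peers(network, node_id):
    """Simulate one peer-list exchange with node_id.

    Returns (peers, command). The command stands in for whatever job the
    remote side would push to a real bot; our passive node only records it.
    A node missing from the network is treated as offline: (None, None).
    """
    peers = network.get(node_id)
    if peers is None:
        return None, None
    return set(peers), {"type": "spam_job"}   # constructed placeholder command


def crawl(network, seeds, max_requests=1000):
    """Breadth-first enumeration of all nodes reachable via peer exchange.

    Every id we are told about counts as an observed bot, whether or not it
    answers. Returns (observed_ids, commands_recorded); nothing is executed.
    """
    seen = set(seeds)
    queue = deque(seeds)
    commands = []
    requests = 0
    while queue and requests < max_requests:
        node = queue.popleft()
        requests += 1
        peers, cmd = request_peers(network, node)
        if peers is None:
            continue                       # offline node: keep crawling
        if cmd is not None:
            commands.append((node, cmd))   # logged for analysis only
        for peer in peers - seen:
            seen.add(peer)
            queue.append(peer)
    return seen, commands


def census(sightings):
    """sightings: iterable of (day, node_id) observations.

    Returns (per_day_counts, minimum_daily_population, total_unique).
    Bots churn between days (NAT, reboots, disinfection), so the per-day
    figure is a lower bound and the total across days is the larger number.
    """
    per_day = defaultdict(set)
    total = set()
    for day, node in sightings:
        per_day[day].add(node)
        total.add(node)
    counts = {day: len(ids) for day, ids in sorted(per_day.items())}
    return counts, min(counts.values()), len(total)


# Constructed sightings over three crawl days.
SIGHTINGS = [
    ("d1", "a"), ("d1", "b"), ("d1", "c"),
    ("d2", "a"), ("d2", "d"),
    ("d3", "b"), ("d3", "d"), ("d3", "e"), ("d3", "f"),
]

if __name__ == "__main__":
    observed, cmds = crawl(MOCK_PEERS, ["n1"])
    print("reachable nodes:", sorted(observed))
    print("commands recorded, none executed:", len(cmds))
    counts, min_daily, total = census(SIGHTINGS)
    print(counts, "minimum daily:", min_daily, "total unique:", total)
```

Starting from n1 the crawler reaches seven nodes and never learns about the isolated n8/n9 pair, which is the practical caveat behind any such census: a crawler only sees the part of the graph its seeds connect to, and the daily figure is a lower bound on the infected population.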
