Feb 2, 2011 10:54 GMT  ·  By

Security researchers analyzing the new Waledac botnet, which appeared at the beginning of this year, have found that it has so far stolen nearly 500,000 POP3 email credentials.

Waledac is considered to be the successor of the infamous Storm worm which ruled the threat landscape in 2007 and 2008.

The Waledac botnet was believed to be dead after Microsoft managed to cripple it in March 2010 and then secured ownership of all 276 domain names used to control it.

However, new spam campaigns that hit inboxes around Christmas directed users to a malicious website distributing what turned out to be a new version of the threat.

Security researchers from LastLine, a company providing cybercrime intelligence, have analyzed the new botnet and found a cache of 489,528 stolen POP3 email credentials.

"These credentials are known to be used for 'high-quality' spam campaigns," the researchers say. "The technique abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol to send spam messages. This method makes IP-based blacklist filtering considerably more difficult," they explain.
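One way a mail administrator can spot this abuse on their own servers is to look for a single mailbox that authenticates over SMTP-AUTH from many unrelated client IPs within minutes, which is how a stolen credential shared across bots looks from the server side. The following is an added detection example, not LastLine's tooling or anything from the article: it parses Postfix/smtpd SASL log lines (the sample lines below are constructed, using documentation IP ranges) and flags accounts whose sessions in any 10-minute sliding window came from three or more distinct IPs. The thresholds and the assumed log year are illustrative.

```python
"""Flag SMTP-AUTH accounts that look hijacked: one mailbox authenticating
from many distinct client IPs in a short window, the pattern a stolen
credential shared across spam bots produces.  Added example, not LastLine's
code; assumes Postfix/smtpd SASL log lines, and the sample lines are
constructed (documentation IP ranges)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; syslog timestamps carry no year, so parsing
# assumes one (2011 here, matching the article's time frame).
SAMPLE_LOG = """\
Jan 28 10:01:02 mx1 postfix/smtpd[2231]: 7A1B2C: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 28 10:01:09 mx1 postfix/smtpd[2231]: 7A1B2D: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.com
Jan 28 10:01:31 mx1 postfix/smtpd[2232]: 7A1B2E: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 28 10:02:04 mx1 postfix/smtpd[2233]: 7A1B2F: client=unknown[203.0.113.140], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 28 10:02:50 mx1 postfix/smtpd[2233]: 7A1B30: client=unknown[198.51.100.200], sasl_method=PLAIN, sasl_username=alice@example.com
Jan 28 10:03:11 mx1 postfix/smtpd[2234]: 7A1B31: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Jan 28 11:45:00 mx1 postfix/smtpd[2240]: 7A1B32: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
"""

# Matches only smtpd session lines that carry a SASL username, i.e.
# authenticated submissions; plain inbound MX traffic has no sasl_ fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\], sasl_method=\w+, sasl_username=(?P<user>\S+)$"
)


def parse_auth_events(log_text, year=2011):
    """Return a list of (timestamp, username, client_ip) per authenticated session."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authenticated smtpd session line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_hijacked_accounts(events, window=timedelta(minutes=10), min_distinct_ips=3):
    """Return {username: set_of_ips} for accounts whose sessions inside some
    sliding window of length `window` came from >= `min_distinct_ips` IPs.
    A legitimate user on one home IP never trips this; a credential being
    replayed from several bots does."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, sessions in by_user.items():
        sessions.sort()
        start = 0
        for end in range(len(sessions)):
            # Advance the window start until it spans at most `window`.
            while sessions[end][0] - sessions[start][0] > window:
                start += 1
            ips = {ip for _, ip in sessions[start:end + 1]}
            if len(ips) >= min_distinct_ips:
                flagged[user] = flagged.get(user, set()) | ips
    return flagged


if __name__ == "__main__":
    for user, ips in find_hijacked_accounts(parse_auth_events(SAMPLE_LOG)).items():
        print(f"{user}: {len(ips)} distinct client IPs within window -> {sorted(ips)}")
```

In practice this is the kind of per-account signal that an IP blacklist cannot give you, since every sending IP is a different infected home machine; the response is to lock the account and force a password reset rather than block the client.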

In addition, 123,920 FTP login credentials stolen from victims were found. These are used to upload so-called doorway pages to legitimate websites; the pages then redirect visitors to malware distribution servers or rogue online pharmacies.

A total of 9,447 such pages were discovered last month on 222 websites. Their file names consist of randomly generated letters and digits.
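Site owners whose FTP passwords may be among those stolen can hunt for these pages themselves: a doorway page is a file the owner never uploaded, with a random-looking name, whose only purpose is to bounce the visitor to another host. The scanner below is an added example, not LastLine's tooling or anything from the article; it walks a webroot, flags HTML/PHP files whose name stem is a long high-entropy mix of letters and digits and whose content carries a meta-refresh or script redirect to a host other than the site's own. The redirect patterns, entropy threshold and the constructed sample pages (written to a temporary directory so the scan runs offline) are all assumptions for illustration.

```python
"""Hunt for doorway pages dropped via stolen FTP credentials: random-named
files whose content immediately redirects visitors off-site.  Added
example, not LastLine's tooling; the redirect patterns and name heuristic
are assumptions, and the sample webroot is constructed in a temp directory."""
import math
import os
import re
import tempfile
from collections import Counter
from urllib.parse import urlparse

# Two common doorway mechanisms: a meta refresh and a script-driven
# location change.  (Assumed patterns, not taken from the article.)
REDIRECT_RE = re.compile(
    r"""(?:http-equiv=["']?refresh["']?[^>]*url=["']?(?P<meta>https?://[^"'>\s]+)"""
    r"""|(?:window\.)?location(?:\.href)?\s*=\s*["'](?P<js>https?://[^"']+)["'])""",
    re.IGNORECASE,
)


def shannon_entropy(s):
    """Bits of entropy per character of `s`."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name, min_len=8, min_entropy=3.0):
    """Heuristic for generated file names: a long alphanumeric stem mixing
    letters and digits with high per-character entropy (thresholds assumed)."""
    stem = os.path.splitext(name)[0]
    return (len(stem) >= min_len and stem.isalnum()
            and any(ch.isdigit() for ch in stem) and any(ch.isalpha() for ch in stem)
            and shannon_entropy(stem.lower()) >= min_entropy)


def external_redirect(html, site_host):
    """Return the first redirect target whose host is not `site_host`, else None."""
    for m in REDIRECT_RE.finditer(html):
        target = m.group("meta") or m.group("js")
        host = urlparse(target).hostname or ""
        if host.lower() != site_host.lower():
            return target
    return None


def scan_webroot(root, site_host):
    """Return sorted [(relative_path, redirect_target)] for suspected doorway pages:
    random-looking name AND off-site redirect, so a legitimately named page that
    forwards to a partner site is not flagged."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".php")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                target = external_redirect(fh.read(), site_host)
            if target and looks_random(name):
                hits.append((os.path.relpath(path, root), target))
    return sorted(hits)


def build_sample_site():
    """Write a constructed mini webroot: two legitimate pages, two doorway pages."""
    root = tempfile.mkdtemp(prefix="webroot_")
    pages = {
        "index.html": "<html><body><h1>Welcome</h1><a href='/about.html'>About</a></body></html>",
        # Same-host redirect with a normal name: must not be flagged.
        "about.html": "<meta http-equiv='refresh' content='0;url=http://www.example.org/team'>",
        "x7k2m9q4p1.html": "<html><head><meta http-equiv=\"refresh\" content=\"0;url=http://pharma.invalid/buy\"></head></html>",
        "a3f9b1c7d2.htm": "<script>window.location.href='http://dl.invalid/setup.exe';</script>",
    }
    for name, body in pages.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_site()
    for rel, target in scan_webroot(root, "www.example.org"):
        print(f"suspected doorway page: {rel} -> {target}")
```

A positive hit is a reason to rotate the FTP password and review the server's FTP transfer log for the upload, not just to delete the file; while the credential is still valid the pages come back.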

The command-and-control server has so far registered 12,249 unique node IDs and 13,070 router IDs. These nodes and routers make up Waledac's peer-to-peer layer, which serves as a fallback mechanism for delivering updates.

"The Waledac botnet remains just a shadow of its former self for now, but that’s likely to change given the number of compromised accounts that the Waledac crew possesses," the LastLine researchers conclude.