Jan 13, 2011 11:21 GMT

Security researchers warn that after getting an overhaul on Christmas, then going silent at the beginning of January, the Waledac botnet has returned to sending pharma spam.

Waledac, widely considered to be the successor of the notorious Storm botnet, the top threat on the Internet during 2007 and 2008, was severely crippled by Microsoft in March 2010.

In September last year, a court awarded ownership of the 276 domains used for command and control purposes by the Waledac bot herders to the Redmond software giant, and everyone believed that the botnet was history.

However, around Christmas, a new spam campaign began directing users to a site serving a piece of malware that displayed a lot of similarities to the trojan.

This led security researchers to call the new threat Waledac 2.0. The almost one thousand computers infected with it were mainly used for self-propagation through more spam.

But around the 5th or 6th of January, the botnet suddenly went dead. No more spam traffic and no more active C&C domains.

"The reasons for this blackout are not clear, however, about five days later (between the 10th and 11th of January) the botnet was up and spamming again," Symantec security expert Andrea Lelli says.

"This is the same time as another old friend seems to have resurrected: the Rustock botnet has been reported to be back online with pharmaceutical spam. And guess what? Waledac is now spamming out pharmaceutical-related emails too! A suspicious coincidence indeed," the researcher adds.

Another coincidence is that the majority of people in Russia celebrate Christmas on January 7th, because the Russian Orthodox Church follows the old Julian calendar.

Along with the new instructions to push out pharma spam, Waledac 2.0 also received a minor update to the binary which appears to have fixed a bug in the code. The botnet has now grown to 1,400 hosts and has a solid fast-flux peer-to-peer architecture, making it resilient to takedown.