500,000 stolen e-mail credentials for Waledac’s comeback

Almost a year ago, the Waledac botnet was crippled by a legal action initiated by Microsoft which resulted in the takedown of 273 Internet domains that were being used as C&C centers for the infected computers.

As we all know, this type of measures is only partly effective when dealing with the botnet problem, so the recent news that the Waledac botnet is back in business should not have been a big surprise.

Security researchers are still monitoring its activities and recently the team from Lastline has managed a peek into a stash of stolen credentials the botmasters have managed to acquire. They found 489,528 credentials for POP3 e-mail accounts and 123,920 login credentials to FTP servers.

The POP3 e-mail account credentials are used for “high quality” spam campaigns. Judging by the number of credentials the botnet controllers have at their disposal, the Waledac botnet has the ability to rise to its former glory.

A widespread e-mail spam campaign using legitimate mail servers means that a great number of those messages might actually reach the intended inboxes, since the situation makes IP-based blacklist filtering more difficult.

The number of compromised FTP server login credentials is also worrisome. “This number is significant, considering the Waledac controllers use an automated program to login to these servers and patch (or upload) specific files to redirect users to sites that serve malware or promote cheap pharmaceuticals,” say the researchers.