Security Researchers Find Waledec’s Hidden Cache
Written by Sue Walsh on February 11, 2011
Security researchers have discovered that the Waledec botnet has over half a million login names and passwords for a variety of email accounts. They also found close to 125,000 logins and passwords for various FTP servers.
Waledec has been conducting a malicious campaign that compromises legitimate websites and redirects their visitors to shady pharmaceutical sites. It’s likely the FTP logins are used to log in to the compromised servers and upload the code that performs the redirects. The email logins were almost all for POP3 rather than webmail accounts.
These credentials are known to be used for “high-quality” spam campaigns. The technique abuses legitimate mail servers by authenticating as the victim through the SMTP-AUTH protocol and sending spam through them, so the messages leave from the reputable server’s own IP address rather than from an infected host. This makes IP-based blacklist filtering considerably more difficult, security firm Last Line of Defense said on their blog.
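As an added defender-side example (not from the article or the researchers it cites), the script below scans constructed SMTP-AUTH log lines in an assumed Postfix/SASL-style format and flags mailboxes that have authenticated from an unusual number of distinct source addresses, the footprint that stolen credentials leave when a botnet relays spam through a legitimate server.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the article), in a Postfix/SASL-style
# format assumed for illustration: one line per successful SMTP-AUTH login.
SAMPLE_LOG = """\
Feb 11 08:01:12 mx postfix/smtpd[2211]: connect from unknown[203.0.113.10]
Feb 11 08:01:12 mx postfix/smtpd[2211]: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.net
Feb 11 08:01:40 mx postfix/smtpd[2214]: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.net
Feb 11 08:02:05 mx postfix/smtpd[2216]: client=office[192.0.2.44], sasl_method=PLAIN, sasl_username=bob@example.net
Feb 11 08:02:31 mx postfix/smtpd[2219]: client=unknown[203.0.113.55], sasl_method=LOGIN, sasl_username=alice@example.net
Feb 11 08:03:02 mx postfix/smtpd[2220]: client=office[192.0.2.44], sasl_method=PLAIN, sasl_username=carol@example.net
Feb 11 08:03:47 mx postfix/smtpd[2223]: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=alice@example.net
Feb 11 08:04:10 mx postfix/smtpd[2225]: client=office[192.0.2.44], sasl_method=PLAIN, sasl_username=bob@example.net
Feb 11 08:04:55 mx postfix/smtpd[2227]: client=unknown[203.0.113.99], sasl_method=LOGIN, sasl_username=alice@example.net
Feb 11 08:05:20 mx postfix/smtpd[2229]: client=home[192.0.2.45], sasl_method=PLAIN, sasl_username=carol@example.net
"""

# Matches the client address and the authenticated account on a session line.
AUTH_RE = re.compile(r"client=[^\s\[]+\[(?P<ip>[0-9.]+)\].*?sasl_username=(?P<user>\S+)")


def parse_auth_events(log_text):
    """Return a list of (user, source_ip) pairs, one per authenticated session."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:  # lines without a sasl_username (plain connects, rejects) are skipped
            events.append((m.group("user"), m.group("ip")))
    return events


def flag_shared_credentials(log_text, max_ips=3):
    """Map each account that authenticated from more than max_ips distinct
    source addresses to the sorted list of those addresses.  One mailbox used
    from many unrelated hosts in a short window is the pattern stolen
    POP3/SMTP credentials produce when a botnet relays spam through it."""
    ips_by_user = defaultdict(set)
    for user, ip in parse_auth_events(log_text):
        ips_by_user[user].add(ip)
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) > max_ips}


if __name__ == "__main__":
    for user, ips in flag_shared_credentials(SAMPLE_LOG).items():
        print(f"{user}: {len(ips)} distinct source IPs -> {', '.join(ips)}")
```

Tune `max_ips` to your own user base; a roaming user with a laptop and a phone legitimately shows two or three addresses, so a flagged account is a lead for a password reset and session review, not a verdict on its own.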
Waledec had been infiltrated and shut down early last year by a collaborative effort between Microsoft, the University of Mannheim in Germany and the University of Vienna. It was quiet until after Christmas, when it suddenly came back to life and started pumping out fake Happy New Year cards.
Botnet herders have learned much from takedowns like that of the McColo hosting provider, which knocked several major botnets offline for months. These days, thanks to changes in how and where their command and control servers are hosted, they can be back in business just days after a shutdown.
This would be a good time to check your company’s FTP logins; shut off any that aren’t used and make sure the others have strong passwords that are changed regularly.