Botnets – Waledac, Mariposa and Storm

Waledac botnet – A spam botnet. As of Jan 2011 , according to researchers at LastLine Inc., the botnet has nearly 124,000 login credentials to FTP servers and 500,000 credentials for POP3 email accounts
According to Brett Stone-Gross, a threat analyst: ” Stolen FTP credentials are used by cybercriminals in automated programs to redirect users to sites that serve malware or promote cheap pharmaceuticals, he said. The stolen email credentials are used to produce high-quality spam campaigns that can dupe antispam filters and IP-based blacklist filtering.
According to a Techtarget article, “Waledac, which was believed to be the successor to the Storm botnet, produced an estimated 1.5 billion spam messages daily at its peak. The botnet has ties to the Conficker/Downadup worm, which gave a variant of Conficker self-propagation abilities. Some security experts believe that those behind Conficker briefly teamed up with those associated with Waledac to monetize the botnet by spreading spam that offered software to read private SMS messages.
Researchers began noticing Waledac’s sudden resurgence in December when security firms detected spam campaigns connected to the botnet. Stone-Gross said the researchers also discovered newly infected machines connecting to a bootstrap command-and-control server. The bootstrap appeared online on Dec. 3, 2010 and enables newly infected machines to receive instructions”
Other botnets:
Storm Botnet – Considered to be the predecessor of Waledoc botnet; It was once once responsible for creating 20 percent of the world’s spam emails to target recipients
Mariposa Botnet – Involved in Denial of Service attacks and cybers scams (where users are lured by websites with coupom codes and upon “clicking on the link could send the shopper to a fake (or illegitimate) site that contains drive-by malware or botnet installation before redirecting them to the real online store, which could lead to the theft of all the sensitive data and user activity on the consumer’s personal computer” (1).
Botnets have Command & Control (C&C) servers from which commands (usually custom encrypted UDP datagrams) are sent to the network of infected client machines. These infected machines called zombies will colect stolen data and send email spam to other machines automatically
Note: A datagram is an independent, self-contained message sent over the network whose arrival, arrival time, and content are not guaranteed.
A UDP datagram is non reliable and there is no guarantee of correct sequencing of data (exactly the opposite of TCP)
1 –

good source of waledac botnet information:,289142,sid14_gci1527003,00.html?track=NL-102&ad=811363USCA&asrc=EM_NLN_13252058&uid=6626054


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: