Series: Looking through the keyhole – Waldec

March 25, 2009


The Son of Storm.

Waledac (spelled "Waldec" in the title of this post) is essentially a rewrite of the Storm worm with a much, much stronger command-and-control channel protection scheme built on RSA encryption, as described by the awesome Shadowserver Foundation. Shadowserver's excellent series of articles tracking its growth is called the Waledac Tracker.


With robust encryption becoming the norm (Conficker, for example, now uses strong cryptography as well), it will be computationally infeasible to break the command-and-control traffic in order to observe it, and just as infeasible to mount integrity attacks such as inserting our own commands into these botnets.

That means we need to be more innovative... or get some balls and be ruthless. If your opponent gets smarter than you are, you're better off just bashing him in the fucking head. Pardon my French.
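To make the integrity point concrete, here is an added example (not code from the post, and not Waledac's actual protocol, which the post does not describe) of why a signed command channel defeats command insertion. The botmaster signs each command with an RSA private key; every bot carries only the matching public key and a last-seen sequence number. The command format, the sequence-number replay check and the names Sign, Bot and Scenario are assumptions for this example; the point it shows is that an observer who captures the channel cannot forge, alter or replay a command without the private key.

```go
// Added example: a signed C2 channel. Not Waledac's real protocol; the
// message format, replay counter and names are assumptions for illustration.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is one C2 message: a monotonically increasing sequence number (so an
// old, legitimately signed command cannot be replayed) plus the command body.
type Command struct {
	Seq  uint64
	Body []byte
}

// encode produces the exact bytes that are signed and verified.
func (c Command) encode() []byte {
	buf := make([]byte, 8+len(c.Body))
	binary.BigEndian.PutUint64(buf, c.Seq)
	copy(buf[8:], c.Body)
	return buf
}

// Sign is the botmaster side: hash the encoded command and sign the digest.
func Sign(priv *rsa.PrivateKey, c Command) ([]byte, error) {
	h := sha256.Sum256(c.encode())
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// Bot is the victim side: it holds only the public key and the last sequence
// number it accepted.
type Bot struct {
	pub     *rsa.PublicKey
	lastSeq uint64
}

var (
	ErrBadSignature = errors.New("signature check failed: command rejected")
	ErrReplay       = errors.New("stale sequence number: command rejected")
)

// Accept verifies the signature before the command is acted on. A command that
// fails is simply dropped, which is what makes command insertion infeasible.
func (b *Bot) Accept(c Command, sig []byte) error {
	h := sha256.Sum256(c.encode())
	if err := rsa.VerifyPKCS1v15(b.pub, crypto.SHA256, h[:], sig); err != nil {
		return ErrBadSignature
	}
	if c.Seq <= b.lastSeq {
		return ErrReplay
	}
	b.lastSeq = c.Seq
	return nil
}

// Scenario runs four deliveries against one bot: a genuine command, a command
// inserted by an observer using their own key, a genuine signature reused on an
// altered command, and a replay of the genuine command. It returns the verdicts.
func Scenario() (genuine, forged, tampered, replayed error) {
	botmaster, _ := rsa.GenerateKey(rand.Reader, 2048)
	observer, _ := rsa.GenerateKey(rand.Reader, 2048) // the researcher's own key
	bot := &Bot{pub: &botmaster.PublicKey}

	cmd := Command{Seq: 1, Body: []byte("spam template=earthquake geo=US-CA")}
	sig, _ := Sign(botmaster, cmd)
	genuine = bot.Accept(cmd, sig)

	fake := Command{Seq: 2, Body: []byte("uninstall")}
	fakeSig, _ := Sign(observer, fake) // signed with the wrong private key
	forged = bot.Accept(fake, fakeSig)

	altered := Command{Seq: 2, Body: []byte("uninstall")}
	tampered = bot.Accept(altered, sig) // real signature, different message

	replayed = bot.Accept(cmd, sig) // real message and signature, already seen
	return
}

func main() {
	g, f, t, r := Scenario()
	fmt.Println("genuine :", g)
	fmt.Println("forged  :", f)
	fmt.Println("tampered:", t)
	fmt.Println("replayed:", r)
}
```

Only the first delivery is accepted. Without encryption an observer can still read the commands, which is why a scheme like this is usually paired with a cipher as well; but confidentiality is not what stops a takeover attempt, the signature check is. Getting back in means either obtaining the private key (a host seizure, not a protocol attack) or, as the paragraph above puts it, going after the operator's head rather than the protocol.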


It still uses the same tricks: social engineering, email spam for propagation, and fast flux for resiliency.
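Fast flux is the one of those three that shows up in DNS data, so here is an added example (mine, not from the post or from Shadowserver) of the simplest check a defender can run over a domain's successive DNS answers: a short TTL, many distinct A records, and an IP set that keeps changing between lookups. The sample answers are constructed from RFC 5737 documentation addresses, and the thresholds and the names ScoreAnswers and IsFastFlux are assumptions for this example.

```go
// Added example: scoring a domain's DNS answers for fast-flux behaviour.
// Sample data is constructed; thresholds are assumptions, not measured values.
package main

import "fmt"

// Answer is one observed DNS response for a domain: the advertised TTL in
// seconds and the A records it returned.
type Answer struct {
	TTL uint32
	IPs []string
}

// FluxScore summarises how a domain's resolutions behave over time.
type FluxScore struct {
	Lookups     int
	DistinctIPs int
	MaxTTL      uint32
	Churn       float64 // fraction of consecutive lookups whose IP set changed
}

func toSet(ips []string) map[string]bool {
	s := make(map[string]bool, len(ips))
	for _, ip := range ips {
		s[ip] = true
	}
	return s
}

// sameSet ignores record order: a rotated round-robin answer is not churn.
func sameSet(a, b map[string]bool) bool {
	if len(a) != len(b) {
		return false
	}
	for ip := range a {
		if !b[ip] {
			return false
		}
	}
	return true
}

// ScoreAnswers walks the answers in the order they were observed.
func ScoreAnswers(answers []Answer) FluxScore {
	s := FluxScore{Lookups: len(answers)}
	seen := map[string]bool{}
	changes := 0
	var prev map[string]bool
	for i, a := range answers {
		if a.TTL > s.MaxTTL {
			s.MaxTTL = a.TTL
		}
		cur := toSet(a.IPs)
		for ip := range cur {
			seen[ip] = true
		}
		if i > 0 && !sameSet(prev, cur) {
			changes++
		}
		prev = cur
	}
	s.DistinctIPs = len(seen)
	if len(answers) > 1 {
		s.Churn = float64(changes) / float64(len(answers)-1)
	}
	return s
}

// IsFastFlux flags a domain whose answers carry a short TTL, spread over many
// distinct IPs and keep changing between lookups.
func IsFastFlux(s FluxScore, maxTTL uint32, minDistinct int, minChurn float64) bool {
	return s.Lookups >= 2 && s.MaxTTL <= maxTTL &&
		s.DistinctIPs >= minDistinct && s.Churn >= minChurn
}

// Constructed samples: a fluxing domain that answers with a different set of
// compromised hosts every lookup, and a stable domain with a two-host round robin.
var FluxSamples = []Answer{
	{TTL: 300, IPs: []string{"203.0.113.10", "203.0.113.22", "198.51.100.7"}},
	{TTL: 300, IPs: []string{"198.51.100.7", "192.0.2.41", "203.0.113.88"}},
	{TTL: 300, IPs: []string{"192.0.2.5", "203.0.113.10", "198.51.100.130"}},
	{TTL: 300, IPs: []string{"192.0.2.41", "198.51.100.200", "203.0.113.22"}},
}

var StableSamples = []Answer{
	{TTL: 60, IPs: []string{"192.0.2.1", "192.0.2.2"}},
	{TTL: 60, IPs: []string{"192.0.2.2", "192.0.2.1"}}, // same set, rotated
	{TTL: 60, IPs: []string{"192.0.2.1", "192.0.2.2"}},
	{TTL: 60, IPs: []string{"192.0.2.1", "192.0.2.2"}},
}

func main() {
	for name, answers := range map[string][]Answer{"flux.example": FluxSamples, "stable.example": StableSamples} {
		s := ScoreAnswers(answers)
		fmt.Printf("%-15s maxttl=%d distinct=%d churn=%.2f fastflux=%v\n",
			name, s.MaxTTL, s.DistinctIPs, s.Churn, IsFastFlux(s, 600, 5, 0.5))
	}
}
```

The caveat a practitioner will want: CDNs and GeoDNS services also hand out low TTLs and rotating addresses, so TTL and churn alone produce false positives. Real detectors add network diversity (how many ASNs and netblocks the IPs span; a fast-flux network built from home broadband victims spreads across far more of them than a CDN does) and the age and registrar of the domain before flagging it.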

One of the clever things it does is craft custom, socially engineered, localized spam built around a disaster theme, using GeoIP to tailor the lure to the victim's own community. If you live in San Francisco, for example, the message might claim a terrorist attack on the Golden Gate Bridge, or an earthquake. Anything to lure the suckers in…


Here is a look at the network structure:

[figure: Waledac network structure]

That's a whole lotta pwnage, boys and girls. Keep your data close… Here is the geographic distribution:

[figure: geographic distribution of infected hosts]

Here are some good links to track Waledac domains.


One Response to “Series: Looking through the keyhole – Waldec”

  1. The geographic distribution of data looks to me like viruses under an electron microscope.
