Symantec Digs Roots of Waledac Botnet
In a series of blog posts and a new paper, Symantec researcher Gilou Tenebro has discussed the features that have made Waledac one of the most dynamic botnets currently active, eWeek reported on September 4, 2009. Tenebro studied every facet of Waledac, from its armoring and bootstrapping capabilities to the techniques it uses to run spam campaigns.
According to the researcher, Waledac's P2P (peer-to-peer) capability is at the heart of its success, giving it extra resistance to ISP takedowns such as the one that crippled Srizbi.
Most botnets still use the traditional centralized command-and-control model to communicate with their bots, which makes them easy to manage at the expense of resilience.
Gerry Egan, Director of Symantec Security Response, said that the traditional technique has the advantage of being faster, so it is easier for a botmaster to carry out a task at short notice, eWeek reported on September 4, 2009. The P2P model is much slower, he added, but it makes the botnet far more resilient to takedown attempts.
However, Egan is unsure how many bots currently make up Waledac, saying that its P2P communication makes an exact count difficult. The botnet has grown by infecting systems around the world through W32.Waledac, a worm that propagates by sending e-mails containing links to copies of itself. He further explained that the worm opens a backdoor on infected systems.
Additionally, Tenebro explained that Waledac uses fast-flux hosting for its domains: within a short time a Waledac domain can switch between many hosts, which may be acting purely as proxies. Fast-flux DNS (Domain Name System) makes the real source much harder to trace, and is effectively one of Waledac's defensive mechanisms.
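As an added illustration, not part of the Symantec research or this article, the following Python heuristic flags domains whose repeated lookups show the fast-flux pattern described above: many distinct, widely scattered addresses returned with short TTLs. The domain names, addresses, lookup log and thresholds are all constructed for the example; the /24 prefix count stands in for an ASN lookup, which would need offline routing data.

```python
"""Heuristic fast-flux detector over a log of DNS A-record answers.

Added example; the domains, addresses and thresholds are constructed, not
taken from any real Waledac observation.
"""
from collections import defaultdict
from ipaddress import ip_address
from statistics import mean

# Constructed observations: (domain, ttl_seconds, answer_ips), as a resolver
# or passive-DNS sensor would record them over repeated lookups.
OBSERVATIONS = [
    # flux-style: new, scattered addresses on nearly every lookup, short TTL
    ("flux.example", 300, ["198.51.100.7", "203.0.113.44", "192.0.2.9"]),
    ("flux.example", 300, ["203.0.113.201", "198.51.100.5", "192.0.2.9"]),
    ("flux.example", 300, ["192.0.2.33", "198.51.100.99", "203.0.113.10"]),
    ("flux.example", 300, ["192.0.2.77", "203.0.113.200", "198.51.100.150"]),
    # CDN-like: short TTL, but a small stable pool inside one prefix
    ("cdn.example", 60, ["203.0.113.1", "203.0.113.2"]),
    ("cdn.example", 60, ["203.0.113.2", "203.0.113.3"]),
    ("cdn.example", 60, ["203.0.113.1", "203.0.113.3"]),
    ("cdn.example", 60, ["203.0.113.1", "203.0.113.2"]),
    # static host: one address, long TTL
    ("static.example", 86400, ["192.0.2.1"]),
    ("static.example", 86400, ["192.0.2.1"]),
]


def _prefix24(ip: str) -> str:
    """Return the /24 an address falls in; a cheap stand-in for an ASN lookup."""
    return str(ip_address(ip)).rsplit(".", 1)[0]


def extract_features(observations):
    """Aggregate repeated lookups into per-domain features."""
    acc = defaultdict(lambda: {"lookups": 0, "ips": set(), "prefixes": set(), "ttls": []})
    for domain, ttl, ips in observations:
        entry = acc[domain]
        entry["lookups"] += 1
        entry["ttls"].append(ttl)
        entry["ips"].update(ips)
        entry["prefixes"].update(_prefix24(ip) for ip in ips)
    return {
        domain: {
            "lookups": e["lookups"],
            "distinct_ips": len(e["ips"]),
            "distinct_prefixes": len(e["prefixes"]),
            "mean_ttl": mean(e["ttls"]),
            # distinct addresses per lookup: a fixed pool drives this toward 0
            # as lookups accumulate, a flux pool keeps it at or above 1
            "churn": len(e["ips"]) / e["lookups"],
        }
        for domain, e in acc.items()
    }


def is_fast_flux(f, min_ips=5, min_prefixes=3, max_ttl=900, min_churn=1.0):
    """All four conditions must hold, so a CDN's short-TTL pool of a few
    addresses in one prefix is not flagged on TTL alone."""
    return (
        f["distinct_ips"] >= min_ips
        and f["distinct_prefixes"] >= min_prefixes
        and f["mean_ttl"] <= max_ttl
        and f["churn"] >= min_churn
    )


def classify(observations):
    """Map each domain in the log to True (fast-flux suspect) or False."""
    return {d: is_fast_flux(f) for d, f in extract_features(observations).items()}


if __name__ == "__main__":
    for domain, feats in extract_features(OBSERVATIONS).items():
        print(domain, feats, "FAST-FLUX" if is_fast_flux(feats) else "ok")
```

Running it flags only flux.example: eleven distinct addresses across three /24s in four lookups, against cdn.example's three addresses in a single prefix. A short TTL on its own is a weak signal, since legitimate CDNs also use them, which is why the address-diversity conditions carry most of the weight; a production version would replace the /24 heuristic with real ASN data and add NS-record churn, since flux networks often rotate their name servers too.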
Tenebro's blog further states that Waledac is a widespread and effective spam bot that has been successful for some time. That success is partly attributed to the time and effort put into building it; in particular, the protocol Waledac uses to communicate is strongly encrypted.
» SPAMfighter News - 23-09-2009