Series: Looking through the keyhole – Waledac
March 25, 2009
The Son of Storm.
This is essentially a rewrite of the Storm worm with a much stronger command-and-control channel protection scheme using RSA encryption, as documented by the awesome Shadowserver Foundation. Here is an excellent series of articles tracking its growth, called the Waledac Tracker.

With robust encryption starting to become the norm (Conficker, for example, now uses it too), it will be computationally infeasible to crack and observe the command-and-control traffic, or to conduct integrity attacks and command insertion against these botnets.
That means we need to be more innovative... or get some balls and be ruthless. If your opponent gets smarter than you are, you're better off just bashing him in the fucking head. Pardon my French.

They are still using the same tricks: social engineering, email spam for propagation, and fast flux for resiliency.
One of the awesome things it's doing is crafting custom, socially engineered, LOCALIZED email spam based on a disaster theme, using GeoIP to localize it to the victim's community. So, for example, if you live in San Francisco it would say something like a terrorist attack on the Golden Gate Bridge, or an earthquake. Anything to lure the suckers in...

Here is a look at the network structure.

That's a whole lotta pwnage, boys and girls. Keep your data close... Here is the geographic distribution.

Here are some good links to track Waledac domains.
The geographic distribution of data looks to me like viruses under an electron microscope.