The Son of Storm.

This is essentially a rewrite of the Storm worm with a much, much stronger command and control channel protection scheme, using  as written by the awesome .  Here is an of articles tracking its growth, called the Waldec Tracker.


With robust encryption starting to become the norm (Conficker, for instance, is now doing robust encryption), it will be computationally infeasible to crack and observe the command and control traffic, or to conduct integrity attacks and command insertion against these botnets.

That means we need to be more innovative... or get some balls and be ruthless.  If your opponent gets smarter than you are, you're better off just bashing him in the fucking head.  Pardon my French.


They are still using the same tricks: social engineering and email spam for propagation, and fast flux for resiliency.
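Fast flux shows up in DNS as short TTLs combined with a large, constantly changing set of answer addresses spread across unrelated networks. The following Python heuristic is an added example written for this post (not code from the original article or from any tracking project) that scores domains from a small set of constructed DNS observations; the domain names, addresses, timestamps and thresholds are all assumptions made up for the example, and the /24 spread is used here as a rough stand-in for the ASN diversity a production tracker would measure.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS observations for the example (not real data):
# (seconds since first query, domain, TTL in seconds, answer IPs)
OBSERVATIONS = [
    (0,   "flux-example.test",   60,    ["100.64.1.10", "100.64.2.10", "100.64.3.10"]),
    (120, "flux-example.test",   60,    ["100.64.4.10", "100.64.5.10", "100.64.6.10"]),
    (240, "flux-example.test",   60,    ["100.64.7.10", "100.64.1.11", "100.64.8.10"]),
    (360, "flux-example.test",   60,    ["100.64.9.10", "100.64.2.11", "100.64.10.10"]),
    # A CDN-like domain: low TTL, but the answers stay inside one /24
    (0,   "cdn-example.test",    60,    ["192.0.2.10", "192.0.2.11"]),
    (120, "cdn-example.test",    60,    ["192.0.2.11", "192.0.2.10"]),
    (240, "cdn-example.test",    60,    ["192.0.2.12", "192.0.2.10"]),
    # An ordinary static host: long TTL, single stable address
    (0,   "static-example.test", 86400, ["198.51.100.5"]),
    (300, "static-example.test", 86400, ["198.51.100.5"]),
]


def summarize(observations):
    """Aggregate per-domain query count, distinct IPs, distinct /24s and lowest TTL."""
    per_domain = defaultdict(
        lambda: {"queries": 0, "ips": set(), "nets": set(), "min_ttl": None}
    )
    for _when, domain, ttl, ips in observations:
        summary = per_domain[domain]
        summary["queries"] += 1
        summary["min_ttl"] = ttl if summary["min_ttl"] is None else min(summary["min_ttl"], ttl)
        for ip in ips:
            summary["ips"].add(ip)
            # Collapse each address to its /24 so churn across networks is visible
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            summary["nets"].add(str(net))
    return dict(per_domain)


def is_fast_flux(summary, max_ttl=300, min_ips=5, min_nets=3):
    """Heuristic: short TTL AND many distinct answers AND spread over several networks.

    Any single signal is weak on its own (CDNs also use short TTLs), so all three
    must hold. Thresholds are assumed values chosen for this example.
    """
    return (
        summary["min_ttl"] <= max_ttl
        and len(summary["ips"]) >= min_ips
        and len(summary["nets"]) >= min_nets
    )


def flag_fast_flux(observations, **thresholds):
    """Return the sorted list of domains whose observations look like fast flux."""
    return sorted(
        domain
        for domain, summary in summarize(observations).items()
        if is_fast_flux(summary, **thresholds)
    )


if __name__ == "__main__":
    for domain, summary in summarize(OBSERVATIONS).items():
        print(
            f"{domain}: queries={summary['queries']} ips={len(summary['ips'])} "
            f"nets={len(summary['nets'])} min_ttl={summary['min_ttl']} "
            f"flux={is_fast_flux(summary)}"
        )
    print("flagged:", flag_fast_flux(OBSERVATIONS))
```

Run against the constructed log, only `flux-example.test` is flagged: it answers with twelve different addresses across ten /24s at a 60-second TTL, while the CDN-like domain shares the short TTL but never leaves its one /24. Feeding the summarizer from passive DNS or resolver logs instead of the inline list is the only change needed to apply it to real traffic.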

One of the awesome things it's doing is crafting custom, socially engineered, LOCALIZED email spam based on a disaster theme, using GeoIP to localize it to the victim's community.  So, for example, if you live in San Francisco it would say something like a terrorist attack on the Golden Gate Bridge, or an earthquake.  Anything to lure the suckers in…


Here is a look at the network structure.

[Image: network structure]

That's a whole lotta pwnage, boys and girls.  Keep your data close…. Here is the geographic distribution.

[Image: geographic distribution]

Here are some good links to track .

So with everyone losing their laptops or getting them stolen, every organization under the sun is evaluating and looking at Data At Rest encryption (typically AES, if you're smart) using Data Loss Prevention products. Basically these encrypt the entire hard drive, not just volumes, folders, and files like other products. Well, basically you rip the encryption key right out of physical memory, then mount the hard drive and decrypt the data so it can all be stolen. Wonderful. Of course these products should use multi-factor biometric and smart card based authentication at the preboot level, which could conceivably prevent this, MAYBE. I'm investigating….. McAfee SafeBoot here I come! If you want to read up more on it and try out the code, check out the

