Waledac Botnet - Deployment and Communication Analysis

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

Waledac Botnet - Deployment and Communication Analysis
Waledac flow com.png
Botnet Waledac
Malware Waledac
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2009 /
Editor/Conference Fortinet
Link http://www.fortiguard.com/analysis/waledacanalysis.html Fortinet Article (Fortinet Article Archive copy)
Author Kyle Yang, Derek Manky


Historically, Botnets have used IRC (Internet Relay Chat) for control. This has a critical drawback, which is its server/client architecture. We could find the server/RP (Rendezvous Point) easily since it’s really hard to hide them based on their server/client model. As a result of this architecture, the entire Botnet will be stopped if we take down the server/RP. In recent years, Botnets have moved to use P2P technology. One of the most remarkable examples is the Storm Botnet, which was prevalent in 2007. At the time, it was the world's most active and infamous Botnet, with a sophisticated C&C channel which created a high impact on spam sent worldwide. Waledac enhanced its predecessor by abandoning the server/client model, moving forward to use P2P to control its bots. The P2P architecture performs as a protector/shield of the server/RP in an effort to hide them from being found. This also allows the “controller” to control the Bots completely decentralized. Waledac's main purpose is to send spam, usually by taking advantage of many real-world events - social engineering that tricks users into downloading copies of itself or other malicious executables. Notable Waledac spam campaigns include Valentine's day, Obama presidency, The "Couponizer", 4th of July, and Bomb Scares.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2009BFR821,
   editor = {Fortinet},
   author = {Kyle Yang, Derek Manky},
   title = {Waledac Botnet - Deployment and Communication Analysis},
   date = {23},
   month = Feb,
   year = {2009},
   howpublished = {\url{http://www.fortiguard.com/analysis/waledacanalysis.html Fortinet Article}},