Waledac: An Evolving Botnet

By Derek Manky | September 30, 2009

The design of botnets has evolved considerably over the past several years, with Slapper and other high-profile worms (Storm) moving to peer-to-peer architectures. Alongside the malicious use of decentralized networks such as peer-to-peer and innovations like fast flux, protocol design has evolved just as much. Primitive command-and-control protocols simply used open standards such as IRC, with commands sent in plain text exactly as any other IRC client would send them. Cyber criminals nowadays put great effort into cloaking not only their binaries (through the aggressive use of packers) but also their communication, in order to evade detection. To achieve this, the commands exchanged between a zombie and its bot herder are increasingly obfuscated: encrypted and encoded. Standard ports may still be used (IRC, HTTP), but the underlying data is certainly not standard. Waledac is a prime example of this evolution: an emerging botnet that implements several sophisticated techniques that have allowed it to survive in the wild, sending out spam emails on request while downloading new malware. Research by Fortinet's Kyle Yang analyzes the communication framework used by Waledac, available here for reading on our FortiGuard Center. It is a good indicator of what we can expect moving forward in the arms race against cyber crime.