The new version of Waledac was spotted on February 2 and experts have been analyzing it ever since. They conclude that it’s still sending spam, but it can also steal passwords and authentication data, including credentials for FTP, POP3, SMTP.
Besides this, Waledac also steals .dat files for FTP and BitCoin and uploads them to the botnet.
By relying on their WildFire systems, which enable a firewall to capture unknown files and analyze them in a malware sandbox, Palo Alto Networks were able to identify how the new variant behaves.
Given the confusion that was created around the Kelihos botnet which was declared resurrected by Kaspersky, only to be put to sleep again by Microsoft, the company emphasizes the fact that this is not the old botnet, but a new variant.
Symantec also covered the emergence of the new botnet. The security solutions provider spotted it at doing what it accustomed us to: spamming.
An email that targeted only Russian users served a website called Rospress which promoted slanderous articles, but it was uncertain if the purpose was to smudge the upcoming Russian elections or merely to advertise the site.
“While it is not clear whether the intent of this Waledac spam campaign has been to promote the Rospres.com site or to smear the election campaign of any individual, it does question the exact motivation of the malware gang controlling the W32.Waledac.C variant,” Symantec experts said.