Walking Waledac
by Jose Nazario

First, it looks like Waledac is the Storm Worm infrastructure and group but with new malcode. I now fully support this conclusion and have for several days based on evidence from reliable sources.
OK, now that that is out in the open, one of the things we in the research community noticed about the Storm Worm network was that nodes acted as both an HTTP proxy and an open recursive DNS server. This is useful if we want to get geographically dispersed queries, because the network itself is global in nature. So, I wrote a small program dubbed “nswalk” that queries the Storm nodes for their own domain names. What you do is seed the tool with a domain name like “livechristmascard.com” and the IP address of a name server and, voila, it gets to work. It queries the DNS server and gets an IP back for the name, then goes to that new IP and asks it the same question again. Lather, rinse, repeat … Since they’re open recursive resolvers and, at least at present, the names have a 0-second TTL, every time you query a server you’ll get a fresh, non-cached answer. And because you’re talking to new servers each time, you minimize the geographic biases the system may introduce. Keep track of when you got each answer and you have a very interesting data set.
So, a friend of mine, C, ran this for many hours over the domain names and found some interesting results. So far, two data sets pop out almost immediately. The first is unique IPs for the network by hour in his run. Data was collected over the 11th and 12th of January using the “nswalk” tools I shared with him. There are a couple of strong biases in there for a few hours that may indicate a strong geographic bias (e.g. Europe, Asia or North America), but I haven’t dug into the data to see if that’s the case.
The second data set is the number of unique IPs for this measurement (~30 hours’ worth) by domain name. With a few exceptions, they’re all roughly in the same ballpark, just like we saw with the previous batch of Storm Worm fast-flux domain names.
The tool gathered 1336 total unique IPs overall in its run. Again, this is consistent with active DNS mining measurements of the visible parts of the Storm Worm network.
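As an added example (this is not the author’s “nswalk”, whose source is not on this page), here is a stdlib-only Python walker that does what the post describes: build an A query for the seed name, send it to the seed resolver, then ask each IP that comes back the same question, recording who answered what and when. It also tallies distinct answer IPs per hour, the first data set described above. The names `nswalk`, `table_resolver`, `unique_ips_by_hour` and `SAMPLE_NETWORK` are mine; the sample network uses documentation-range addresses and is constructed for the demo, not real botnet data. `udp_resolver` is the live transport and is the only part that touches the network; the demo runs offline against the constructed table.

```python
import os
import socket
import struct
import time
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

Answer = Tuple[str, int]                       # (IPv4 address, TTL in seconds)
Resolver = Callable[[str, str], List[Answer]]  # resolve(server_ip, name) -> answers


def build_a_query(name: str, txid: int) -> bytes:
    """Wire-format DNS query: header with RD set, one question of type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Step over a possibly compressed name; return the offset just after it."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # two-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:             # root label ends the name
            return off
        off += length


def parse_a_answers(msg: bytes, txid: int) -> List[Answer]:
    """Return (ip, ttl) for every A/IN record in the answer section."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or flags & 0x000F != 0:   # id mismatch or non-zero RCODE
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    answers: List[Answer] = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(msg[off:off + 4]), ttl))
        off += rdlen
    return answers


def udp_resolver(timeout: float = 2.0) -> Resolver:
    """Live transport: ask server:53 over UDP. Not used by the offline demo."""
    def resolve(server: str, name: str) -> List[Answer]:
        txid = int.from_bytes(os.urandom(2), "big")   # random id per query
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_a_query(name, txid), (server, 53))
            try:
                data, _ = sock.recvfrom(512)
            except socket.timeout:
                return []
        return parse_a_answers(data, txid)
    return resolve


def nswalk(domain: str, seed_server: str, resolve: Resolver,
           max_queries: int = 1000) -> Tuple[list, Set[str]]:
    """Ask the seed for `domain`, then ask every IP that comes back the same
    question until no new IPs appear. Returns (observations, unique answer IPs),
    each observation being (timestamp, server_asked, answer_ip, ttl)."""
    observations = []
    asked = {seed_server}
    unique_ips: Set[str] = set()
    queue = [seed_server]
    while queue and len(observations) < max_queries:
        server = queue.pop(0)
        for ip, ttl in resolve(server, domain):
            observations.append((time.time(), server, ip, ttl))
            unique_ips.add(ip)
            if ip not in asked:          # only walk to nodes not asked yet
                asked.add(ip)
                queue.append(ip)
    return observations, unique_ips


def unique_ips_by_hour(observations) -> Dict[int, int]:
    """Distinct answer IPs per wall-clock hour (hour = timestamp // 3600)."""
    buckets: Dict[int, Set[str]] = defaultdict(set)
    for ts, _, ip, _ in observations:
        buckets[int(ts // 3600)].add(ip)
    return {hour: len(ips) for hour, ips in sorted(buckets.items())}


def table_resolver(table: Dict[str, List[Answer]]) -> Resolver:
    """Constructed stand-in for the flux network: which node answers what."""
    return lambda server, name: table.get(server, [])


# Constructed sample (documentation ranges, not real data); every TTL is 0.
SAMPLE_NETWORK: Dict[str, List[Answer]] = {
    "192.0.2.1":     [("198.51.100.10", 0), ("198.51.100.11", 0)],
    "198.51.100.10": [("198.51.100.12", 0), ("198.51.100.10", 0)],
    "198.51.100.11": [("198.51.100.13", 0)],
    "198.51.100.12": [("198.51.100.11", 0)],
    "198.51.100.13": [],
}

if __name__ == "__main__":
    obs, ips = nswalk("example.test", "192.0.2.1", table_resolver(SAMPLE_NETWORK))
    print(len(ips), "unique IPs from", len(obs), "answers;", unique_ips_by_hour(obs))
```

To run it against live resolvers, pass `udp_resolver()` instead of `table_resolver(...)`; the walk stops on its own once every answering IP has been asked, and `max_queries` bounds the run regardless. The breadth-first queue is what keeps the geographic spread the post relies on: each newly seen node is asked exactly once, so the answer set is not dominated by whichever node happened to answer first.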
Many thanks to C for running this experiment. We’re still digging into the data to see what else is hiding in there.
Related research:
- Some Waledac Stats from the sudosecure blog
Edited to fix my typo-ing of the name of the malcode.