
Zero Day

500,000 stolen email passwords discovered in Waledac's cache

By Ryan Naraine and Dancho Danchev | February 2, 2011, 4:38am PST

Summary: Researchers peek inside the Waledac botnet to find 489,528 stolen email passwords, next to another cache of 123,920 stolen FTP passwords. Time to change your passwords?

While closely monitoring the post-takedown activities of the Waledac botnet, security researchers took a peek inside the botnet’s cache of stolen account data and found half a million stolen email passwords, alongside well over a hundred thousand stolen FTP passwords.

More info:

“More specifically, they have 123,920 login credentials to FTP servers at their disposal. This number is significant, considering the Waledac controllers use an automated program to login to these servers and patch (or upload) specific files to redirect users to sites that serve malware or promote cheap pharmaceuticals.

We also discovered 489,528 credentials for POP3 email accounts. These credentials are known to be used for “high-quality” spam campaigns.”

Abuse scenarios

  • Stolen email accounts can be used for email impersonation attacks that abuse the trust between the account owner and the countless services and contacts associated with that account. Once that trust has been abused, the attackers can also feed the stolen credentials into their spam platforms, sending through the legitimate provider in an attempt to benefit from the DomainKeys signatures it adds and so increase the probability of reaching the recipient’s Inbox.
  • The stolen FTP accounts are usually fed into efficiency-driven blackhat SEO (black hat search engine optimization) tools and managed spam/exploit-serving services, letting the attackers tailor their campaigns: pharmaceutical scams, pure blackhat SEO campaigns that syndicate trending topics across the Web in real time, and, of course, serving client-side exploits through legitimate web sites.

This is perhaps the perfect moment to change your passwords — in a perfect world, best practices would already be in place — and to do it from a malware-free host.


Biography

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter

Talkback (21 comments)

  • Sounds familiar
    So it's a trojan that steals the information that was intended for your email provider and sends it to a scammer for their own use.

    What was it, some sort of toolbar that watches our surfing and reports back to some evil chair-throwing baddie?
    guihombre
    2nd Feb 2011
  • Unbelievable
    I can't believe there is only one post for this important subject. If it was about that nitwit Snooky or some stupid housewives-on-TV subject there would be at least 3000 posts. Just goes to show you what we Americans are made of today; damn right embarrassing.
    FredOneSaid
    2nd Feb 2011
  • RE: 500,000 stolen email passwords discovered in Waledac's cache
    @FredOneSaid

    Nitwit is being polite!!
    FINALLY SOMEONE WITH A BRAIN who shares my OPINIONS!!!

    This is what is called the DUMBING DOWN of Americans...
    Look at what our media covers (all forms included)??
    jasonemmg
    3rd Feb 2011
  • Anyone have the IP Address for Fox News?
    @jasonemmg Amazin', isn't it? I've searched articles with over 250 posts for mention of security and/or virus and found nothing.

    All that you find is comments about new gadgets and features.
    Joe.Smetona
    4th Feb 2011
  • Security and being pro-active are the keys IMO.
    The numbers might be right, but very high percentages of those lists are probably junk information and certainly a bunch of honeypots. Better information would be a look-see at how many of the listed addresses and passwords are current and still in use, and how far back in the calendar that data collection goes.
    Personally I only have five highly important URLs/Addresses I use and those are all under security and, on my own machine, encrypted on disk and during transmission. Certs for the encryption are kept digitally on a machine with no 'net access, and are well protected to date. Even if the data were sniffed, all it would get is 256-bit encryption.
    Other accounts, well, they're welcome to them if they want them; there's nothing needing security on them and absolutely no personal information of any kind.
    I don't claim to be 100% protected; I don't think that's possible, but at the same time it's over three years now since I've seen anything more serious than tracking cookies, which are deleted automatically after each session.
    Changing passwords of course makes sense whether there is a known exploit going on or not; it's easy and takes almost no time, after all. I do keep a list of "minor" passwords & usernames on disk, encrypted again, because of the sheer volume of PWs & usernames needed.
    twaynesdomain
    2nd Feb 2011
  • Look at mister smug
    @twaynesdomain Look.. not to be condescending ... but really... smug much? And by chance do you have a logon to LifeHacker.Com ??

    They got hacked, their database of passwords stolen, so it doesn't matter how much security *you* have on *your* machine, it's a numbers and time game. How fast can they crack a security code, how long before some Uber site *YOU* use gets cracked and data stolen ....

    To the rest of the world.. I say ... this is another reason why ISPs blocking port 25 (standard SMTP) is worthless.

    I've had several spams in just the past week that came from people on Hotmail ... and in tracing the headers the spammers used those people's Hotmail username & password to log in and automate their spam from abnormal places.

    And that's where the real answer lies .... the respective ISP or mail service provider needs to start tracking where users log in from. If Jane Doe normally logs on from Hoboken, New Jersey off of Comcast Cable ... then suddenly she's logging in from some two-bit dive in Indochina, then maybe there's reason to suspect she's been hacked, and when she starts sending 10 times the email in one minute than normal, even more suspicious ... there should be checks and controls on this kind of thing..

    Sure it puts the burden on proving yourself.. but how hard is it really to track *your* login 5 days a week from home, work, and that coffee shop you frequent down the block?

    Credit Card Companies have been doing this for a while.. even called me on my cell last year when I was in DC and bought 4 coffees for me and some friends going to the Air & Space Museum ... "Mr T? Are you aware of a charge in DC..." I only live 60 miles from DC in Virginia ... but it was enough to pique their curiosity and call me.

    ISPs could be MUCH MORE proactive in that regard ... but it takes cooperation and the desire to really change things, rather than treat internet users as a commodity traded fair, where serving them as cheaply as possible is the mantra.
    TG2
    2nd Feb 2011
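The login-anomaly check TG2 describes above, written out as an added example (not code from the article, ZDNet or the commenter): it learns each user's usual login locations and per-minute send rate from a constructed history, then flags a login from an unseen location or a send burst ten times the user's baseline. The event fields, location labels and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample history: (user, login location, messages sent that minute).
HISTORY = [
    ("jane", "Hoboken/Comcast", 3),
    ("jane", "Hoboken/Comcast", 2),
    ("jane", "NYC/office", 4),
    ("jane", "Hoboken/Comcast", 3),
]


def build_baseline(events):
    """Per user: the set of locations seen so far and the mean messages/minute."""
    locs = defaultdict(set)
    totals = defaultdict(lambda: [0, 0])  # user -> [sum of sends, event count]
    for user, loc, sent in events:
        locs[user].add(loc)
        totals[user][0] += sent
        totals[user][1] += 1
    rate = {u: s / n for u, (s, n) in totals.items()}
    return locs, rate


def score_login(baseline, user, loc, sent, burst_factor=10):
    """Return the reasons this login/send event deviates from the baseline.

    An empty list means nothing looked unusual. A real provider would feed
    these reasons into a step-up authentication or rate-limit decision.
    """
    locs, rate = baseline
    if user not in locs:
        return ["unknown user"]
    reasons = []
    if loc not in locs[user]:
        reasons.append(f"new location {loc!r}")
    if rate[user] > 0 and sent >= burst_factor * rate[user]:
        reasons.append(f"send rate {sent}/min is {sent / rate[user]:.0f}x baseline")
    return reasons


BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    # A normal login, then the hijacked-account pattern from the comment.
    print(score_login(BASELINE, "jane", "Hoboken/Comcast", 3))
    print(score_login(BASELINE, "jane", "Unknown/Indochina", 40))
```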
  • RE: 500,000 stolen email passwords discovered in Waledac's cache
    @TG2

    Blocking port 25 is still very useful to those of us running mail servers.

    Without port 25 blocking we would get a lot more traffic from infected PCs.

    Currently it is necessary to block SMTP traffic from dynamic IP addresses as they are only ever infected PCs. If their ISPs blocked port 25 then that problem would go away.

    I am seeing a lot of SSH dictionary attacks lately as well - used to be next to none - a few weeks ago I saw this sort of attack start in a big way and it hasn't stopped yet.
    richardw66
    2nd Feb 2011
  • How does one find out??
    Is there some way to find out if any of your own accounts are among the list?
    catseverywhere@...
    2nd Feb 2011
  • RE: 500,000 stolen email passwords discovered in Waledac's cache
    @catseverywhere@... assume it's there... change your passwords
    jroger@...
    2nd Feb 2011
  • RE: 500,000 stolen email passwords discovered in Waledac's cache
    This **** is so tight...It's that 31337 h4x0r ST33z0 you see in movies! That dude had so much aXX!! He probably didn't even know what to do with it lol...He just wanted to plug his new r00ts in to his net to help his baby grow even bigger probably! And then spend most any free time trying to design and develop a control protocol and update delivery package that would have no problems scaling! Did he actually have another system taking advantage of all the free webspace and unique hosts?? Or was he doing any malicious localized attacks upon his flock of r00t3d b0x3nz like searching for a "Passwords" folder in email, trying to use a browser, sniff some data stream or post keyloggers? I mean that's the kind of stuff people are afraid of happening I think. 'Twas the only stuff I could ever think to do waaaay back when I used to try and social engineer a copy of B.O. on to their systems lol...All this other spam type stuff I must think brings in lots of money to make them fight so hard against the spam filters to push such lame messages ya know?
    GBleezy
    2nd Feb 2011
  • RE: 500,000 stolen email passwords discovered in Waledac's cache
    It is easy to say to change your passwords. But I have accounts on well over one hundred systems. It still would be good to know whether or not one of my accounts is in the list, and if so, which one.
    sorgfelt
    2nd Feb 2011
  • RE: 500,000 stolen email passwords discovered in Waledac's cache
    @sorgfelt if you could see this, so could anyone else.

    Best just to change your passwords, and use a secure manager. Maybe a manager is able to help with a mass update -- or could be convinced about such a feature, using randomly generated passwords, of course.
    Narr vi
    2nd Feb 2011
  • RE: 500,000 stolen email passwords discovered in Waledac's cache
    Dancho, glad to see you back. Be well, and we'll appreciate what you do.

    Great to see your own security blog with the details which help understanding. I think having the two outlets which work together is a good way to work this communication.

    Best,
    narr vi
    Narr vi
    2nd Feb 2011
  • Raise the price and/or authentication for the best service
    (1) If an e-mail account cost even 10 cents to register, no one could sell 10,000 accounts so cheap. Paying customers (pay a token "retainer" fee) get the "high" service; others get the "low" service (mails go out through the "low" server (the one likely to be blacklisted occasionally), OR have their IP address added to e-mails, OR both). [Naturally, such a provision would up the incentive for hijacking real accounts.]
    -or-
    (2) Users who have validated a phone number avoid the "low" service. [Invites phone-line abuse.]
    dv5678
    2nd Feb 2011
