500,000 stolen email passwords discovered in Waledac's cache

Summary: Researchers peek inside the Waledac botnet to find 489,528 stolen email passwords, next to another cache of 123,920 stolen FTP passwords. Time to change your passwords?


Closely monitoring the post-takedown activities of the Waledac botnet, security researchers took a peek inside the botnet's cache of stolen account data and found half a million stolen email passwords, next to hundreds of thousands of stolen FTP passwords.

More info:

"More specifically, they have 123,920 login credentials to FTP servers at their disposal. This number is significant, considering the Waledac controllers use an automated program to login to these servers and patch (or upload) specific files to redirect users to sites that serve malware or promote cheap pharmaceuticals.

We also discovered 489,528 credentials for POP3 email accounts. These credentials are known to be used for “high-quality” spam campaigns."

Abuse scenarios

  • Stolen email accounts can be used for email impersonation attacks that abuse the trust chain between the account owner and the countless services and contacts associated with that owner. Once that trust chain has been abused, the attackers can also easily embed the account data into their spam platforms, in an attempt to take advantage of the DomainKeys ecosystem and increase the probability of reaching the recipient's Inbox.
  • The stolen FTP accounts are usually embedded in efficiency-driven blackhat SEO (black hat search engine optimization) tools and in managed spam and exploit-serving services, allowing the attackers to easily tailor their campaigns, be it pharmaceutical scams, pure blackhat SEO campaigns with real-time syndication of trending topics across the Web, and, of course, serving client-side exploits through legitimate web sites.

This is perhaps the perfect moment to change your passwords -- in a perfect world, best practices are already in place -- and to do so from a malware-free host.

Topics: Security, Collaboration

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

21 comments
  • Sounds familiar

    So it's a trojan that steals the information that was intended for your email provider and sends it to a scammer for their own use.

    What was it, some sort of toolbar that watches our surfing and reports back to some evil chair throwing baddie?
    guihombre
  • Unbelievable

    I can't believe there is only one post for this important subject, if it was about that nitwit Snooky or some stupid housewives on tv subject there would be at least 3000 posts, just goes to show you what we Americans are made of today, damn right embarrassing.
    FredOneSaid
    • RE: 500,000 stolen email passwords discovered in Waledac's cache

      @FredOneSaid

      Nitwit is being polite!!
      FINALLY SOMEONE WITH A BRAIN that shares my same OPINIONS!!!

      This is what is called the DUMBING DOWN of Americans...
      Look at what our media covers (all forms of included)??
      jasonemmg
      • Anyone have the IP Address for Fox News? :)

        @jasonemmg Amazin', isn't it? I've searched articles with over 250 posts for mention of security and/or virus and found nothing.

        All that you find is comments about new gadgets and features.
        Joe.Smetona
  • Good to have you back, D!

    SonofaSailor
  • Security and being pro-active are the keys IMO.

    The numbers might be right, but very high percentages of those lists are probably junk information and certainly a bunch of honeypots. Better information would be a look-see at how many of the listed addresses and passwords are current and still in use, and how far back in the calendar that data collection goes.
    Personally I only have five highly important URLs/Addresses I use and those are all under security and, on my own machine, encrypted on disk and during transmission. Certs for the encryption are kept digitally on a machine with no 'net access, and are well protected to date. Even if the data were sniffed, all it would get is 256 bit encryption.
    Other accounts, well, they're welcome to them if they want them; there's nothing needing security on them and absolutely no personal information of any kind.
    I don't claim to be 100% protected; I don't think that's possible, but at the same time it's over three years now since I've seen anything more serious than tracking cookies, which are deleted automatically after each session.
    Changing passwords of course makes sense whether there is a known exploit going on or not; it's easy and takes almost no time, after all. I do keep a list of "minor" passwords & usernames on disk, encrypted again, because of the sheer volume of PW's & Usernames needed.
    twaynesdomain-22354355019875063839220739305988
    • Look at mister smug

      @twaynesdomain Look.. not to be condescending ... but really... smug much? And by chance do you have a logon to LifeHacker.Com ??

      They got hacked, their database of passwords stolen, so it doesn't matter how much security *you* have on *your* machine, it's a numbers and time game. How fast can they crack a security code, how long before some Uber site *YOU* use gets cracked and data stolen ....

      At the rest of the world.. I say ... this is another reason why ISP's blocking port 25 (standard SMTP) is worthless.

      I've had several spams in just the past week that came from people in Hotmail ... and in tracing the headers the spammers used those people's hotmail username & password to login and automate their spam from abnormal places.

      And that's where the real answer lies .... the respective ISP or mail service provider needs to start tracking where users log-in from. If Jane Doe normally logs on from Hoboken, New Jersey off of Comcast Cable ... then suddenly she's logging in from some two bit dive in Indochina, then maybe there's reason to suspect she's been hacked, and when she starts sending 10 times the email in one minute than normal, even more suspicious ... there should be checks and controls on this kind of thing..

      Sure it puts the burden on proving yourself.. but how hard is it really to track *your* login 5 days a week from home, work, and that coffee shop you frequent down the block?

      Credit Card Companies have been doing this for a while.. even called me on my cell last year when I was in DC and bought 4 coffees for me and some friends going to the Air & Space Museum ... "Mr T? Are you aware of a charge in DC..." I only live 60 miles from DC in Virginia ... but it was enough to pique their curiosity and call me.

      ISP's could be MUCH MORE proactive in that regard ... but it takes cooperation and the desire to really change things, rather than treat internet users as commodity traded fair, where serving them as cheaply as possible is the mantra.
      TG2
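The two heuristics the comment above sketches, a login from a location never seen for that user and a sudden burst of outbound mail, as an added example that is not part of the original article or of any real provider's system. The log lines, user names, country codes ("XX" is a placeholder) and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log, one event per line: user,event,country,mails_sent_this_minute
SAMPLE_LOG = """\
jane,login,US,0
jane,send,US,3
jane,login,US,0
jane,send,US,4
jane,login,US,0
jane,send,US,2
jane,login,XX,0
jane,send,XX,45
bob,login,US,0
bob,send,US,5
bob,login,US,0
bob,send,US,6
bob,login,US,0
bob,send,US,4
bob,login,US,0
bob,send,US,7
"""


def parse(log_text):
    """Yield (user, event, country, count) tuples from the constructed CSV log."""
    for line in log_text.strip().splitlines():
        user, event, country, count = line.split(",")
        yield user, event, country, int(count)


def detect_anomalies(log_text, learn_logins=3, spike_factor=10):
    """Return alerts as (user, kind, detail) tuples.

    The first `learn_logins` logins of each user form a learning phase in which
    only the countries seen and the per-minute send counts are recorded.  After
    that, a login from a country absent from the learned set raises a
    "new_location" alert, and a send count above `spike_factor` times the learned
    average raises a "send_spike" alert (no alert if no baseline sends exist)."""
    countries, logins, sends, alerts = defaultdict(set), defaultdict(int), defaultdict(list), []
    for user, event, country, count in parse(log_text):
        learning = logins[user] < learn_logins
        if event == "login":
            if learning:
                countries[user].add(country)
            elif country not in countries[user]:
                alerts.append((user, "new_location", country))
            logins[user] += 1
        elif event == "send":
            if learning:
                sends[user].append(count)
            elif sends[user] and count > spike_factor * (sum(sends[user]) / len(sends[user])):
                alerts.append((user, "send_spike", count))
    return alerts
```

Run on the sample log, only jane trips both checks: her login from "XX" and the burst of 45 mails against a learned average of 3.5 per minute.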
      • RE: 500,000 stolen email passwords discovered in Waledac's cache

        @TG2

        Blocking port 25 is still very useful to those of us running mail servers.

        Without port 25 blocking we would get a lot more traffic from infected PCs.

        Currently it is necessary to block smtp traffic from dynamic IP addresses as they are only ever infected PCs. If their ISPs blocked port 25 then that problem would go away.

        I am seeing a lot of SSH dictionary attacks lately as well - used to be next to none - a few weeks ago I saw this sort of attack start in a big way and it hasn't stopped yet.
        richardw66
  • how does one find out??

    Is there some way to find out if any of your own accounts are among the list?
    catseverywhere@...
    • RE: 500,000 stolen email passwords discovered in Waledac's cache

      @catseverywhere@... assume it's there... change your passwords
      jroger@...
  • RE: 500,000 stolen email passwords discovered in Waledac's cache

    This shit is so tight...It's that 31337 h4x0r ST33z0 you see in movies! That dude had so much aXX!! He probably didn't even know what to do with it lol...He just wanted to plug his new r00ts in to his net to help his baby grow even bigger probably! And then spend most any free time trying to design and develop a control protocol and update delivery package that would have no problems scaling ! Did he actually have another system taking advantage of all the free webspace and unique hosts?? Or was he doing any malicious localized attacks upon his flock of r00t3d b0x3nz like searching for a "Passwords" folder in email, trying to use a browser, sniff some data stream or post keyloggers? I mean that's the kind of stuff people are afraid happening I think. Twas the only stuff I could ever think to do waaaay back when I used to try and social engineer a copy of B.O. on to their systems lol...All this other spam type stuff I must think brings in lots of money to make them fight so hard against the spam filters to push such lame messages ya know?
    GBleezy
  • RE: 500,000 stolen email passwords discovered in Waledac's cache

    It is easy to say to change your passwords. But I have accounts on well over one hundred systems. It still would be good to know whether or not one of my accounts is in the list, and if so, which one.
    sorgfelt
    • RE: 500,000 stolen email passwords discovered in Waledac's cache

      @sorgfelt if you could see this, so could anyone else.

      Best just to change your passwords, and use a secure manager. Maybe a manager is able to help with a mass update -- or could be convinced about such a feature, using randomly generated passwords, of course.
      Narr vi
  • RE: 500,000 stolen email passwords discovered in Waledac's cache

    Dancho, glad to see you back. Be well, and we'll appreciate what you do.

    Great to see your own security blog with the details which help understanding. I think having the two outlets which work together is a good way to work this communication.

    Best,
    narr vi
    Narr vi
  • Raise the price and/or authentication for the best service

    (1) If an e-mail account cost even 10 cents to register, no one could sell 10,000 accounts so cheap. Paying customers (pay a token "retainer" fee) get the "high" service; others get the "low" service (mails go out through the "low" server (the one likely to be blacklisted occasionally), OR have their IP address added to e-mails, OR both). [Naturally, such a provision would up the incentive for hijacking real accounts.]
    -or-
    (2) Users who have validated a phone number avoid the "low" service. [invites phone-line abuse.]
    dv5678
  • RE: 500,000 stolen email passwords discovered in Waledac's cache

    They could have stolen all those passwords from the new flaw found in all Android browsers using a malicious web site. These criminals can upload almost virtually everything from your Android phone to examine at leisure in some foreign country.

    Everyone knows about that by now and should have taken steps to protect themselves and their identity by not using the built in Android web browser.

    The second step should have been to kick Google programmers and the Open Source community activists in the nuts for allowing that Android flaw to still exist and not fixing it.

    Waledac probably sat there laughing, "So many Androids, so little time!"
    vic.healey@...
    • Microsoft Problem.

      @vic.healey@...

      "Before its eventual take down the Waledac botnet consisted of an estimated 70,000-90,000 [2] computers infected with the "Waledac" computer worm."

      "The botnet itself was capable of sending about 1.5 billion spam messages a day, or about 1% of the total global spam volume.[3][4]"

      "On February 25, 2010, Microsoft won a court order which resulted in the temporal cut-off of 277 domain names which were being used as command and control servers for the botnet, effectively crippling a large part of the botnet.[5] However, besides operating through command and control servers the Waledac worm is also capable of operating through peer-to-peer communication between the various botnet nodes, which means that the extent of the damage is difficult to measure.[6]"

      "In early September 2010, Microsoft was granted ownership of the 276 domains used by Waledac to broadcast spam email.[7]"

      ( http://en.wikipedia.org/wiki/Waledac )

      Nice Try. Android is based on Linux, not Microsoft.
      Joe.Smetona
  • RE: 500,000 stolen email passwords discovered in Waledac's cache

    Any email provider that does not store only a hash (say, SHA256, MD5, et al) of the passwords, then just compare the stored hash to the hash of the entered password during logon, deserves a nice fat lawsuit if they then allow the stored passwords to be compromised.
    Darr247
    • RE: 500,000 stolen email passwords discovered in Waledac's cache

      @Darr247

      And if a botnet uses a dictionary attack and sends the login using MD5 protocols it will either succeed or fail.

      If it succeeds then they have your password.

      MD5 does not stop dictionary attacks.

      Botnets use dictionary attacks.
      richardw66
  • RE: 500,000 stolen email passwords discovered in Waledac's cache

    I wonder if this is what was sending the email that nailed a bunch of people from my workplace. Despite all security measures, the weakest link in the fence is sitting right behind the keyboard.
    VRSpock