A little more Waledac Data
Posted by jeremy on April 17th, 2009
As many of you already probably know the Waledac Botnet Social Engineering theme changed to a “SMS Spy on your Partner” theme at approximately 0500 CST or 1000 UTC/GMT on April 15th. This was first brought to my attention by Bob Burls from Cranfield University in the UK, and he was also kind enough to share with me this screen shot of the new campaign.
Thanks Bob for the screen shot and the information!
Interesting enough this theme is very similar to the “Couponizer Theme” we saw in late February, as it is a spoof from a legitimate company’s web site. The image and theme are based off the SPY-SMS website, which appears to offer mobile phone spy software.
I pulled a few interesting statistics from my database and thought I would share them with everyone. Over the last 30 days the Waledac Botnet infections appear to be very steady or normalized, as there are very little differences in the number of new infections found by my Waledac Tracker scripts depicted here:
New Infections By IP Count Last 30 Days
| IPs | Date |
|---|---|
| 74 | 2009-04-17 |
| 88 | 2009-04-16 |
| 226 | 2009-04-15 |
| 94 | 2009-04-14 |
| 99 | 2009-04-13 |
| 154 | 2009-04-12 |
| 151 | 2009-04-11 |
| 179 | 2009-04-10 |
| 220 | 2009-04-09 |
| 201 | 2009-04-08 |
| 337 | 2009-04-07 |
| 359 | 2009-04-06 |
| 374 | 2009-04-05 |
| 530 | 2009-04-04 |
| 326 | 2009-04-03 |
| 258 | 2009-04-02 |
| 221 | 2009-04-01 |
| 200 | 2009-03-31 |
| 252 | 2009-03-30 |
| 273 | 2009-03-29 |
| 222 | 2009-03-28 |
| 247 | 2009-03-27 |
| 235 | 2009-03-26 |
| 182 | 2009-03-25 |
| 236 | 2009-03-24 |
| 303 | 2009-03-23 |
| 317 | 2009-03-22 |
| 272 | 2009-03-21 |
| 301 | 2009-03-20 |
| 259 | 2009-03-19 |
In comparison here is a table of the most active days by new IP counts:
Most Active Days By New IP Counts
| New IPs | Date |
|---|---|
| 1326 | 2009-02-07 |
| 1297 | 2009-02-08 |
| 1236 | 2009-02-01 |
| 1138 | 2009-01-22 |
| 1080 | 2009-01-24 |
| 1075 | 2009-01-23 |
| 1047 | 2009-02-09 |
| 1044 | 2009-02-06 |
| 974 | 2009-02-02 |
| 954 | 2009-02-04 |
Another interesting statistic I pulled was the number of unique binary names seen every day for the last 15 days:
Unique Binary Name Counts for Last 15 Days
| Date | Unique Names |
|---|---|
| 2009-04-17 | 9 |
| 2009-04-16 | 9 |
| 2009-04-15 | 10 |
| 2009-04-14 | 6 |
| 2009-04-13 | 6 |
| 2009-04-12 | 6 |
| 2009-04-11 | 6 |
| 2009-04-10 | 6 |
| 2009-04-09 | 6 |
| 2009-04-08 | 6 |
| 2009-04-07 | 6 |
| 2009-04-06 | 6 |
| 2009-04-05 | 6 |
| 2009-04-04 | 6 |
| 2009-04-03 | 6 |
| 2009-04-02 | 6 |
As you can see these stats look fairly normalized or evenly distributed. As a comparison here is the top five dates with counts for the number of unique binary names seen in one day:
Top 5 Dates By Unique Binary Name Counts
| Date | Unique Names |
|---|---|
| 2009-02-22 | 27 |
| 2009-02-17 | 26 |
| 2009-02-19 | 25 |
| 2009-02-13 | 23 |
| 2009-02-15 | 23 |
As you can see the “Couponizer Theme” campaign during the end of February consisted of a larger variation of binary names, when compared to the last two campaigns.
The last statistic I am going to post is the number of IPs that were last seen by my Waledac Tracking scripts in the month of April.
Number of IPs By Last Seen Date Counts for April
| IPs | Date |
|---|---|
| 567 | 2009-04-17 |
| 72 | 2009-04-16 |
| 202 | 2009-04-15 |
| 143 | 2009-04-14 |
| 162 | 2009-04-13 |
| 120 | 2009-04-12 |
| 103 | 2009-04-11 |
| 171 | 2009-04-10 |
| 221 | 2009-04-09 |
| 149 | 2009-04-08 |
| 465 | 2009-04-07 |
| 453 | 2009-04-06 |
| 437 | 2009-04-05 |
| 500 | 2009-04-04 |
| 552 | 2009-04-03 |
| 281 | 2009-04-02 |
| 244 | 2009-04-01 |
For a comparison here are the most active last seen days in my database.
Most Active Last Seen Dates By IP Count
| IPs | Date |
|---|---|
| 1408 | 2009-02-08 |
| 1177 | 2009-02-07 |
| 1161 | 2009-01-22 |
| 1099 | 2009-01-23 |
| 1058 | 2009-02-04 |
Looking at this last table I would assume that during the end of January and beginning of February the Waledac Binary was well detected by Antivirus Companies, as it looks like a number of systems were cleaned up during that time period. Now these statistics may or may not show the true depiction of the Waledac Bots, as I am crawling the Bots that have public IP addresses and not the Spamming Bots with NATed IP addresses.
April 27th, 2009 at 10:45 am
Now many Waledac pages redirect to pharmacy site
http://edetools.blogspot.com/2009/04/aggiornamento-waledac-27-aprile-09.html
Edgar