Monitoring the Waledac Zombies
Posted by jeremy on February 27th, 2010
It looks like Microsoft’s tactics for taking down the Waledac Botnet have been extremely successful and have even rendered my Waledac Tracker pretty much dead in the water, which is a good thing. With that, there are now thousands of Waledac-infected zombie computers out there still serving up the last binary payload they received before the takedown went into effect. To pseudo-track these zombies I have turned my Waledac binary scraping scripts back on. If the botmasters are unsuccessful at regaining control of their botnet, the MD5 sum I calculate for the binary payload I grab from these zombies should never change. Right now it is: 8a542087ff572182bb25c36e88ce9de2. If the botmasters somehow figure out a way to regain control of the Waledac Botnet, I am sure one of the first tasks they will perform is a binary payload update, so this should be a fairly decent method for monitoring the zombies. Now, since my binary scraping scripts are pretty dumb/lame, a corrupted download could cause the MD5 sum to change from time to time, but the overall trend should easily allow us to identify these corrupted binary downloads. An example of this would be the download I grabbed at “2010-02-27 04:26:11” with the following MD5: d31c54578951c4ff3114f008256e1a97. It is easy to spot in the following snapshot of this morning’s table display shown here:
I would also assume that spam is probably still being pushed out of the zombies as well, but I haven’t really done any investigations into this, so I can’t say for sure. From what I have gathered from other security folks, the global spam trackers haven’t really seen an impact yet. I guess only time will tell what the next step is for the Waledac authors and how they plan to deal with this beheading.
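The hash-trend logic described above, as an added example rather than the tracker’s own scripts: it takes a constructed log of (timestamp, MD5) grabs using the two hashes from the post (timestamps other than 04:26:11 are made up), treats the most common hash as the “last payload before takedown” baseline, flags isolated deviations as corrupted downloads, and only calls a sustained run of a new hash a candidate payload update. The run length of 3 is an assumed threshold.

```python
import hashlib
from collections import Counter

# Constructed sample of the tracker's table: the two hashes are from the post,
# all timestamps except 04:26:11 are invented for illustration.
SAMPLE_LOG = [
    ("2010-02-27 03:10:02", "8a542087ff572182bb25c36e88ce9de2"),
    ("2010-02-27 03:42:37", "8a542087ff572182bb25c36e88ce9de2"),
    ("2010-02-27 04:26:11", "d31c54578951c4ff3114f008256e1a97"),  # corrupted grab
    ("2010-02-27 05:01:45", "8a542087ff572182bb25c36e88ce9de2"),
    ("2010-02-27 05:33:19", "8a542087ff572182bb25c36e88ce9de2"),
]


def md5_of(payload: bytes) -> str:
    """MD5 of a downloaded payload, as recorded in the tracker table."""
    return hashlib.md5(payload).hexdigest()


def baseline_hash(records):
    """Most frequent hash = the payload the zombies were left serving."""
    return Counter(h for _, h in records).most_common(1)[0][0]


def classify(records, run_length=3):
    """Return (baseline, corrupted, updated).

    A deviating hash that does not persist for run_length consecutive grabs
    is treated as a corrupted download. A run of run_length or more identical
    new hashes is reported as a candidate payload update (first timestamp, hash).
    """
    base = baseline_hash(records)
    corrupted, updated = [], None
    i = 0
    while i < len(records):
        ts, h = records[i]
        if h == base:
            i += 1
            continue
        j = i
        while j < len(records) and records[j][1] == h:  # extent of this deviation
            j += 1
        if j - i >= run_length:
            updated = (ts, h)
            break
        corrupted.extend(records[i:j])
        i = j
    return base, corrupted, updated
```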

March 3rd, 2010 at 9:53 am
[...] note that, according to the sudosecure.net portal, the measures have been successful and a significant decrease has been observed in the activity of the [...]