sudosecure.net

              is anything truly secure…

Archive for January, 2009

Waledac Tracker Revamped

Posted by jeremy on 21st January 2009

I completely rewrote my Fast Flux tracking scripts a few weeks ago, and have finally found the time to write a new web interface for the statistics and data I am gathering with these new scripts.  There are some interesting statistics in all this data that contradict some of my initial thoughts on the Waledac Trojan, such as which country I was seeing the most infections from.  I originally thought the United States was leading the way, but today’s data snapshot shows China out in front, followed by the Republic of Korea, and then the United States.  Here is a GChart, generated by my new Waledac Tracking Web Interface, showing the top 10 countries by IP count to demonstrate this.

[Image: Top 10 Countries]

Obviously this data could change as more hosts are indexed, but I found it interesting nonetheless.

It appears that the non-NATed Waledac Trojan infected nodes serve three main functions: Web Proxy, DNS, and Spam Template relays.  Since these non-NATed nodes can serve as both a DNS server and a domain destination, I thought it would be interesting to separate out the Name Server IP addresses from the normal domain IP addresses.  Basically, what I did when I revamped the back-end tracking scripts was separate the NS records from the A records, which produced a very different statistical distribution than I would have initially guessed.  I originally would have guessed that the Name Server IP addresses would be far less widely distributed than the Domain IP addresses in this Double Fast Flux network.

[Image: Top 10 Countries NS]

As you can see my guess was wrong: the distribution of Name Server IPs is right in line with the distribution of Domain IPs, with China leading the way, the Republic of Korea in second place, and finally the United States in third.  All of these countries show about the same number of NS records as they do A records.  Based on these numbers, it would appear that the Waledac Trojan authors distribute both NS record and A record changes/rotations evenly throughout their botnet.
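The NS/A split described above, written out as an added example (not the tracker's own scripts): a constructed crawler snapshot of one flux domain is separated into Name Server IPs and Domain IPs, each bucket keeps first-seen and last-seen dates (the "longevity" the menu sections refer to), and both buckets are tallied per country through a constructed IP-to-country map standing in for a GeoIP/ASN lookup. The domain name and all record values are made up.

```python
from collections import Counter
from datetime import date

# Constructed crawler snapshot (not real tracker data): one row per record
# observed in a TTL window: (day_seen, owner_name, record_type, value).
# NS values are host names; A values are IPs. A rows whose owner is one of
# the NS host names are the resolution (glue) of those name servers.
DOMAIN = "example-card.test"
SNAPSHOT = [
    (date(2009, 1, 18), DOMAIN, "NS", "ns1." + DOMAIN),
    (date(2009, 1, 18), "ns1." + DOMAIN, "A", "203.0.113.7"),
    (date(2009, 1, 18), DOMAIN, "A", "198.51.100.20"),
    (date(2009, 1, 18), DOMAIN, "A", "203.0.113.7"),   # same host is NS and content node
    (date(2009, 1, 20), DOMAIN, "NS", "ns2." + DOMAIN),
    (date(2009, 1, 20), "ns2." + DOMAIN, "A", "198.51.100.9"),
    (date(2009, 1, 21), DOMAIN, "A", "198.51.100.20"),
]
# Constructed IP -> country map standing in for a GeoIP/ASN lookup.
GEO = {"203.0.113.7": "CN", "198.51.100.20": "KR", "198.51.100.9": "US"}

def split_ns_and_a(snapshot, domain):
    """Return (ns_ips, a_ips): ip -> (first_seen, last_seen). The buckets are
    kept apart so an IP that plays both roles is counted in each."""
    ns_hosts = {v for _, name, rtype, v in snapshot if name == domain and rtype == "NS"}
    ns_ips, a_ips = {}, {}
    for day, name, rtype, value in snapshot:
        if rtype != "A":
            continue
        if name in ns_hosts:
            bucket = ns_ips          # answer for a name server host
        elif name == domain:
            bucket = a_ips           # answer for the flux domain itself
        else:
            continue
        first, last = bucket.get(value, (day, day))
        bucket[value] = (min(first, day), max(last, day))
    return ns_ips, a_ips

def longevity_days(seen):
    """Life span as the page defines it: days between first and last seen."""
    first, last = seen
    return (last - first).days

def country_counts(ip_table, geo):
    return Counter(geo.get(ip, "??") for ip in ip_table)

if __name__ == "__main__":
    ns, a = split_ns_and_a(SNAPSHOT, DOMAIN)
    print("NS IPs by country:", country_counts(ns, GEO))
    print("A IPs by country: ", country_counts(a, GEO))
    print("dual-role IPs:", sorted(set(ns) & set(a)))
    for ip, seen in a.items():
        print(ip, "longevity", longevity_days(seen), "days")
```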

Now for a little more information about the web interface I wrote to summarize and share this data with the public.  The major design objective I strove for was to let anyone view the overall statistics in summarized table formats, with the ability to drill down and/or search out targeted views of interest as they see fit.  Almost every table in this web interface can be searched with the text input field and the drop-down box at the top of every page.  There are no wildcards per se, but all search strings are matched in a loose manner.  Let me explain this with an example.  Let's say you own the following Class C IP space, “221.226.85.0/24”, and wanted to see if my data set contained any of your nodes.  You can enter “221.226.85” into the search field like this:

[Image: IP search example]

Click the “Submit Query” button and your results should look something like this:

[Image: Search results example]

This type of “loose” matching is not just for IP address ranges, and can be performed on any of the drop-down fields for your convenience.  Another feature I tried to accommodate was the ability to drill down on data by clicking individual fields.  Any field that is underlined and in bold face type can be clicked to drill down on that particular piece of data, providing a more targeted view.  This can be handy for drilling down on Countries, Regions, Cities, and/or ASNs.
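The “loose” search from the example above, as an added illustration (not the tracker's own code), beside the check a practitioner would want before treating a hit as "my address space": a plain substring test also returns addresses that merely contain the digits, and a string prefix such as "221.226.8" also returns 221.226.85.x. The octet-boundary and CIDR variants below avoid that; the rows are constructed sample data.

```python
import ipaddress

# Constructed tracker rows (ip, country) standing in for the database.
ROWS = [
    ("221.226.85.14", "CN"),
    ("221.226.85.200", "CN"),
    ("221.226.8.5", "CN"),       # a different block: 221.226.8.0/24
    ("10.221.226.85", "US"),     # search string appears mid-address
    ("61.221.226.85", "TW"),
]

def loose_match(rows, needle):
    """The interface's 'loose' search: a plain substring test, no wildcards."""
    return [ip for ip, _ in rows if needle in ip]

def octet_prefix_match(rows, needle):
    """Match only on whole leading octets, so '221.226.8' cannot pull in
    221.226.85.x the way a substring or string-prefix test would."""
    want = needle.rstrip(".").split(".")
    return [ip for ip, _ in rows if ip.split(".")[:len(want)] == want]

def cidr_match(rows, cidr):
    """Network-aware match for an arbitrary block, e.g. '221.226.85.0/24'."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [ip for ip, _ in rows if ipaddress.ip_address(ip) in net]

if __name__ == "__main__":
    print("loose  '221.226.85':", loose_match(ROWS, "221.226.85"))
    print("octets '221.226.85':", octet_prefix_match(ROWS, "221.226.85"))
    print("cidr   221.226.85.0/24:", cidr_match(ROWS, "221.226.85.0/24"))
    print("loose  '221.226.8':", loose_match(ROWS, "221.226.8"))
    print("octets '221.226.8':", octet_prefix_match(ROWS, "221.226.8"))
```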

The last portion of the web interface I want to go over is the Menu at the top of every page, which looks like this:

[Image: Menu snapshot]

Here is a little overview of what each section can provide you.

  • Tracker Summary – This is the index page or summary view of the data in the database.  You will find GCharts, Most Seen Statistics, and Last Seen Statistics on this page.  Many of the fields let you click through to drill down into the highlighted statistic quickly and easily.
  • Binaries – Waledac Trojan Binary Data Statistics and Summaries
    • Harvested – Summary data of all the binaries retrieved, sorted by default on last seen date.
    • Activity – Summary data of binaries retrieved, grouped by IP and sorted by the number of binaries retrieved from a particular IP address.
    • Names – Summary data based on the binary names, sorted by the last date seen.
    • Longevity – This data represents the current life span of an IP.  This number is the number of days between an IP’s first seen date and its last seen date.
  • Fast Flux IPs – Waledac Trojan A record Nodes Data Statistics and Summaries
    • Harvested – Summary data of all the IPs and their associated information, sorted by the last seen date.
    • Activity – Summary data of all the IPs and their associated information, sorted by the number of times seen.
    • Domains – Summary data of all the Domains and their associated statistical summary information, sorted by last seen date.
    • Countries – Summary data of all the Countries and their associated statistical summary information, sorted by number of times seen.
    • ASNs – Summary data of all the ASNs and their associated statistical summary information, sorted by number of times seen.
    • Longevity – This data represents the current life span of an IP.  This number is the number of days between an IP’s first seen date and its last seen date.
  • Name Server IPs – Waledac Trojan Name Server Nodes Data Statistics and Summaries
    • Harvested – Summary data of all the IPs and their associated information, sorted by the last seen date.
    • Activity – Summary data of all the IPs and their associated information, sorted by the number of times seen.
    • Domains – Summary data of all the Domains and their associated statistical summary information, sorted by the last seen date.
    • Countries – Summary data of all the Countries and their associated statistical summary information, sorted by number of times seen.
    • ASNs – Summary data of all the ASNs and their associated statistical summary information, sorted by number of times seen.
    • Longevity – This data represents the current life span of an IP.  This number is the number of days between an IP’s first seen date and its last seen date.
    • Name Servers – Summary data of all the Name Servers and their associated statistical summary information, sorted by the number of times seen.

That is a basic overview of what is available via the new Waledac Trojan Tracking Web Interface, and I am always open to suggestions if you're not seeing a statistic that would be of some use to you.  I do have a few more modifications or updates that I would like to implement the next chance I get, but I figured that the interface was complete enough to go ahead and make it publicly available.  As always, if you have any questions or comments feel free to leave them here or hit me up via email.

Disclaimer:

This data is collected by dumb scripts and may or may not be 100% accurate.  If you have any issues with the data feel free to contact me, and I may choose to fix the issue or may choose not to, depending on whether or not I feel your request is valid and/or pertinent.  When using this data please understand that some IP ranges utilize things like DHCP, which could affect the accuracy of the data contained within this data set.  Just because an IP is listed here does not mean with 100% certainty that it is infected with the Waledac Trojan.  I have attempted to make this data as accurate as possible, but like all things in life I am not perfect and don’t claim to be.  This data also does not represent the true size of the complete Waledac botnet, as I cannot reach out to NATed spamming nodes.  This data is offered “as is” with no guarantees or warranties, expressed or implied, as to the accuracy, reliability or completeness of the furnished data.  I reserve all rights to the availability of this data and will block anyone attempting to automate the retrieval of this data.  If you would like an automated solution for retrieving this data, contact me and we may be able to come up with a way to meet your needs.

Posted in Site Update, Tools, Waledac | 11 Comments »

Some Waledac Stats

Posted by jeremy on 12th January 2009

I had a few spare minutes today and ran some quick queries on some of the data collected by my Waledac Tracking Scripts.  The first set of queries I did were for the ASN information against the IP addresses that I actually retrieved Waledac Trojan binaries from.  Here is a text file of the bulk queries I ran against Team Cymru’s ASN whois database: asn_binary_ips.  Here are some summary stats:

Country Count
US 140
EU 6
AU 3
FR 10
TW 8
KR 17
JP 2
RU 1
PL 15

So it appears that most of the hosts I have retrieved Waledac Trojaned binaries from are located in the US.  I also have some scripts that crawl the Double Fast Flux network for NS records and A records, since both of them change as the TTL expires.  The Waledac botnet seems to follow the same tactics the Storm Worm did, where the malicious web servers, DNS servers, and spam bots all reside on the same compromised hosts.  These hosts use the Nginx web server to proxy requests through compromised bots to the main command and control (C&C) servers to conceal their identities.  Unlike the Storm botnet, the Waledac botnet does not appear to use a P2P network to exchange bot nodes; instead it seems to exchange bot nodes over HTTP via encrypted channels.  I have not had a chance to dive deep into the Waledac Trojan’s binary, but it is definitely on my to-do list.  With that being said, here are some stats from my Waledac crawler scripts: ips_asn.

Country Count
US 1442
EU 117
AU 69
FR 66
TW 64
KR 206
JP 29
RU 23
PL 186

My crawler scripts are really just Fast Flux brute-force scripts, so by no means do they represent the actual size of this botnet or its true geographical distribution.  With that being said, it looks like the US is leading the way with infected bots.  For many of us the Waledac Trojan appears to be a nuisance that may be hard to shut down or combat with our traditional methods such as IP blocks, DNS blackholing, spam filtering, and proxies.  With that being said, I would recommend user training and awareness, which is one of the hardest things to actually do.  We really need to get the average end user up to speed and educated on these types of malware.  I am not sure what the best approach is, but disseminating information to your end users would be a good start.  Preach to them that video codecs, ecards, and news articles do not require them to install executables to be viewed, and that if they are prompted to install these they should contact the help desk or their system administrator immediately.  Trojans like Waledac and the old Storm Worm use these social engineering tactics very well, but from time to time they also carry exploit packs like Mpack to hit users with an array of exploits in a structured and very effective manner.  Although Mpack has been dead for a while, it is just an example; exploit packs like El Fiesta are seen in the wild daily, so don’t let your guard down by assuming that a user who did not download the binary is not infected.  The best advice I can give right now is to visit the machine and do some quick forensic checks to verify the host is not infected.  Once I have time to really dive into this Trojan, I will post what I find to hopefully aid in identifying compromised hosts, and maybe even some IDS signatures.

As always, if you have any questions or comments feel free to hit me up.  Good luck with this new threat, as it seems to be a persistent Trojan that may be here to stay for a while.

Posted in Waledac | 1 Comment »

Waledac Binary Tracking

Posted by jeremy on 2nd January 2009

I received a request earlier today to start tracking the Waledac Trojan like I had the Storm Worm, and, since they both use the same tactics, I figured why not.  I just finished modifying my Storm Binary Tracking scripts to monitor the Fast Flux network of Waledac and its web pages.  You can find the data from the binary tracking scripts here: Waledac Tracker.  I don’t know yet how much time or effort I will put into tracking this Trojan, but since I am publishing this data I will go through a quick summary of what the Waledac Trojan is.

The Waledac Trojan is delivered as a URL link inside spam messages.  The current web page looks like this:

[Image: Waledac website]

The web page is really just one large GIF image, “img.gif”, that links to “postcard.exe”.  This ensures that any stray user click on the web page will prompt the user to download the “postcard.exe” binary, which is the Waledac Trojan.  There is also an IFRAME embedded in the web page that points to “hxxp://seocom.mobi/rotate/c.php?eb0h”, but when I went to retrieve this page I got a 403 error stating I didn’t have permission to access it.  From other articles and blog posts I have read, this is where the Waledac Trojan tries multiple exploits, but since I can’t access the page right now I can’t confirm this.  One thing I did note that I haven’t seen posted yet is that although the Waledac Trojan web page is being served by Nginx/0.63.4, the seocom.mobi site is being served by an Apache 1.3.41 server.  Here are some settings I found for the Apache server:

Apache/1.3.41 (Unix) PHP/4.4.9 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8b
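The two traits of the lure page described above (an image wrapped in a link to an executable, plus an IFRAME pointing off-site) are exactly what a defender can check captured pages for. Here is an added scanner (not the blog's own script) built on Python's html.parser; the HTML it runs over is a constructed stand-in, and the iframe host and page host are placeholder names.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the lure page described above (not a real capture).
SAMPLE_PAGE = """
<html><body>
<a href="postcard.exe"><img src="img.gif" width="800" height="600"></a>
<iframe src="http://third-party.example/rotate/c.php?x" width="1" height="1"></iframe>
</body></html>
"""

EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com")

class LureScanner(HTMLParser):
    """Collects (a) images wrapped in links to executables and (b) iframes
    whose host differs from the page's own host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.open_exe_link = None   # href of the <a> we are currently inside
        self.exe_image_links = []   # (href, img src) pairs
        self.offsite_iframes = []   # iframe src values on another host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            href = a.get("href") or ""
            if urlparse(href).path.lower().endswith(EXEC_SUFFIXES):
                self.open_exe_link = href
        elif tag == "img" and self.open_exe_link:
            self.exe_image_links.append((self.open_exe_link, a.get("src") or ""))
        elif tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).hostname
            if host and host != self.page_host:
                self.offsite_iframes.append(src)

    def handle_endtag(self, tag):
        if tag == "a":
            self.open_exe_link = None

def scan_page(html, page_host):
    s = LureScanner(page_host)
    s.feed(html)
    return {"exe_image_links": s.exe_image_links,
            "offsite_iframes": s.offsite_iframes,
            "suspicious": bool(s.exe_image_links or s.offsite_iframes)}

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE, "lure.example"))
```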

The Shadowserver Foundation has a really good write-up on this Trojan, and if you haven’t read it yet here it is: Waledac is Storm is Waledac? Peer-to-Peer over HTTP.. HTTP2p?.  They also have a nice collection of current domain names being used to host the web pages, so if nothing else grab those domains and start implementing DNS blackholing, or add them to your proxy configurations to prevent your users from even visiting these sites.

So far I have seen 142 IPs with my tracking scripts.

I can’t say these are all bad or related to the Waledac Trojan, but I can tell you that these were IP addresses found as A records in the Waledac Trojan Name Servers.  The only IPs I ever claim to be 100% sure are/were associated with the badness are the ones I actually grab a binary from, and those can now be found via the Waledac Tracker.

If you have any questions or comments feel free to email me anytime, and also let me go ahead and wish you all a belated HAPPY NEW YEAR!

Posted in Bots and Worms, Site Update, Waledac | 3 Comments »