Abstract

The Waledac malware first appeared in November 2008, shortly after the Storm botnet became inactive. This malware is currently quite prominent and active. Its main propagation mechanism is social engineering: schemes that entice or trick users into downloading and executing the malware binaries. The Waledac malware differs significantly from the Storm malware. For example, unlike Storm, Waledac utilises strong cryptographic algorithms, such as AES and RSA with 128-bit and 1024-bit keys, respectively. There are, however, a number of design and implementation errors and weaknesses in the malware which make it relatively easy to intercept, analyse and modify, and even to replay, Waledac's communication traffic. Interestingly, some of these design and implementation errors and weaknesses were also present in the Storm malware. In this paper, we present the results of our analysis of Waledac. To facilitate our analysis, we captured several versions of the malware binaries and reverse engineered them. We also executed the binaries in secure environments and observed their communication traffic. Our analysis provides valuable insights into the inner workings of the Waledac malware and the botnet it constitutes. In addition to giving details of the mode of operation of Waledac, we highlight some of the weaknesses of Waledac, outline some of the differences and similarities between Waledac and Storm, and suggest means by which the Waledac botnet can be infiltrated and disrupted.
