Last-minute paper reserve: The Waledac botnet: understanding it and breaking it

Pierre-Marc Bureau ESET
Joan Calvet Ecole Polytechnique de Montreal

The Waledac malware family clearly is Storm Worm 2.0: The code for both families is completely different but their functionalities and modus operandi are exactly the same. Waledac, just like Storm, uses a layered peer-to-peer network to communicate, propagates through malicious links, and is used to send huge amounts of spam. A bit like Web 2.0, Waledac introduces new vulnerabilities that were avoided by its predecessor.

In this presentation, we give an in-depth description of the Waledac malware family and its evolution. We explain the behaviour of its custom protection layer, its information-stealing capabilities and its business model. We also discuss the inner workings of its peer-to-peer network, how new peers connect to the network and how they send information back to the operators. Finally, we expose weaknesses that could be exploited to disrupt the botnet's activity and how Waledac's operators are working toward fixing them.

VB Conferences

VB2011 (Barcelona)

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)

‘I attend a variety of security conferences and events each year and VB continues to be my favourite. Great content, great networking, great organisation.’