Recycled Botnets

Earlier in the year, Palo Alto Networks researchers used WildFire to track down a new variant of the Waledac/Kelihos botnet making the rounds through Europe. You can read the original post here. Since our initial analysis, this new botnet has continued to expand and evolve, and the team has continued to dig into the malware. In fact, our most recent Threat Review covered this botnet in detail, which you can view here.

First and foremost, we have detected many variations of the botnet’s infecting file. To date, we have captured hundreds of files, all with unique hash values but with behavior identical to the original Waledac/Kelihos sample. Keep in mind that all of these samples were captured on live enterprise networks protected by Palo Alto Networks firewalls, so there are obviously many more variants out there in the wild.

With some deeper analysis, we were able to uncover how the malware is able to change its signature, how it communicates and, most importantly, how to protect your networks from it. Of particular note, we verified that even though the malware signature changes, the command and control traffic remains the same. Since Palo Alto Networks generates signatures for both the infecting file and the command and control traffic, our customers can immediately block any traffic from the hundreds of Waledac variants we have observed. Furthermore, we observed the malware sending HTTP traffic over dozens of arbitrary ports in order to establish communication channels to other peers. Since Palo Alto Networks provides the option to limit traffic to the default application or service for a given port, users can quickly and easily block botnet communications that use this technique.
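As an added example that is not Palo Alto Networks' code and does not use a real PAN-OS log format, the following Python script applies the same idea defensively: it parses constructed flow records and flags hosts whose HTTP traffic fans out to several non-default destination ports, the peer-communication pattern described above. The default-port set, the log layout and the alert threshold are assumptions made for the example.

```python
from collections import defaultdict

# Ports on which HTTP is expected (the "application-default" idea); an assumption.
HTTP_DEFAULT_PORTS = {80, 8080}

# Constructed sample flow records (not real PAN-OS logs): src, dst, dst port, app.
SAMPLE_LOGS = """\
2012-05-01T10:00:01 src=10.1.1.5 dst=93.184.216.34 dport=80 app=web-browsing
2012-05-01T10:00:03 src=10.1.1.5 dst=198.51.100.7 dport=8080 app=web-browsing
2012-05-01T10:00:05 src=10.1.1.9 dst=203.0.113.4 dport=11011 app=web-browsing
2012-05-01T10:00:06 src=10.1.1.9 dst=203.0.113.88 dport=5632 app=web-browsing
2012-05-01T10:00:07 src=10.1.1.9 dst=198.51.100.12 dport=44521 app=web-browsing
2012-05-01T10:00:09 src=10.1.1.9 dst=192.0.2.200 dport=9090 app=web-browsing
2012-05-01T10:00:10 src=10.1.1.9 dst=192.0.2.15 dport=443 app=ssl
2012-05-01T10:00:12 src=10.1.1.22 dst=192.0.2.77 dport=3128 app=web-browsing
"""

def parse_flow(line):
    """Parse one 'key=value' flow record (timestamp first) into a dict; dport is int."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    fields["dport"] = int(fields["dport"])
    return fields

def http_on_nonstandard_ports(log_text):
    """Return {src: set(dports)} for HTTP flows on ports outside HTTP_DEFAULT_PORTS.
    Flows whose application is not HTTP (e.g. ssl on 443) are ignored."""
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["app"] == "web-browsing" and f["dport"] not in HTTP_DEFAULT_PORTS:
            offenders[f["src"]].add(f["dport"])
    return dict(offenders)

def suspected_peers(log_text, min_ports=3):
    """Hosts whose HTTP reaches >= min_ports distinct non-default ports: the fan-out
    of a peer-to-peer bot rather than a single internal web service on an odd port."""
    return sorted(src for src, ports in http_on_nonstandard_ports(log_text).items()
                  if len(ports) >= min_ports)

if __name__ == "__main__":
    hits = http_on_nonstandard_ports(SAMPLE_LOGS)
    for host in suspected_peers(SAMPLE_LOGS):
        print("HTTP on arbitrary ports from", host, sorted(hits[host]))
```

The single hit on 10.1.1.22 (one proxy-like port) stays below the threshold, which is what separates a misconfigured service from the many-port peer traffic the post describes.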

Be sure to check the recording of the Threat Review for details of the analysis of the Waledac/Kelihos botnet. Also, if you are currently running PAN-OS 4.1, be sure to enable the WildFire feature in order to start finding and protecting yourself from unknown malware. A brief demonstration of WildFire, along with configuration instructions, is covered in the video linked above.