Walking Waledac

First, it looks like Waledac is the Storm Worm infrastructure and group but with new malcode. I now fully support this conclusion and have for several days based on evidence from reliable sources.

OK, now that that is out in the open, one of the things we in the research community noticed about the Storm Worm network was that nodes acted as both an HTTP proxy and an open recursing DNS server. This is useful if we want to get geographically dispersed queries because the network itself is global in nature.

So, I wrote a small program dubbed “nswalk” that queries the Storm nodes for their own domain names. What you do is seed the tool with a domain name like “livechristmascard.com” and an IP address of a name server and voila, it gets to work. It queries the DNS server and gets an IP back for the name, then goes to that new IP to ask it the same question again. Lather, rinse, repeat … Since they’re open recursive resolvers and, at least at present, the names have a 0 second TTL, every time you query the server you’ll get a fresh, non-cached answer. And because you’re talking to new servers you can minimize the geographic biases the system may introduce. Keep track of when you got the answers and you have a very interesting data set.

So, a friend of mine, C, ran this for many hours over the domain names and found some interesting results. So far, two data sets pop out almost immediately. The first is unique IPs for the network by hour in his run. Data was collected over the 11th and 12th of January using the “nswalk” tools I shared with him. There are a couple of strong biases in there for a few hours that may indicate a strong geographic bias (e.g. Europe, Asia or North America), but I haven’t dug into the data to see if that’s the case.

Waledac nodes found by hour, all domains

The second data set is the number of unique IPs for this measurement (~30 hours’ worth) by domain name. With a few exceptions, they’re all roughly in the same ballpark, just like we saw with the previous batch of Storm Worm fast flux domain names.

Waledac nodes by domain name

The tool gathered 1336 total unique IPs overall in its run. Again, consistent with active DNS mining measurements of the visible parts of the Storm Worm network.
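The walk and the two tallies described above (unique IPs by hour and by domain name), as an added example that is not the original nswalk code. The `query` callback stands in for sending an A query to a node; here it is a constructed offline simulation, and the pool addresses, seed name server, 600-second clock tick and the restart-from-seed behaviour for a dead node are all assumptions.

```python
import time
from collections import defaultdict

def nswalk(domain, seed_ip, query, steps, clock=time.time):
    """Walk the network; return a list of (timestamp, domain, ip) answers."""
    observations, current = [], seed_ip
    for _ in range(steps):
        answers = query(current, domain)   # A records from this node's resolver
        if not answers:                    # node offline or not recursing
            current = seed_ip              # assumption: restart from the seed
            continue
        observations.extend((clock(), domain, ip) for ip in answers)
        current = answers[0]               # ask the newly learned node next
    return observations

def unique_ips(observations, key):
    """Count distinct IPs per bucket; key maps an observation to its bucket."""
    buckets = defaultdict(set)
    for obs in observations:
        buckets[key(obs)].add(obs[2])
    return {bucket: len(ips) for bucket, ips in buckets.items()}

# Constructed offline stand-in for the network: no packets are sent.
POOL = ["192.0.2.%d" % i for i in range(1, 11)]   # documentation-range IPs
DEAD = {"192.0.2.4"}                              # a node that never answers
SEED_NS = "198.51.100.53"

def make_simulation(tick=600):
    # 0-second TTL: every query gets the next POOL entry, never a cached one.
    state = {"queries": 0, "now": -tick}
    def query(server_ip, domain):
        if server_ip in DEAD:
            return []
        state["queries"] += 1
        return [POOL[(state["queries"] - 1) % len(POOL)]]
    def clock():                           # fake clock: +tick s per answer
        state["now"] += tick
        return state["now"]
    return query, clock

def demo():
    query, clock = make_simulation()
    obs = nswalk("livechristmascard.com", SEED_NS, query, 12, clock)
    per_hour = unique_ips(obs, lambda o: int(o[0] // 3600))
    per_domain = unique_ips(obs, lambda o: o[1])
    return obs, per_hour, per_domain

if __name__ == "__main__":
    print(demo()[1:])
```

Note that the dead node still shows up in the tallies: it was handed out in a DNS answer before the walk found it unresponsive, so answer-based counts include nodes that are advertised but not reachable.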

Many thanks to C for running this experiment. We’re still digging into the data to see what else is hiding in there.

Edited to fix my typo-ing of the name of the malcode.