Guest Blog: How Much Spam Does Waledac Send?

Sebastián Bortnik, at ESET Latin America, kindly translated a blog they put up today here and allowed us to reproduce it for our blog. I think you'll find it interesting. Thanks, Sebastián!

The revival of the spread of the Waledac trojan is already a fact. As the ESET team announced on Thursday, on Friday spam emails began to circulate spreading Waledac executables masquerading as a video on YouTube, alleged to show a US Independence Day fireworks display conducted in the United States.

After 4th July, we have noticed an increase in the number of emails in circulation, and this week will be even more active. We believe that, like other campaigns, this one will last at least 15 days.

However, what many readers may be wondering is why Waledac was “asleep” so many months. The reality is that the Trojan wasn't spreading at that point. However, the botnet that was built with Waledac, remained as active as ever; working mainly to achieve their most important goal: to send spam.
 
At ESET Latinamerica’s Laboratory, we made some tests to enable us to share information with users that shows the importance of staying uninfected: if my computer is infected with Waledac, how much spam does it send?
 
We infected a computer on the laboratory with one of the Waledac trojans. We used a binary (MD5: 8036ce700043ce6dbe38561ff12d7f4c) that were circulated during the campaign of fake discount coupon distribution, for some time in February and March after Saint Valentine's Day 2009. This binary is detected heuristically by ESET NOD32.
 
After that, we used a tool to monitor network traffic to see how many emails were sent by the botnet, since the system became infected . We made an initial measurement in 4 stages over a period of one hour (at different times of day), and the results were as follows:

• Stage 1: between 18:00 and 19:00 hs. 6968 emails were sent 
• Stage 2: between 20:30 and 21:30 hs. 7148 emails were sent 
• Stage 3: between 10:00 and 11:00 hs. 5610 emails were sent
• Stage 4: Between 13:00 and 14:00 hs. 6568 emails were sent

Taking the average of emails sent per hour (6548 emails), it is estimated that an infected computer can send about 150,000 emails a day. To be even clearer, that represents nearly two emails per second.

These emails are sent using the resources of the infected systems. This is a clear example of one of the main advantages of botnets to the criminals who exploit them.

If we consider that the network is estimated to consist of at least 20.000 infected computers, it can be seen that the botnet has a theoretical spam-sending capacity of 3 billion emails daily. As indicated, this is only the theoretical capacity because not all infected computers are being used 24 hours a day for sending spam. However, this demonstrates the power of botnets as a distributed networking resource in general, and the particular potential of the Waledac botnet for spam email distribution.

Looking at the statistics presented here, many users will now understand why their computers work so slowly when their systems are infected ... and why is there so much spam!

Sebastián Bortnik
Security Analyst
ESET Latin America