Speaking Waledac

27 Jan 2009 Felix Leder botnet-protocols encrypted-traffic encryption waledac

While it seems impossible to say whether Waledac is the successor of Storm or not, what we can do is take a look at the traffic encryption. The guys over at Shadowserver have already blogged some details about this. We at the Giraffe Chapter investigated Waledac's communication protocol further. Here are our results.

Waledac uses regular HTTP requests to transmit command requests and to retrieve responses. It uses HTTP fast-flux proxies to hide the true origin of the command and control (C&C) server. Because the regular Windows HTTP API (WinINet) is used, the traffic is hard to distinguish from ordinary HTTP traffic. Furthermore, WinINet even lets Waledac send its traffic through HTTP proxy servers for which the user has already authenticated. The requests use POST with encrypted and encoded payload data:
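Since the bot's requests are plain WinINet POSTs to fast-flux hosts, a defender cannot key on the transport itself; what does stand out is that the POST body is an encoded blob of high-entropy ciphertext rather than form data. The following is an added illustration, not code from the original post or from the Giraffe Chapter: it scores the POST bodies of a few constructed HTTP log records by base64-decoding them and measuring the Shannon entropy of the result. The sample records, host names, and thresholds are all assumptions made up for the example.

```python
import base64
import binascii
import math
from collections import Counter

# Constructed sample HTTP POST records (assumption: not real Waledac traffic).
# The first is an ordinary form submission; the second carries a base64-encoded
# blob built from all 256 byte values, standing in for an encrypted payload.
SAMPLE_POSTS = [
    {"host": "forms.example.test", "body": "username=alice&remember=1&lang=en"},
    {"host": "203.0.113.7", "body": base64.b64encode(bytes(range(256)) * 2).decode()},
    {"host": "short.example.test", "body": "YWJj"},  # "abc": valid base64 but too short to judge
]


def shannon_entropy(data: bytes) -> float:
    """Return the entropy of `data` in bits per byte (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_if_base64(body: str):
    """Strictly base64-decode `body`; return None if it is not well-formed base64."""
    stripped = body.strip()
    if not stripped or len(stripped) % 4:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (ValueError, binascii.Error):
        return None


def classify_post(body: str, min_len: int = 32, entropy_threshold: float = 7.0) -> str:
    """Label a POST body 'opaque' when it is base64 wrapping high-entropy bytes, else 'plain'.

    Short bodies are always 'plain': entropy estimates on a handful of bytes are meaningless.
    """
    raw = decode_if_base64(body)
    if raw is None or len(raw) < min_len:
        return "plain"
    return "opaque" if shannon_entropy(raw) >= entropy_threshold else "plain"


def flag_requests(posts) -> list:
    """Return the hosts whose POST bodies were classified as opaque, in log order."""
    return [p["host"] for p in posts if classify_post(p["body"]) == "opaque"]


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(f"{post['host']:24s} {classify_post(post['body'])}")
    print("flagged:", flag_requests(SAMPLE_POSTS))
```

Entropy on its own is a weak signal: compressed uploads, images and TLS-wrapped traffic look just as random, so in practice this classification is only useful combined with the other traits described above, such as POSTs going to a churning set of fast-flux addresses rather than to a stable web service.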