The Waledac botnet taken offline in February 2010 remains very much dead, but the code used to create the spamming botnet has been retooled for a more sinister purpose: stealing passwords.

Security vendor Palo Alto Networks says that, beginning on Feb. 2, it detected a new variant of the Waledac botnet targeting its customers' networks, one that shares portions of the code used by Waledac. "The new version has upgraded its malicious abilities to include stealing of passwords and authentication data," Palo Alto said in a blog post yesterday. "This includes the ability to sniff user credentials for FTP, POP3, SMTP and steal .dat files for FTP and BitCoin. All of this information is uploaded to the botnet, and of course would be very valuable for enabling further attacks."

The original Waledac was taken offline by Microsoft two years ago, when the company severed the connection between the botnet's command-and-control servers and the thousands of zombie computers it was controlling. With court permission, Microsoft took over the domains used to run the botnet. "To avoid confusion it is important to note that this is a new variant of the botnet, and not the original version, which remains under the control of Microsoft," Palo Alto noted.

Before updating its signatures to block the botnet's malware, Palo Alto detected it on 30 or 40 customer firewalls, primarily in Europe. The exact scope isn't known yet, but it is clearly smaller and more targeted than a typical spamming botnet, and also more threatening. Infections are occurring through Web browsers, though the exact delivery method is also still under investigation. While a spamming botnet "would grow as fast as it can and infect as many people as possible," this one is "staying a bit lower to the ground," Palo Alto Senior Security Analyst Wade Williamson tells Ars. The change in behavior from spamming to password-stealing "has to be scary for a lot of enterprises," he said.

The re-use of Waledac code is similar to what has happened with Kelihos, another botnet whose code was reused to create a second botnet after the original was dismantled. Microsoft did not say whether it is tracking the new botnet spotted by Palo Alto, but provided Ars this statement from Richard Boscovich, the senior attorney in its Digital Crimes Unit: "Since taking down the Waledac botnet in 2010, the botnet remains dead and Microsoft continues to control the domains once used by the botnet’s operators. We also regularly work with ISPs and CERTs around the world to help people remove the Waledac malware and regain control of their computers."