Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Microsoft wins a court order to shut down the Waledac botnet


A number of places are reporting that Microsoft has won a court order to shut down the Waledac botnet.  The Wall Street Journal (registration required), The Register and ComputerWorld all report on it.  Quoting from the ComputerWorld article:

Microsoft said late Wednesday that it had been granted a court order that will cut off 277 .com domains associated with the botnet. This will effectively knock the brains of Waledac off the Internet, by removing the command-and-control servers that criminals use to send commands to hundreds of thousands of infected machines.

Thought to be used by Eastern European spammers, Waledac has been a major source of computer infections and spam over the past year. Microsoft believes the botnet can send over 1.5 billion spam messages daily.

In a lawsuit against the unknown spammers behind Waledac, filed Monday with the U.S. District Court of Eastern Virginia, Microsoft argues that Verisign, which manages the .com domain, is a choke-point for the botnet. The court has apparently ordered Verisign to remove the botnet's command-and-control domains from the Internet.

"This action has quickly and effectively cut off traffic to Waledac at the '.com' or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world," Microsoft said in its blog post announcing the effort.

Microsoft designed its lawsuit so the court order would sever the control ties to the botnet before its controller had time to react. "That unplugging of the Internet connection had to be done without him knowing," said Richard Boscovich, a senior attorney at Microsoft's digital crimes unit, in a video on the blog post.

So, to summarize what’s going on here, computers infected with Waledac need to get their instructions from somewhere.  These instructions live elsewhere, on other infected computers or sometimes behind a fast-flux domain.  For example, Computer 1 has Waledac and needs to talk to spam_viagra.com in order to know what to spam and whom to spam.  By forcing the domain spam_viagra.com offline, Computer 1 no longer knows what to spam or whom to spam.  It cannot download a new set of instructions because the place it wants to connect to no longer exists.

An operation like this has to be carried out quietly.  As the blog post says, it had to be done without the botnet owner knowing, before he had a chance to take countermeasures.
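As an added example (not code from this post or from Microsoft), here is a small defender-side check that follows from the mechanism just described: once the command-and-control domains are gone from the .com registry, an infected machine's lookups for them come back NXDOMAIN, so a resolver log reveals which internal hosts are still trying to fetch instructions. The log format, the host addresses and every domain except the post's own hypothetical spam_viagra.com are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (not real data): timestamp, internal host,
# queried name, query type, response code.
SAMPLE_LOG = """\
2010-02-25T03:14:07Z 10.0.5.17 query spam_viagra.com A rcode=NXDOMAIN
2010-02-25T03:14:09Z 10.0.5.17 query spam_viagra.com A rcode=NXDOMAIN
2010-02-25T03:14:10Z 10.0.5.42 query example.org A rcode=NOERROR
2010-02-25T03:15:01Z 10.0.5.17 query spam_viagra.com A rcode=NXDOMAIN
2010-02-25T03:15:30Z 10.0.6.8 query cc-placeholder-2.com A rcode=NXDOMAIN
2010-02-25T03:16:02Z 10.0.5.42 query typo-exmaple.org A rcode=NXDOMAIN
"""

# Domains cut off at the registry. The post names no real ones, so these are
# placeholders (spam_viagra.com is the post's own made-up example).
TAKEDOWN_DOMAINS = {"spam_viagra.com", "cc-placeholder-2.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) query (?P<qname>\S+) (?P<qtype>\S+) rcode=(?P<rcode>\S+)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_orphaned_bots(log_text, takedown_domains=TAKEDOWN_DOMAINS, min_failures=2):
    """Map each internal host to the cut-off domains it keeps asking for.

    Repeated NXDOMAIN answers for a removed C&C name mean the host still runs
    the bot and is asking for instructions from a place that no longer exists.
    One failure may be noise (a retry, a sandbox), hence the min_failures floor.
    """
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        qname = rec["qname"].lower().rstrip(".")
        if qname in takedown_domains and rec["rcode"] == "NXDOMAIN":
            failures[rec["host"]][qname] += 1
    return {
        host: {d: n for d, n in per_domain.items() if n >= min_failures}
        for host, per_domain in failures.items()
        if any(n >= min_failures for n in per_domain.values())
    }

if __name__ == "__main__":
    for host, domains in sorted(find_orphaned_bots(SAMPLE_LOG).items()):
        print(host, domains)
```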

The ComputerWorld article continues:

Because Waledac uses peer-to-peer techniques to control hacked boxes as well, Microsoft has more work to do, however.

"It's a busy night tonight and tomorrow is probably going to be a busy day as well," said Jeff Williams, director of Microsoft's Malware Protection Center in an e-mail interview.

Williams didn't provide details on what Microsoft was doing to further attack Waledac, but in its blog posting the company said it is "taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet." Microsoft expects to "continue to work with the security community to mitigate and respond to this botnet," the post states.

Known internally as Operation b49, Microsoft's takedown operation "was the result of months of investigation and the innovative application of a tried and true legal strategy," Microsoft said.

Peer-to-peer is different.  In a peer-to-peer botnet, infected computers talk directly to each other: an infected Computer 1 talks directly to Computer 2, which in turn talks to Computer 3.  This is more complicated to disrupt because the web of network connections is more complex, and figuring out which sets of instructions are malicious and which are legitimate is not easy, particularly if the connection is encrypted.

[image: diagram of the botnet’s network mesh]

You can see from the above diagram that the network mesh contains a couple of redundant techniques for communication within the botnet’s infrastructure.  While I’m not privy to this type of information, there are a number of things Microsoft is doing in order to disrupt this particular botnet:

  1. Shutting down the .com domains that host Waledac instructions
  2. The free distribution of the Malicious Software Removal Tool (MSRT) to registered and unregistered users of Windows, which cleans up the malware that distributes the spam in the first place
  3. The free distribution of Microsoft Security Essentials, which proactively keeps your machine clean (MSRT is not real-time)

The battle continues, but temporary victories are nice to achieve from time to time.

  • "Microsoft believes the botnet can send over 1.5 billion spam messages daily."

    How does Microsoft count "spam messages"?  Is a spam mail with 15 recipients counted as 1, or is it counted as 15?

    According to my own botnet statistics (http://botnet-tracker.blogspot.com/), the mail/recipient ratio has been around 1:30.  Knowing how Microsoft counts spam messages will enable us to have a correct estimate of the spam and botnet problem.

  • Does MS implement a broken NS resolver so that lookups against these names fail?
