Microsoft-Led Task Force Busts 'Waledac' Botnet
- By Herb Torrens
- February 26, 2010
The Botnet Task Force, which is headed by Microsoft, has been credited with taking down one of the world's largest spambots with a federal court injunction issued this week.
Microsoft's Digital Crimes Unit, in conjunction with the Botnet Task Force, took legal action this week after months of investigation into a botnet known as W32.Waledac, which according to Microsoft had the capability to send as many as 1.5 billion spam e-mails a day.
"In an effort to be more creative and aggressive in the fight against botnets, we decided to approach the problem by decapitating, and thereby largely disabling, Waledac by cutting the ties between its central command and the individual 'zombie' computers under its control," noted Richard Boscovich, senior attorney in the Digital Crimes Unit, in an e-mail.
Microsoft joined experts from Symantec, The Shadowserver Foundation, International Secure Systems Lab, several universities and others in an effort code-named "Operation b49" to file a legal injunction -- "Microsoft Corporation v. John Does 1-27, et. al." -- against unidentified "bot herders" allegedly behind the Waledac botnet.
A temporary restraining order that essentially severed 227 Internet domains was issued by the U.S. District Court of Eastern Virginia on Feb. 22.
"This is a big step for us in our ongoing effort to thwart criminals using the Internet for financial gain," said Andre' M. DiMino, co-founder and director of the non-profit Shadowserver Foundation. "The fact that the court recognized the threat of the distribution architecture, and suspended the domain names associated with Waledac, basically chopped this botnet off at the knees."
The first variant of Waledac was discovered in April 2008, according to court records. Symantec started tracking the variants in December of that year after the spambot began sending Christmas-themed e-mails that compromised computers and turned them in to spambots, according to a declaration filed in court by Dean Turner, director of Global Intelligence Network for Symantec.
"Waledac was an especially malicious malware because it used the fast-flux technology to change the IP address associated with a domain name, and it could do it 10 times in a half-hour," Turner said in a telephone interview. "It effectively hid domain names, which made it very hard to track."
Propagation of Waledac was achieved through a worm that entices users to respond to an offer. It would offer holiday-themed e-cards or topical news stories, or even inform the user of a security threat and then mimic Web pages that provide a solution. The worm installs itself when the user clicks on the malicious link and downloads the file.
According to Turner, the compromised computers turn in to "zombies" and become relay nodes for the botnet. Waledac deployed multiple methods to propagate and sustain itself, including the fast-flux DNS that allowed it to launch e-mail queries seconds apart with changing IP addresses for the host.
"It's not organized crime in the sense of cyber-'Sopranos,' but there are gangs or groups of individuals who are financially motivated to attack users," Turner said. "We've been working behind the scenes to disrupt these perpetrators because it's not just a Microsoft problem, it's everybody's problem."
Turner estimated that gangs controlling botnets such as Waledac could reap millions of dollars in illegal revenues before their operations are disrupted.
"I think Microsoft and its coalition of partners in the Botnet Task Force did the general public a great service by taking down this threat," said Michael Cherry, vice president of research on operating systems for Directions on Microsoft, in a telephone interview. "There's a huge ecosystem of Windows users and this effort is protecting that ecosystem."
On its Web site, Symantec identifies Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003 Windows 2000 as systems with vulnerabilities that could be affected by Waledac.
"It's like that old Willie Sutton response when asked why he robbed banks: 'That's where the money is,'" Cherry said. "Windows is the big target because of its large footprint, but who knows? Cell phones and mobile devices could be the next big target."
On the preventive side, Symantec's Turner said it is much harder to defend against malicious attacks than to create them, but significant progress is being made through coalitions like the Botnet Task Force.
"We are getting much better at identifying threats and actual perpetrators," Turner said. "As the [software] community comes together and puts aside competitive differences to achieve a common goal, progress will be made, and these guys will know that we are coming after them."
Herb Torrens is an award-winning freelance writer based in Southern California. He managed the MCSP program for a leading computer telephony integrator for more than five years and has worked with numerous solution providers including HP/Compaq, Nortel, and Microsoft in all forms of media.