An operation launched by the Microsoft Digital Crimes Unit has successfully taken down a slew of command and control servers hosting the malicious spam botnet Waledac.
The Waledac takedown is the culmination of a months-long investigation and legal strategizing on the part of Microsoft in an effort known as "Operation b49." The software giant received a temporary restraining order on Monday from a federal court in Alexandria, Va. requiring VeriSign, which oversees the operation of the .com and .net top-level domains, to disconnect 277 domains associated with the botnet. The domains were suspected to be hosted in China.
"At Microsoft, we don't accept the idea that botnets are a fact of life," said Tim Cranton, Microsoft associate general counsel, in a company blog post. "That's why I'm proud to announce that through legal action and technical cooperation with industry partners, we have executed a major botnet takedown of Waledac, a large and well-known 'spambot.'"
As one of the top 10 largest botnets in the U.S., Waledac was one of the biggest distributors of online pharmaceutical spam as well as other fraud schemes and phony merchandise. Microsoft said that Waledac was estimated to have infected hundreds of thousands of computers around the world, retaining a capacity to send more than 1.5 billion spam e-mails per day.
Like its notorious predecessor, Storm, Waledac employed a fast-flux technique, which rapidly changed the IP addresses behind the websites used to distribute spam in order to evade detection mechanisms that track malicious servers.
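The fast-flux pattern just described can be spotted from the defender's side by watching how a domain's DNS answers change over repeated lookups. As an added example (not part of the original article or of Microsoft's operation), the following Python heuristic scores constructed lookup snapshots for IP churn, short TTLs and address spread; the domain names, records and thresholds are assumptions.

```python
# Added example: a fast-flux indicator over repeated DNS lookups.
# The observations below are constructed sample data, not real records.
import ipaddress
from collections import defaultdict

# (domain, time in seconds, TTL, tuple of A records returned)
OBSERVATIONS = [
    ("static.example", 0,    3600, ("192.0.2.10", "192.0.2.11")),
    ("static.example", 3600, 3600, ("192.0.2.10", "192.0.2.11")),
    ("static.example", 7200, 3600, ("192.0.2.11", "192.0.2.10")),
    ("flux.example",   0,    60, ("198.51.100.7", "203.0.113.44", "192.0.2.200")),
    ("flux.example",   60,   60, ("203.0.113.9", "198.51.100.120", "192.0.2.31")),
    ("flux.example",   120,  60, ("203.0.113.77", "198.51.100.8", "192.0.2.99")),
    ("flux.example",   180,  60, ("198.51.100.200", "203.0.113.5", "192.0.2.150")),
]

def summarize(observations):
    """Per-domain churn statistics computed from a list of lookup snapshots."""
    by_domain = defaultdict(list)
    for domain, ts, ttl, ips in observations:
        by_domain[domain].append((ts, ttl, ips))
    stats = {}
    for domain, snaps in by_domain.items():
        snaps.sort(key=lambda s: s[0])
        unique_ips, prefixes, changes, prev = set(), set(), 0, None
        for _, _, ips in snaps:
            current = frozenset(ips)
            if prev is not None and current != prev:
                changes += 1  # answer set differs from the previous lookup
            prev = current
            unique_ips.update(current)
            # /24 diversity: flux nodes are scattered across unrelated networks
            prefixes.update(str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips)
        stats[domain] = {
            "lookups": len(snaps),
            "unique_ips": len(unique_ips),
            "unique_24s": len(prefixes),
            "answer_changes": changes,
            "min_ttl": min(ttl for _, ttl, _ in snaps),
        }
    return stats

def is_fast_flux(s, max_ttl=300, min_unique_ips=6, min_prefixes=2):
    """Heuristic: short TTL, many distinct IPs spread over several /24s,
    and the answer set changing in at least half of the lookups."""
    return (s["min_ttl"] <= max_ttl and s["unique_ips"] >= min_unique_ips
            and s["unique_24s"] >= min_prefixes
            and s["answer_changes"] >= s["lookups"] // 2)
```

Content delivery networks also serve short TTLs and rotate addresses, so a hit on this heuristic is a lead for corroboration (reputation, hosting diversity, content), not proof of a botnet.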
Computers infected by the Waledac botnet were turned into drones and fell under the control of the botnet owners -- known as bot herders -- who used the compromised machines to distribute copious amounts of spam.
The botnet was particularly irksome to Microsoft, in part, because approximately 651 spam e-mails targeting Hotmail accounts were attributed to it, carrying scams related to knock-off merchandise, work-from-home job offers, and pump-and-dump stock schemes, as well as online pharmacies.
Microsoft claims that the legal action "quickly and effectively" cut off traffic to Waledac at the .com domain, which severed the connection it had to its hundreds of command and control centers communicating with hundreds of thousands of affected bot computers.
"Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet," Cranton said.
While Microsoft acknowledged that disconnecting Waledac from its domains was only a first step, affected users will still have to deal with the malware that remains on their computers.
"The operation hasn't cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused," Cranton said. "Although the zombies are now largely out of the bot-herders' control, they are still infected with the original malware."
As a precaution, Microsoft recommends that users download Microsoft's Malicious Software Removal Tool, which cleans the Waledac malware from users' machines, and that users install and maintain up-to-date anti-virus and anti-spyware software to reduce the risk of infection.