Botnet Microsoft Security IT

Microsoft Secretly Beheads Notorious Waledac Botnet 381

Barence writes "Microsoft has quietly won court approval to deactivate 277 domain names that are being used to control a vast network of infected PCs. The notorious Waledac botnet is being used by Eastern European spammers to send 1.5 billion spam messages every day, and infect hundreds of thousands of machines with malware. In a suit filed in the US District Court of Eastern Virginia, Microsoft accused 27 unnamed defendants of violating federal computer crime laws. It further requested that domain registrar Verisign temporarily deactivate the domains, shutting down the control servers being used to send commands to the machines. The request was secretly approved by District Judge Leonie Brinkema, allowing the action to be taken covertly, preventing Waledac's operators from switching domains."
  • by jeffmeden ( 135043 ) on Thursday February 25, 2010 @09:45AM (#31271340) Homepage Journal

    This is nice (if reactionary) but how long before we can get a court order to legally fight the botnet by 'infecting' the target computers with a patch, or at least some sort of message that warns the user to seek help?

    Would Microsoft ever go that far? Would that be admitting that the only solution to the holes in Windows is vigilantism?

  • Contingencies (Score:5, Interesting)

    by flink ( 18449 ) on Thursday February 25, 2010 @09:46AM (#31271346)

    Even if the control machines lose DNS resolution, might not the botnet be configured to fall back to connecting to well-known IP addresses to accept commands? Seems like the logical thing to do if you are creating an illegal network...
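The story summary describes cutting the botnet off by deactivating its control domains, and the comment above points out that bots may fall back to hard-coded IP addresses when those names stop resolving. From the defender's side, both observations translate into the same detection idea: a host that keeps asking for a sinkholed domain, or that connects straight to a known fallback address, is a likely infection. The script below is an added example, not code from Slashdot, from the story, or from any commenter; the domain names, IP addresses (TEST-NET ranges) and log lines in it are constructed placeholders, not Waledac's real infrastructure, and the log formats are assumed ones chosen for illustration.

```python
"""Flag hosts that either query a sinkholed C2 domain or connect directly to a
fallback C2 IP, from DNS query logs and firewall connection logs.

Every domain, IP and log line here is a constructed placeholder; none of them
is Waledac's real infrastructure. The log formats are assumed for the example."""
import re
from collections import defaultdict

# Constructed watchlist: domains covered by a takedown order, plus the
# hard-coded fallback addresses a bot might use once DNS stops resolving.
SINKHOLED_DOMAINS = {"c2-example-one.test", "c2-example-two.test"}
FALLBACK_C2_IPS = {"203.0.113.10", "198.51.100.7"}  # constructed, TEST-NET ranges

# Constructed sample logs: "<date> <time> <client> query <type> <name> <rcode>"
DNS_LOG = """\
2010-02-25 09:45:01 10.0.0.12 query A c2-example-one.test NXDOMAIN
2010-02-25 09:45:03 10.0.0.12 query A www.example.com NOERROR
2010-02-25 09:46:10 10.0.0.31 query A c2-example-two.test NXDOMAIN
2010-02-25 09:47:00 10.0.0.44 query A mail.example.com NOERROR
"""

# Constructed sample logs: "<date> <time> <src> -> <dst>:<port> <proto> <flags>"
CONN_LOG = """\
2010-02-25 09:45:05 10.0.0.12 -> 203.0.113.10:80 TCP SYN
2010-02-25 09:45:30 10.0.0.19 -> 198.51.100.7:443 TCP SYN
2010-02-25 09:46:12 10.0.0.31 -> 93.184.216.34:80 TCP SYN
"""

DNS_RE = re.compile(
    r"^\S+ \S+ (?P<src>\d+\.\d+\.\d+\.\d+) query \S+ (?P<name>\S+) (?P<rcode>\S+)$"
)
CONN_RE = re.compile(
    r"^\S+ \S+ (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) "
)


def flag_dns(log_text):
    """Return {host: set(domains)} for hosts that looked up a sinkholed domain.

    After a takedown the lookups typically fail (NXDOMAIN), but the bot keeps
    asking, so the query itself is the indicator regardless of the answer."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m and m.group("name").lower().rstrip(".") in SINKHOLED_DOMAINS:
            hits[m.group("src")].add(m.group("name").lower().rstrip("."))
    return dict(hits)


def flag_conns(log_text):
    """Return {host: set(ips)} for hosts that connected straight to a fallback
    C2 address; a DNS-only block never sees these, which is the commenter's point."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m and m.group("dst") in FALLBACK_C2_IPS:
            hits[m.group("src")].add(m.group("dst"))
    return dict(hits)


def suspected_bots(dns_text, conn_text):
    """Merge both views into a sorted list of (host, [reasons])."""
    reasons = defaultdict(list)
    for host, names in flag_dns(dns_text).items():
        reasons[host].append("dns:" + ",".join(sorted(names)))
    for host, ips in flag_conns(conn_text).items():
        reasons[host].append("ip:" + ",".join(sorted(ips)))
    return sorted(reasons.items())


if __name__ == "__main__":
    for host, why in suspected_bots(DNS_LOG, CONN_LOG):
        print(host, ";".join(why))
```

Run against the constructed logs it reports three hosts: one seen on both the DNS and the connection side, one caught only by the IP watchlist, and one caught only by its failed lookups. In practice the watchlists would be fed from the takedown order and from threat intelligence, and the connection-side check is what keeps detection working after the domains themselves go dark.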

  • Re:"East European" (Score:4, Interesting)

    by FyRE666 ( 263011 ) * on Thursday February 25, 2010 @09:56AM (#31271466) Homepage

    It's not crap in the OS that causes the vast majority of infections. It's crap in the user's heads.

    Why not just add code to check for an infection in the next Windows update. If found, then the user is presented with a dialogue at every boot that they must ok, and prevents them from logging in for 5 minutes for the first boot, increasing by 1 minute for each subsequent boot. Even lazy idiots will eventually get sick of this and do something about their machines.

  • Re:Contingencies (Score:5, Interesting)

    by TheLink ( 130905 ) on Thursday February 25, 2010 @10:10AM (#31271612) Journal
    If I wrote malware (I don't), I'd use google, other search engines and maybe even twitter (but that's probably covered by search engines nowadays) to search for new instructions :). So you could post the instructions "anywhere" in the world along with keywords. The search engines would find it. Naturally you'd check the signatures to see if the instructions are valid.

    I'd also write the malware in perl. Pretty easy to do such stuff with perl - can also fork and run the instructions in an eval (if you think people are going to crack your malware). It'll be interesting to see how the AV people cope with TIMTOWTDI. Probably trivial to whip up equivalents in python or similar.

    Such malware could run on windows, Linux, *BSD, OSX :).
  • Re:Contingencies (Score:2, Interesting)

    by maxume ( 22995 ) on Thursday February 25, 2010 @10:27AM (#31271784)

    Slashdot comments would be a great place to put a bot domain lookup (you could check every story for anonymous comments containing domains, check every story in a certain section for anonymous comments containing domains, or even check a certain account).

    The relatively strict attitude about 'freezing' things means that they probably wouldn't disappear, compared to blog comments, where a given blogger might zap stuff or not.

  • by RichMan ( 8097 ) on Thursday February 25, 2010 @10:41AM (#31271922)

    At least that is what the headline could be. Disabling foreign internet service is a big deal.

    Could be a serves them right for registering as .com rather than .country. But this is one branch of the US government disabling some foreign infrastructure.

  • by derGoldstein ( 1494129 ) on Thursday February 25, 2010 @10:53AM (#31272052) Homepage
    I'm waiting for the visualization software that will display the fight. Maybe you could place bets...
  • by Anonymous Coward on Thursday February 25, 2010 @11:10AM (#31272206)
    Whenever I see Microsoft pull off some sophisticated maneuver like this to nail some online crooks, my thought is always this: "and that's REALLY easier than just securing Windows exploits in order to prevent such botnets from forming in the first place?!?!" Do they have more lawyers than programmers?
  • Re:"East European" (Score:2, Interesting)

    by Anonymous Coward on Thursday February 25, 2010 @11:38AM (#31272522)

    That's true but not an excuse for a stuck throttle...

  • Re:Contingencies (Score:5, Interesting)

    by 2obvious4u ( 871996 ) on Thursday February 25, 2010 @12:04PM (#31272824)
    That is a bad assumption on his part. Drug dealers have different priorities than most people. I used to know people who would gross 100k a week dealing drugs. The thing is they would have to pay 60k back to the suppliers and then they would split 10k each and would pick up girls and take them on shopping sprees to get laid and would spend the rest on stuff like clothes and drugs for themselves. They really didn't have any money left at the end of the week. Owning houses that you bought with drug money doesn't work out very well when the IRS comes knocking, so they would blow all their funds on consumables during the week.

    Eventually they got caught and spent about 5 years in jail each. But for the 2 or 3 years they were earning that kind of cash and spending it on clothes, cars, women and drugs they lived like rock stars. The problem is that you do get caught and it is a very rough life. You have to have a very low moral standard that most of society can't stomach. But from the pictures it looked like a lot of fun. Even knowing about the 5 years hard time at the end.

    Oh, and women like drug dealers. You get a girl hooked on your supply and you can get laid whenever you like. Not everything can be measured in dollars.
  • by Anonymous Coward on Thursday February 25, 2010 @12:38PM (#31273246)

    It's not crap in the OS that causes the vast majority of infections. It's crap in the user's heads.

    No, it's the combination. On most OSes, it's harder for a user to shoot themselves in the foot, than it is on Microsoft's OSes.

    One big difference that leaps to mind, is that Microsoft OSes use the filename to decide whether or not something is executable. Have a user save malware.exe and then click on it, and it will run.

    On Linux and MacOS, after the user saves malware, they have to chmod +x malware, and then they can run it. Right there, when the user has to explicitly enable the malware, they know it's not a harmless media file; they are having to acknowledge that it's a program. And programs, unlike media files, can do whatever the fuck they want to do.

    MS also has application problems. Ok, so this isn't the OS' fault, but when you get into things like MS Word and MS Excel, the apps are remarkably bad. Who would have thought that a word processor needs the ability to execute a script (written in a fully-expressive language and executed without a sandbox!) embedded inside a document, automatically when the document loads? So MS blurred the line between media and programs.

    It's a really bad platform for security, not just because it happens to be widely deployed, but because it's just plain bad, compared to any average normal OS (I'm not even trying to hold it up against OpenBSD or something like that).

    You do not want non-geeks using it. Windows is a platform only suitable for computer experts, which is pretty funny since no computer expert wants to have anything to do with it.
