Forgot your password?
typodupeerror
Botnet Microsoft Security IT

Microsoft Secretly Beheads Notorious Waledac Botnet 381

Posted by CmdrTaco
from the if-you-cut-off-one-head-do-two-grow-back dept.
Barence writes "Microsoft has quietly won court approval to deactivate 277 domain names that are being used to control a vast network of infected PCs. The notorious Waledac botnet is being used by Eastern European spammers to send 1.5 billion spam messages every day, and infect hundreds of thousands of machines with malware. In a suit filed in the US District Court of Eastern Virginia, Microsoft accused 27 unnamed defendants of violating federal computer crime laws. It further requested that domain registrar Verisign temporarily deactivate the domains, shutting down the control servers being used to send commands to the machines. The request was secretly approved by District Judge Leonie Brinkema, allowing the action to be taken covertly, preventing Waledac's operators from switching domains."
This discussion has been archived. No new comments can be posted.

Microsoft Secretly Beheads Notorious Waledac Botnet

Comments Filter:
  • by avarus (610800)

    ...but where will I get all my v14gra now??

  • by jeffmeden (135043) on Thursday February 25, 2010 @08:45AM (#31271340) Homepage Journal

    This is nice (if reactionary) but how long before we can get a court order to legally fight the botnet by 'infecting' the target computers with a patch, or at least some sort of message that warns the user to seek help?

    Would Microsoft ever go that far? Would that be admitting that the only solution to the holes in Windows is vigilantism?

  • Contingencies (Score:5, Interesting)

    by flink (18449) on Thursday February 25, 2010 @08:46AM (#31271346)

    Even if the control machines loose DNS resolution, might not the botnet be configured to fall back to connecting to well known IP addresses to accept commands? Seems like the logical thing to do if you are creating an illegal network...

    • by Cyner (267154)

      1. If they were smart it's easier to make money legally than illegally.
      2. They have quite a few domains for a reason, and normally they don't all go dark at the exact same well-coordinated time.

      • Re:Contingencies (Score:5, Insightful)

        by Clover_Kicker (20761) <clover_kicker@yahoo.com> on Thursday February 25, 2010 @08:53AM (#31271434)

        1. If they were smart it's easier to make money legally than illegally.

        Really?

        • Re:Contingencies (Score:4, Insightful)

          by L4t3r4lu5 (1216702) on Thursday February 25, 2010 @09:13AM (#31271656)
          Indeed. I was just thinking "Hey, I could go out to work for a month, do 8 hours a day in a confined space staring at a computer screen, being breathed on by a boss who thinks that 30 seconds on /. is a sackable offence, stressed out of my mind as my skillset is quite over-subscribed at the moment and if I lose my job I'll be in a highly competitive workplace, or I could pull a kitchen knife from my home, go around to the closest atm, wait for someone to stick in their pin, and have all of their money!"

          Work isn't easy. If it was, we wouldn't be paid to do it.
          • No, work is easy (Score:4, Insightful)

            by SmallFurryCreature (593017) on Thursday February 25, 2010 @09:53AM (#31272060) Journal

            If you break your leg tomorrow. Were is your money coming from? Right, your boss. Sick leave. Burglers haven't got it.

            Neither can you boss turn out to be carrying a gun and blow your brains out rather then pay you.

            If you botch up your work, you won't land in a small cell with a guy named Bubba who likes you very very much.

            You ex-gf can't turn you into your boss, even if you really screwed up.

            A live of crime sound easy, but it isn't. If it was, more people would do it.

            Take the pirates of somalia, sounds like easy money, but how many regular sailors can have their brains blown out by a sniper and nobody gives a damn? And if you think it sucks that your wife wants your wages, wait till you have to deal with the crime hierarchy. They are like the IRS, but not as nice. Oh, and then there is the IRS who can hook you up with Bubba again if you can't account for every penny in your pocket.

            • by PopeRatzo (965947) * on Thursday February 25, 2010 @10:16AM (#31272272) Homepage Journal

              Sick leave. Burglers haven't got it.

              And increasingly, American workers haven't got it either, along with health care, retirement and other benefits. Shit, more and more American workers don't even have Saturdays off any more.

              Companies love contract workers just for that reason.

              Ask the "tech workers" around here, whether their working conditions, hours and benefits have increased or decreased every year since 1980.

          • by nedlohs (1335013)

            I doubt you'll earn more money robbing ATM users with your kitchen knife than an office job.

            ATMs have limits on withdrawals, people going to an ATM tend to be doing so because they don't have much cash on them.

            At some point you'll pick the wrong guy and get shot, or get caught and go to jail.

            Small time armed robbery sounds to me like the one of the worst ways to earn a living through crime too - the punishments are reasonably high, the risk of being identified and then caught are reasonably high, the risk o

          • It seems you've come to a conclusion, then. Do let us know how that works out for you.
        • 1. If they were smart it's easier to make money legally than illegally.

          Really?

          Yes, really. Just ask Tim Gaitner, Hank Paulson or any of the Chief Embezzling Officers or anyone working for Morgan Stanley.

        • by Actually, I do RTFA (1058596) on Thursday February 25, 2010 @11:21AM (#31273052)

          There are two ways to make a lot of money. Commit big enough crimes, or inherit it. Favorite method: Have your ancestors commit the crimes and then inherit it.

      • by Akido37 (1473009)

        1. If they were smart it's easier to make money legally than illegally.

        It's really not. If you've ever been involved with, or known anyone involved with selling illegal drugs, you'd know how false that statement is.

        • Re: (Score:3, Funny)

          by characterZer0 (138196)

          It's really not. If you've ever been involved with, or known anyone involved in politics, you'd know how false that statement is.

          • its actually pretty hard. you have to be a committed passionate demagogue

            sure, if you are in politics, its easy to rip people off

            however, its very hard to get in that position in the first place

            so, just as the post you are responding to says, it is easier to make money legally than illegally

        • Re:Contingencies (Score:5, Insightful)

          by Ifni (545998) on Thursday February 25, 2010 @09:11AM (#31271634) Homepage

          I tend to wonder at the accuracy of that assumption. I think that drug dealing is a lot like acting - people see all the famous actors and say "I can get rich as an actor", but don't notice that it is only the top one percent or so that truly make it - the rest struggle to get by, or make a moderate living at best. Additionally, as a drug dealer, you also have to avoid the law - being wildly successful for 5 years then getting caught and put in jail for ten to twenty makes flipping burgers more profitable an endeavor over the long term. Not to mention the rather short life expectancy of many of the most successful due to "competition".

          So, short term, yeah, dealing (or many types of crime) is easier than making money legally. But long term, you either have to be really good, and thus invest much effort in staying one step ahead of both the law and those looking to "replace" you, or you lose the advantage that crime had, and then some. And if you are investing the required effort successfully, you likely could have done equally well working legitimately. Sure, there are the Dons and Columbian drug lords that are the exception, but again - only the top 1% or less enjoy that privilege.

        • by TheLink (130905)
          In terms of $$$$$$$ obtained, I think the finance bunch have been doing pretty well. And lower risk too. When they supposedly screwed up they still got bonuses.

          All it takes is to not have a conscience or being able to fool yourself that you are actually adding lots more value than you are taking out.

          As the title of one book says: "Where Are the Customers' Yachts? or A Good Hard Look at Wall Street".
      • by Afty0r (263037)

        1. If they were smart it's easier to make money legally than illegally.

        Even if I wasn't handing over around half my income to the gubmint, I doubt this would be true. If it were true there wouldn't be many crims left...

    • by Tom (822)

      Even if the control machines loose DNS resolution, might not the botnet be configured to fall back to connecting to well known IP addresses to accept commands?

      You'd have to store that IP somewhere, which means in the clients, which means it'll be found and either disabled or lead them right to your door.

    • Re:Contingencies (Score:5, Insightful)

      by Jahava (946858) on Thursday February 25, 2010 @09:11AM (#31271630)

      Even if the control machines loose DNS resolution, might not the botnet be configured to fall back to connecting to well known IP addresses to accept commands? Seems like the logical thing to do if you are creating an illegal network...

      Well, here are a few thoughts:

      • Microsoft probably thoroughly reverse-engineered the botnet client code prior to seeking the court's assistance. Therefore, they have a very good understanding of the botnet's control algorithms. They probably derived those domain names and took those specific measures in response to their understanding of those algorithms.
      • For a botnet, hard-coding IP addresses could be riskier than DNS names. If someone is trying to shut you down, it's easier on their part to pick a specific set of IP addresses and (with cooperation of their respective ISPs) get them shut down or (without said cooperation) firewalled.
      • For a botnet, it's much faster and easier to change your IP address and update a DNS entry, leaving the botnet code alone. If you have to change those hard-coded addresses, you have to not only rebuild and push new code, but update every infected system (and any network admin on a legit controlled network knows that there can be issues with this). With the DNS entry they have a central point to update.
      • I'd not be surprised if Microsoft chose this specific botnet because it had a vulnerability that was within the reach of a court to address

      As others have pointed out, this teaches every other botnet author a lesson on what can be done. The problem ain't solved by a longshot, but maybe the Internet is safe for another night (cue Batman music).

        • Microsoft probably thoroughly reverse-engineered the botnet client code prior to seeking the court's assistance.

        Sounds like a DMCA violation if you ask me. Won't someone think of the (botnet) authors?!

    • Re: (Score:3, Insightful)

      by Deathlizard (115856)

      Domains and IRC are dead ends for current botnets anymore exactly because authorities can shut them down.

      The newer botnets use Peer to Peer networks for command and control. Either a In House private P2P or (most likely since they're already established) a public P2P like Kademila or Gnutella. Then all you would have to do is search the network with a authorization string+botnet command string embedded in it(IE: randomhexspamtheworld). When the bot receives the search string, it validates against the author

  • Probably a one off - botnet designers will now write in contingencies so that access can be re-established in the event of visible domains being taken off-line. In fact - i'd be surprised if Waledac didn't rise from the dead.
    • I would have it passively scan well-known websites for hidden messages. For example, browse Slashdot at -1 and pick up posts which contained a specifically formatted payload. Once the message was decoded, verify the message's signature against a public key and execute the payload.

      Or on places which allow for image uploading. Use steganography to embed the payload into the images. Or Twitter status messages... look for specific hashtags such as #flamewar or something relatively obscure then follow the UR

      • Re: (Score:3, Funny)

        by Missing_dc (1074809)

        ##Monkey Cow Chicken Fly 128!k93>>22k5gg91

        I find your proposition utterly preposterous! ;)

  • Presumably if Microsoft have done their homework, they have identified every possible machine that these bots could try to contact to receive new instructions (such as new SPAM messages to send) and had VeriSign disable every domain name so it cant be registered or used.

    Does this mean the botnet is dead?
    If so, great. And lets hope people are working to repeat the excercise and block the domain names used for control of any other botnets that talk to specific servers by name for instructions.

    • If i was a botnet author, i would keep a list of my zombies and code the bots in a way they respond to a secret password.
      Thus it doesn't really matter if a command center is down, i could just start a new one and it reclaims all orphaned zombies.

      Cutting a few command centers is futile.
      The only solution is to burn all zombies overnight and prevent reinfection.

      • by Tom (822)

        If i was a botnet author, i would keep a list of my zombies

        Which would leave a trace back to you, because that list has to be assembled somewhere.

      • by jonwil (467024)

        Given the way these worms/trojans spread and the sort of PCs they are most likely to infect, even if you COULD compile a list of valid IP addresses its a good bet that those machines would be
        A.No longer infected (because its been cleaned by the Windows Malicious Software Removal Tool or by anti-virus or by a re-image of the computer from a recovery partition/CD/DVD or a standard corporate disk image)
        B.Firewalled off (corporate networks etc)
        C.Running behind NAT (again corporate networks using NAT or home use

  • by Max_W (812974)

    1,5 billions of spam messages per day. Multiply each message by 10 seconds of working time it takes to activate e-mail window and delete the spam-message, and it becomes clear what damage to the word economy it brings. Let alone disrupted work-flow.

    It is the weapon of mass economic destruction.

    Such spammers should be warned, once, twice, and if they do not cool down a drone should come above their building and shoot a "Hellfire" missile right into the server room.

    Or at least black-clad agents should enter t

  • Deactivated? (Score:3, Insightful)

    by gmuslera (3436) on Thursday February 25, 2010 @09:09AM (#31271588) Homepage Journal
    New set of domains acquired and botnet spamming again in 3..2..1..
  • by LifesABeach (234436) on Thursday February 25, 2010 @09:09AM (#31271596)
    No one knows they exist.

    And sometimes, that's a good thing...
  • by OzPeter (195038) on Thursday February 25, 2010 @09:24AM (#31271756)
    Is today the day we like Microsoft?? I just want to make sure I have that right. Its not some trick to cover them acting like vigilantes is it??
  • As glad as I am when botnets are crippled or shut down, I can't help but ask: Why is Microsoft the one pursuing this in court, rather than the government? Under what legal principle does Microsoft, a private corporation, have standing to sue for control of these domain names?

    • by tnk1 (899206)

      You must have missed where Microsoft bought out the government. Please report to your local Microsoft (Re)Education Center for more details. Bring your passport.

    • Re: (Score:3, Insightful)

      by VertigoAce (257771)

      I assume that by owning @hotmail.com and @microsoft.com, Microsoft itself was the target of a large amount of spam from this botnet. That would give Microsoft standing to sue, as well as a lot of evidence to back up its claims.

  • by RichMan (8097) on Thursday February 25, 2010 @09:41AM (#31271922)

    At least that is what the headline could be. Disabling foreign internet service is a big deal.

    Could be a serves them right for registering as .com rather than .country. But this is one branch of the US government disabling some foreign infrastructure.

  • by aapold (753705) on Thursday February 25, 2010 @09:57AM (#31272096) Homepage Journal
    Going by the microsoft graphic of the operation [microsoft.com], they could just arrest people who wear dark sunglasses and colored head scarves.

The trouble with opportunity is that it always comes disguised as hard work. -- Herbert V. Prochnow

Working...