
Waledac Botnet Now Completely Offline, Experts Say

Posted by kdawson
from the it's-dead-jim dept.
Trailrunner7 writes "After Microsoft's actions to take down the Waledac botnet last month, there was some question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections. But more than three weeks after the takedown, researchers say that Waledac has essentially ceased communications and its spam operations have dropped to near zero. One researcher said that Waledac now seems to be abandoned. 'It looks crippled, if not dead,' said Jose Nazario, a senior security researcher at Arbor Networks."
  • by fuzzyfuzzyfungus (1223518) on Tuesday March 16, 2010 @03:20PM (#31500020) Journal
    That is not dead which can eternal lie.

    And with strange aeons even death may die.
    • by GuJiaXian (455569) on Tuesday March 16, 2010 @03:29PM (#31500142) Homepage

      If spam was about Cthulhu, I probably wouldn't mind it so much. If spam *is* Cthulhu, well, I'm avoiding the Hormel section at the grocery store from now on.

    • Now they want to kill spam and viruses. Sheesh. I thought they were all about generating jobs, not killing them. If they keep killing botnets and viruses and stop creating widely-deployed web browsers and operating systems with no reliability and security, who's going to keep paying us to keep fixing these things all the time? Tell them to bring back win98 and the com2: irq conflicted dial-up modems. That was great, generated tech calls all day long. At least we have usb, fast-mutating, and browser-inst
      • Dear Sir or Madaam:

        My name is John Waledac. I am the designer and owner of a profitable spam company. Recently, my company has fallen upon hard times as several of our servers have broken down. We have the funds to replace these servers, but it will take several weeks to transfer the funds from our bank in Nigeria. This delay could cost our company thousands of dollars. This is where you come in. I am seeking investors to loan up to $100,000 for the purchase of new servers. When the funds from Nig
      • Re: (Score:2, Interesting)

        by Lotana (842533)

        While the parent is intended as a joke, the idea that quality software will put people out of work is quite widespread among people in IT. Which is quite a sad state of affairs as it is such an obvious case of a broken window fallacy. [wikipedia.org] Rather than spending resources on fixing up damage, it is much more productive to direct it on creation of new things or modifying existing to better meet the demand.

        Is the source of this attitude the built in obsolescence idea from manufacturers? Do developers really think th

  • by 0racle (667029) on Tuesday March 16, 2010 @03:23PM (#31500062)

    question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections

    I think everyone knew the answer was, no it will not have an effect on spam levels or malware infections. Oh it succeeded in taking the botnet offline, MS did something real here, but taking just one offline doesn't mean much.

    • by Volante3192 (953645) on Tuesday March 16, 2010 @03:38PM (#31500270)

      Useless in what way? Sure, on a global scale spam is still rampant, but they did show the tactic used has promise and worth pursuing.

      True, we can't say for certain whether the tactic actually cut the head from the body or if operations were just moved to a new botnet and the original Waledac CENTCOM let MS think they had their victory, but it's something, which is a little bit more than we had prior.

      • by Moryath (553296) on Tuesday March 16, 2010 @04:02PM (#31500606)

        Sadly true. Waledac might have been a "mature and no longer really expanding" botnet. Botnets do have a certain shelf-life before they start to die through attrition; either the maker comes up with a new propagation method (virus/etc), or it hits a point and stops really expanding, followed by the slow inevitable decline as machines die, or get reformatted, or get overwritten by a newer botnet. There have been botnets that targeted other botnets for invasion/absorption quite a few times.

        If this can help catch and destroy botnets earlier on, it might be more effective.

        The better goal should, of course, be to make systems (and users) more spam-proof. User education would be a good start, as would home ISPs putting everyone's computers behind a proper NAT rather than using cable modems that expose the user to the naked wild. I've seen more home users who "just put up with" what would seem to be obvious virus/problem behavior merely because they were terrified of having to back up their data or reformat...

        • Re: (Score:1, Informative)

          by Anonymous Coward

          putting everyone's computers behind a proper firewall

          Fixed that for you.

          • by Sir_Lewk (967686)

            Really. People need to learn that 'stateful firewall' and 'NAT' are two completely different things. Especially with IPv6 hopefully being deployed en masse sometime this century.

            • NATs provide many of the same benefits as a firewall, and most NAT-ing devices have a SPI Firewall included. Ever wonder what that "enable SPI" function on a linksys does?

              AFAIK NAT is as much protection as the average home user needs-- they won't know how to get a more serious firewall working properly (ever try to show a user how to configure one of those software firewalls to allow their favorite app?), and viruses will find a way around software firewalls anyways (ie, bypassing them with kernel level
              • NAT and SPI will serve the same purpose in this instance. However, NAT is not required for SPI and is not interesting in a firewall discussion IMO.

                NAT merely creates a situation where the packets run into a dead end if not explicitly told to go someplace. SPI is the opposite, where a dead end is created explicitly for a packet that would normally be forwarded.

                NAT in all but niche cases serves no purpose with IPV6. A firewall set to filter all inbound packets would serve the same purpose as NAT does tod
    • but taking just one offline doesn't mean much.

      Actually, it does. It means that a botnet CAN be defeated. We constantly see stories about how control servers are up and going again hours or days after some are taken offline. A good step to solving the problem is proving that a solution can actually exist.

    • by plover (150551) * on Tuesday March 16, 2010 @03:41PM (#31500310) Homepage Journal

      This was a lot larger than taking down a rogue host. This is 1,500,000,000 fewer spams per day on the net.

      Cut out two billion spams here and there and pretty soon you're talking about real effectiveness.

      Sure, they could probably do more, but every journey begins with a single step. Shut down the easy ones first. Pick the low-hanging fruit. Then go back and take down another, and another. At this point it could be all they could get done in a short amount of time, and in any case it's still a good start.

    • by Alwin Henseler (640539) on Tuesday March 16, 2010 @03:42PM (#31500330) Homepage

      As long as the source of the spam/malware problem isn't held accountable, nothing much will change.

      The ultimate source (not cause!) of this problem is of course users that get spam, and then go on to send money to the folks that spammed them. But next in line are those companies that use spam, spread through malware-infected PCs, to sell their products (or sell worthless/dangerous crap, for that matter). Such shady companies should be put out of business, their CEOs thrown in jail ASAP (through whatever -legal- means), and profits confiscated to support the anti-spam operation.

      Focussing on botnets is a good thing, but IMHO useless. Focussing on the folks running them is better, but the next botnet-operator-wannabee will step right in. Instead, efforts should focus on the businesses paying these fuckers.

      • Re: (Score:3, Insightful)

        by David Jao (2759)

        The ultimate source (not cause!) of this problem is of course users that get spam, and then go on to send money to the folks that spammed them. But next in line are those companies that use spam, spread through malware-infected PCs, to sell their products (or sell worthless/dangerous crap, for that matter). Such shady companies should be put out of business ...

        The majority of spam today does not conform to this model. A 419 scam [wikipedia.org] leads to Nigeria, where anti-spam laws do not apply. Stock spam [wikipedia.org] promotes a company, but the company being promoted is neither responsible for the spam nor profits from it. Even for the small minority of spam that does directly promote a company product, your proposal accomplishes nothing other than to open up a new way for enemies of a company to anonymously destroy said company: namely, simply send out forged spam to promote the company'

        • What about Blue Frog [wikipedia.org] antispam? Seemed to work well enough to get a ton of spammers to DDOS them off the map, not to mention the reports of backbone router tampering. I remember when this was going on, and the size of the attack was pretty staggering.

          Sure, spam has changed since then, and a lot of the websites that are offered via spam disappear very quickly, but a solution that harnesses the collective power of users to effectively perform a legal DDoS on networks originating spam seems like a very po
        • Re: (Score:2, Interesting)

          by stonewallred (1465497)
          If the US government was serious about ending spam, it could be done easily. Of course the government is not interested, but the capabilities are there. Most bot-net operators are not nameless, faceless shadows. They just live in places that will not prosecute them or cooperate with the US. If Microsoft or Google slapped 1 million dollar bounties on the fuckers if they are delivered to US soil, the bot-nets would shut down so fast your head would spin off.
    • by IamTheRealMike (537420) <mike@plan99.net> on Tuesday March 16, 2010 @04:00PM (#31500588) Homepage

      There aren't that many botnets out there. I think most reputable observers peg it at around 6 or 7 big ones, from a spam perspective anyway. So taking one down is actually pretty awesome. Remember when McColo disappeared and spam levels dropped massively overnight? It wasn't that McColo itself pumped out spam, it was that the botnet C&C servers lived there.

      As somebody who actually has to deal with the impacts of large botnets as part of my job at Google, I'd like to congratulate and thank the guys at Microsoft for this victory. Whether it has a noticeable impact on spam or not, it sends a powerful message to people thinking of making their own botnet - it can all end suddenly.

      Building and maintaining a botnet is already pretty hard work .... between AV firms, Microsoft's MSRT, users noticing problems and wiping the OS, removals by rival botnets and generally improving PC security, botnet building has gone from something every man and his dog was doing to something very few can do well. Hardly any botnets become big. Most abuse I deal with comes in via bots that are apparently being shared or rented out to different (sometimes competing) spammers. That's an encouraging sign.

      • Hardly any botnets become big.

        They don't have to become big once they reach their target. Too big attracts unwanted attention.. Expect more focus and a more "subtle" approach.

  • It's dead, Jim.
  • I'm finding it hard to believe that MS brought down the behemoth by secretly bringing down those domain names.

    On the other hand, maybe the little miscreants that created this botnet actually made the assumption that the domains couldn't be suspended. That still brings up the question, how long can this court-ordered suspension really last? Indefinitely is not a definite answer.

    Going to go check my spam folder now... maybe it's got less crap in it now.

    • A court order to remove domain name registrations could certainly be permanent. Even if it was a theoretically legitimate action (not the case here) since you have to re-register every year anyways, it's effectively a $5 loss to lose a domain permanently.

      • Re: (Score:3, Interesting)

        by idontgno (624372)

        What MS should do is to re-register the domain names and point them to a C&C server they host. Then they have a wild botnet in a cage to be researched until they can find the best way to eradicate the thing, and others like it.

        Or else command it to DDOS their foes. MWAHAHAHA!

        • Re: (Score:3, Funny)

          by Lumpy (12016)

          What MS should do is to re-register the domain names and point them to a C&C server they host

          What kind of C&C server? Red alert? Tiberium wars? I prefer a Generals C&C server myself...

        • Re: (Score:2, Informative)

          by Anonymous Coward
          Since the only responses you have at the moment are smart-ass, I'll respond seriously.

          While I'm unsure of the specifics of this particular botnet, most of the big current botnets cryptographically sign commands, and ignore any that don't validate. Which means that unless there's a flaw in whatever encryption they used, there's nothing that approach would do other than waste money on domain name registration.
          • by idontgno (624372)

            That's why I said "research". When you take possession of a house after foreclosure or seizure, sometimes you have to take some time to pick the locks.

            The bots will contact their C&C servers. Find one a bot that you can get client-side access to. Study the malware from both ends. Reverse-engineer the crypto.

            At a minimum, there's a list of bot clients you can work thru to de-fang and clean up.

            • by Sir_Lewk (967686)

              Modern day crypto is not your grandfather's Caesar cipher. One does not simply "reverse engineer RSA [wikipedia.org]" which is undoubtedly what they are using if they are smart.

              Strike that, "which is undoubtedly what they are using if they possess the knowledge of your average freshman CS major". It's not exotic stuff.

              • by idontgno (624372)

                Again, you have access to both endpoints. For instance, you have a credible chance at cracking it if you can monitor cleartext in the process space of the client system.

                Or, you know, maybe not, since teh evil h@x0rs are so 1334. Maybe we should all just surrender now and put in our recurring purchase order for herbal v1@gra or whatever.

                Feh. Botnet takeover is a historical fact. It may be an arms race, but there will always be a defender response. And don't forget the classic anti-DRM mantra: in some place,

                • by sopssa (1498795) *

                  Oh, nice amount of talking without knowing anything here. I suggest you take a look at Public-key cryptography [wikipedia.org]. There is no way you're going to crack such + RSA by "monitoring cleartext". If you do, and sure let us know when that happens, you've just pwned every single government, bank, company, telecommunications line and Internet in the world.

                • by Sir_Lewk (967686)

                  The security of any good cryptosystem must rest solely on the secrecy of the key, not the secrecy of the implementation details. This is Cryptography 101 stuff here, you can't just "capture the enemy enigma machine" and call it a day anymore. Read that link I gave you before you make yourself look even more of a fool.

                  The bots presumably have a copy of the public key and will only listen to commands signed by the private key. Only the original command server has the private key, given the public key you c

                  • by idontgno (624372)

                    I don't normally respond to arrogant tards, but I'll make an exception in your case.

                    The plaintext you're looking for is the private key. This is a fully automatic system, so the key has to be stored someplace. If you own both endpoints, you almost certainly own the keystore. If the keystore is protected, the passphrase (or equivalent) to open it is also stored someplace in the clear (or obfuscated, which is reversible).

                    Got it?

                    Now, admittedly, if the keystore is on a third server someplace, it becomes harder

                    • by Sir_Lewk (967686)

                      The plaintext you're looking for is the private key.

                      Your terminology is all fucked up because you still have not bothered to research what you are talking about. Keys are keys, plaintext is plaintext, and ciphertext is ciphertext. Do not confuse them.

                      If you own both endpoints

                      But you don't. A critical part of the server is the private key. Without the private key any server you may have created is worthless.

                      If the keystore is protected, the passphrase (or equivalent) to open it is also stored someplace i

                    • by idontgno (624372)

                      But you don't. A critical part of the server is the private key. Without the private key any server you may have created is worthless.

                      THUMP. THUMP.

                      That's my forehead on the desk. You're right, the good guys don't have access to the real C&C server. Therefore, the command signing process can't be spied. Therefore, there's no way to spoof valid signed commands.

                      I lost track of the "not owning the real server" issue. That's what happens when you fall in love with an idea; love is blind.

                      So, lacking any wea

                    • by plover (150551) *

                      Just because someone pinged me in this thread, I want to point out the different machines involved:

                      • Zombie: Infected PC. Executes only those instructions whose digital signature matches that of an included self-signed certificate. (RSA signatures are not reversible.) Connects to C&C servers using a technique known as fast-flux proxies.
                      • Command and Control: Middleman server. Accepts connections from zombies and the master. Forwards copies of digitally signed instructions. Fast-flux proxies help hide
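The point made several times above (AC at "most of the big current botnets cryptographically sign commands", Sir_Lewk's "the bots presumably have a copy of the public key", idontgno's concession, plover's zombie/C&C breakdown) is easier to see in code. The following is an added example, not Waledac's real protocol or anyone's posted code: bots carry the operator's public key and obey only commands signed by the matching private key, so a defender who has seized the C&C domains (a sinkhole) can enumerate the bots that call home but cannot issue them commands. The signature scheme is textbook RSA over a SHA-256 digest with no padding, adequate for the demonstration only; a real design uses RSA-PSS or Ed25519 from a library. Key sizes are deliberately small. The class and function names, the commands, and the bot IDs are all constructed for illustration. Requires Python 3.8+ for pow(e, -1, m).

```python
"""Seizing the C&C domains is not seizing the botnet when commands are signed."""
import hashlib
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin, good enough for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public, private) as (e, n) and (d, n). e is prime, so
    gcd(e, phi) == 1 whenever phi % e != 0."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _digest(msg: bytes) -> int:
    # 256-bit digest is always smaller than the 512-bit modulus.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(private, msg: bytes) -> int:
    d, n = private
    return pow(_digest(msg), d, n)


def verify(public, msg: bytes, sig: int) -> bool:
    e, n = public
    return pow(sig, e, n) == _digest(msg)


class Bot:
    """Zombie: the operator's public key is compiled in; a command runs
    only if its signature verifies under that key."""

    def __init__(self, public, bot_id):
        self.public, self.bot_id, self.executed = public, bot_id, []

    def check_in(self, server):
        """Poll whatever the C&C domain currently resolves to."""
        msg, sig = server.command_for(self.bot_id)
        ok = verify(self.public, msg, sig)
        if ok:
            self.executed.append(msg)
        return ok


class OperatorCnC:
    def __init__(self, private):
        self.private = private

    def command_for(self, bot_id):
        msg = b"SEND_SPAM"
        return msg, sign(self.private, msg)


class Sinkhole:
    """Defender holding the domains but not the private key: it learns who
    calls home, and the best it can do is sign with a key of its own."""

    def __init__(self):
        self.seen = set()
        _, self.own_private = generate_keypair()

    def command_for(self, bot_id):
        self.seen.add(bot_id)
        msg = b"UNINSTALL"
        return msg, sign(self.own_private, msg)


def takedown_scenario(num_bots=5):
    public, private = generate_keypair()
    bots = [Bot(public, f"bot-{i}") for i in range(num_bots)]
    obeyed_operator = sum(b.check_in(OperatorCnC(private)) for b in bots)
    sinkhole = Sinkhole()  # domains re-pointed at the defender
    obeyed_sinkhole = sum(b.check_in(sinkhole) for b in bots)
    return {"obeyed_operator": obeyed_operator,
            "obeyed_sinkhole": obeyed_sinkhole,
            "bots_enumerated": len(sinkhole.seen)}
```

Running takedown_scenario() gives every bot obeying the operator, none obeying the sinkhole, and all of them enumerated by it, which is exactly the split the thread arrives at: the domains buy the defender a list of infected hosts to clean up, not control. Sending the operator's old signature with a different message fails too, since the digest no longer matches.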
        • by h00manist (800926)
          They could spread the "windows" virus and take over all computers in the world and make them reboot all the time! oh they already did that.
    • Going to go check my spam folder now... maybe it's got less crap in it now.

      My spam folder's had much less in it for about a week now. I don't know how much of this was caused by bringing down this one botnet, but it must have had some effect, all of it good.

  • Waledac will be back... as SkyNet.
  • by lbalbalba (526209) on Tuesday March 16, 2010 @03:55PM (#31500524)
    The bloody botnet operator's and malware author's ? Isn't this like fighting the symptoms instead of the cause ?
    • Re: (Score:3, Informative)

      by Volante3192 (953645)

      If it's that easy why haven't you done it?

      Seriously, though, if the controllers are smart, we'll never catch them. Look at the Mariposa botnet. From what I read about that, while law enforcement got the network down, they didn't have any of the people. It took the bold, stubborn move of one of the controllers trying to regain command (from his own system no less) to catch the people behind it. If the operators walked away, what are the odds we'd catch them?

      • by Gordo_1 (256312)

        You give criminals too much credit. The human element is the thing that always seems to get criminals. The fact that they've put all this hard work and effort into building this massive botnet means it's not easy to just walk away at the first sign of potential trouble. It's easy to get sloppy when you've never been caught in months or years of operation and the only thing between you and control of millions of computers is a seemingly innocuous connection to a host.

        • You give criminals too much credit. Ok, so it's a big 'if.' It's akin to gambling. You gotta know when to hold em, know when to fold em, know when to walk away, know when to run.

          And if Waledac is just one network they have, it'd be easier to give up one.

          Anyway, going back to Mariposa, it *did* take bringing down the network to get the people behind it. So to find those in control, perhaps you must first take control.

        • by bloodhawk (813939)
          These are not your average criminals, they are technically savvy, well financed underground organisations, they aren't some drugged up retard running into a liquor store to rob it with his mother's tights pulled over his face. Not every criminal is stupid and the possibility of getting caught is enough to keep smart ones from getting sloppy.
    • How about taking down...
      The bloody botnet operator's and malware author's financer? Isn't this like fighting the symptoms instead of the cause ?

      There, fixed that for you.
      No need to thank me.
      But if you got any hot girls... ;)

      • by lbalbalba (526209)
        Yeah, you fixed that for me. Guess that the financers are the real root cause here... Thanks.
  • It's restin'.

    • Pining for the fjords.

      • by Locke2005 (849178)
        'E's off the twig! 'E's kicked the bucket, 'e's shuffled off 'is mortal coil, run down the curtain and joined the bleedin' choir invisible!! THIS IS AN EX-BOTNET!!
  • Just like its maker if he made contracts with the wrong people.

  • Oh, this must be why my spam messages went from over 300 per day, down to just around 20-30 in the past couple weeks. Here I thought Gmail improved their spam filters.
    • It doesn't seem to have affected me - since Microsoft took the domains down around about 25th February, I have spam in my Gmail filter since 19th February and there's no change.

      What is interesting is that having looked at what's in the Gmail spam filter, it does seem I am getting near-enough 15 spam emails every day; I've never realised before how evenly distributed the spam actually is.

  • I'll never bemoan a success in the victory against cybercrime, but it would be nice if one of these announcements came against a botnet that was still relevant and sending out large amounts of spam like Rustock. When the trumpet was sounded by Microsoft about the death of the Storm botnet, it was about 18 months since it had been highly relevant.

    As others have said, shutting down individual botnets doesn't have long-term effects. That lesson was learned when McColo was taken offline.

  • by Jaysyn (203771) <jaysyn+slashdot&gmail,com> on Tuesday March 16, 2010 @04:23PM (#31500846) Homepage Journal

    ... it's pining for the fjords!

    • by guygo (894298)
      It's not pining, it's passed on. This botnet is no more. It has ceased to be. It's expired and gone to meet its maker. This is a late botnet!
  • Poor Design (Score:4, Informative)

    by phantomcircuit (938963) on Tuesday March 16, 2010 @04:46PM (#31501148) Homepage

    The only reason this worked is that the botnet was poorly designed. It relied on at least one of the command and control servers being available. If they all get taken down at the same time you destroy the botnet. This is not how most other botnets work, this is not a tactic that worked against this specific botnet and will not work against other botnets.

    Other botnets generate new domain names fairly regularly. All the botnet controller needs to do is register one of those domains before it is generated. Good luck getting a court order to ban all the generated domains for the next few years.
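The domain-generation design described in the comment above, seen from both sides, as an added example (the algorithm, seed and TLD list are constructed for illustration and belong to no real botnet, Waledac included). Each day the bot derives a short list of candidate domains from a hard-coded seed and the date and polls them in order, so the operator need only register one of them before that day arrives. A defender who has recovered the function from a sample can compute the same list for any future date and register, block or sinkhole every name first; the cost is that there are PER_DAY names per day to deal with, for as long as the bots keep running. Function names, SEED, TLDS and PER_DAY are assumptions of this example.

```python
"""Date-seeded domain generation (DGA): bot side and defender side."""
import hashlib
from datetime import date, timedelta

SEED = b"constructed-family-seed"   # in practice recovered from the malware binary
TLDS = ("com", "net", "org", "info")
PER_DAY = 8


def domains_for_day(day: date, seed: bytes = SEED, count: int = PER_DAY):
    """The DGA itself: a deterministic function of (seed, date, index)."""
    names = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        names.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return names


def bot_rendezvous(day: date, registered: dict):
    """Bot side: try today's names in order. `registered` maps a domain to
    whoever currently holds it; return (domain, holder) of the first live
    name, or None if nothing resolves today."""
    for name in domains_for_day(day):
        if name in registered:
            return name, registered[name]
    return None


def future_domains(start: date, days: int):
    """Defender side: every name the bots will try in [start, start + days)."""
    names = set()
    for k in range(days):
        names.update(domains_for_day(start + timedelta(days=k)))
    return names


def race_scenario(day: date, horizon_days: int = 30):
    """Day 1: the operator holds one of that day's names and the bots find it.
    Then the defender enumerates the next `horizon_days` days and takes every
    name in advance, so from day 2 on the bots only ever reach the sinkhole."""
    registered = {domains_for_day(day)[3]: "operator"}
    day_one = bot_rendezvous(day, registered)
    next_day = day + timedelta(days=1)
    taken = future_domains(next_day, horizon_days)
    registered.update({name: "sinkhole" for name in taken})
    day_two = bot_rendezvous(next_day, registered)
    return {"day_one_holder": day_one[1],
            "day_two_holder": day_two[1],
            "names_defender_registered": len(taken)}
```

At PER_DAY = 8 the defender must take 8 names a day, about 2,920 a year, which is the scale behind "good luck getting a court order to ban all the generated domains for the next few years": the names are predictable, but only for as long as the seed and the algorithm stay unchanged, and every one of them has to be registered or blocked before the operator gets to it.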

    • Chilling effect (Score:4, Interesting)

      by Culture20 (968837) on Tuesday March 16, 2010 @05:24PM (#31501630)

      Other botnets generate new domain names fairly regularly. All the botnet controller needs to do is register one of those domains before it is generated. Good luck getting a court order to ban all the generated domains for the next few years.

      No problem. Individual court orders should do the trick. After seeing 200+ ISPs going through depeering hell, hosting providers will be a lot more careful who they let have a server. Of course, this is a less than ideal scenario for IT folk in general (especially because it puts the onus on hosting providers to monitor traffic), but it might be effective.

      • by hakr89 (719001)

        Your post advocates a

        (x) technical (x) legislative ( ) market-based ( ) vigilante

        approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

        ( ) Spammers can easily use it to harvest email addresses
        (x) Mailing lists and other legitimate email uses would be affected
        (x) No one will be able to find the guy or collect the mone

  • FROM: MUYIWA IGE

    ATTN.: sir,
    I got your contact through email business directory and decided to send my proposal to you. I am MUYIWA IGE the first son of the late chief BOLA IGE,the attorney general of th e fedeal rebulic of Nigeria who was killed by hired assasin on the 23rd of december 2001 by an unidentified gun men believed to be link to our government of which it is a daily case going on in my country;s dailies now.

    Two months ago he was attempted to be murdered but unfortunately God speared his li
  • The spammers using this botnet most likely cut it off to work on enlarging another.

    Why waste time(read money) repairing something broken when the new, harder to kill version does the same thing in the same time-cost?
  • Sure my spam folder always has shit in it, but really none of it ever makes it through Google's spam filters into my inbox.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Sure my spam folder always has shit in it, but really none of it ever makes it through Google's spam filters into my inbox.

      Spam is still a problem for network operators who have to increase capacity to carry the spam, endpoints that need to buy faster processors to weed out the spam, and users whose filters don't catch all or most spam.

      Then there are the other criminal enterprises and activities that spammers seem to invariably be attached to.

    • by drinkypoo (153816)

      My spam folder has been up over 15,000. Right now it's at 3,524. I get one or two spams per day, although frankly I think google is putting them there deliberately to get them checked off by me, because I'm a good spam classifier.

  • Tell me you took down the Zeus botnet, then I will say you accomplished something, but of course the least dangerous botnet will be easier to take down, even the script kiddies know to cycle their botnets, and out with the old in with the new. So what if the botnet you took down is old and degenerate and has almost no spam left attached to its name, you can still make a name for yourself by taking it down, right?

  • I just checked spamcop stats page, we had a few quiet days but everything is back to normal, thanks for coming.
