Waledac Botnet Now Completely Offline, Experts Say
Trailrunner7 writes "After Microsoft's actions to take down the Waledac botnet last month, there was some question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections. But more than three weeks after the takedown, researchers say that Waledac has essentially ceased communications and its spam operations have dropped to near zero. One researcher said that Waledac now seems to be abandoned. 'It looks crippled, if not dead,' said Jose Nazario, a senior security researcher at Arbor Networks."
When the stars are once again right... (Score:5, Funny)
And with strange aeons even death may die.
Re:When the stars are once again right... (Score:5, Funny)
If spam was about Cthulhu, I probably wouldn't mind it so much. If spam *is* Cthulhu, well, I'm avoiding the Hormel section at the grocery store from now on.
Re:When the stars are once again right... (Score:5, Funny)
Might want to stay away from the spam...
Re: (Score:2)
So how much sanity do spam filters have and what happens when it runs out?
Re:When the stars are once again right... (Score:5, Funny)
Re: (Score:2)
If spam *is* Cthulhu, well, I'm avoiding the Hormel section at the grocery store from now on.
The Cthulhu, ham, eggs, and Cthulhu hasn't got much Cthulhu in it.
tell microsoft to *stop* fixing bugs (Score:2)
Bu$ine$$ Opportunity (Score:1)
My name is John Waledac. I am the designer and owner of a profitable spam company. Recently, my company has fallen upon hard times as several of our servers have broken down. We have the funds to replace these servers, but it will take several weeks to transfer the funds from our bank in Nigeria. This delay could cost our company thousands of dollars. This is where you come in. I am seeking investors to loan up to $100,000 for the purchase of new servers. When the funds from Nig
Re: (Score:2, Interesting)
While the parent is intended as a joke, the idea that quality software will put people out of work is quite widespread among people in IT. Which is quite a sad state of affairs, as it is such an obvious case of a broken window fallacy. [wikipedia.org] Rather than spending resources on fixing up damage, it is much more productive to direct them to the creation of new things or modifying existing ones to better meet the demand.
Is the source of this attitude the built in obsolescence idea from manufacturers? Do developers really think th
Re: (Score:1)
Still however useless (Score:5, Insightful)
I think everyone knew the answer was no, it will not have an effect on spam levels or malware infections. Oh, it succeeded in taking the botnet offline, MS did something real here, but taking just one offline doesn't mean much.
Re:Still however useless (Score:4, Interesting)
Useless in what way? Sure, on a global scale spam is still rampant, but they did show the tactic used has promise and worth pursuing.
True, we can't say for certain whether the tactic actually cut the head from the body, or if operations were just moved to a new botnet and the original Waledac CENTCOM let MS think they had their victory, but it's something, which is a little bit more than we had prior.
Re:Still however useless (Score:4, Insightful)
Sadly true. Waledac might have been a "mature and no longer really expanding" botnet. Botnets do have a certain shelf-life before they start to die through attrition; either the maker comes up with a new propagation method (virus/etc), or it hits a point and stops really expanding, followed by the slow inevitable decline as machines die, or get reformatted, or get overwritten by a newer botnet. There have been botnets that targeted other botnets for invasion/absorption quite a few times.
If this can help catch and destroy botnets earlier on, it might be more effective.
The better goal should, of course, be to make systems (and users) more spam-proof. User education would be a good start, as would home ISPs putting everyone's computers behind a proper NAT rather than using cable modems that expose the user to the naked wild. I've seen more home users who "just put up with" what would seem to be obvious virus/problem behavior merely because they were terrified of having to back up their data or reformat...
Re: (Score:1, Informative)
putting everyone's computers behind a proper firewall
Fixed that for you.
Re: (Score:2)
Really. People need to learn that 'stateful firewall' and 'NAT' are two completely different things. Especially with IPv6 hopefully being deployed en masse sometime this century.
Re: (Score:2)
AFAIK NAT is as much protection as the average home user needs -- they won't know how to get a more serious firewall working properly (ever try to show a user how to configure one of those software firewalls to allow their favorite app?), and viruses will find a way around software firewalls anyways (ie, bypassing them with kernel level
Re: (Score:2)
NAT merely creates a situation where the packets run into a dead end if not explicitly told to go someplace. SPI is the opposite, where a dead end is created explicitly for a packet that would normally be forwarded.
NAT in all but niche cases serves no purpose with IPv6. A firewall set to filter all inbound packets would serve the same purpose as NAT does tod
Re: (Score:2)
Re:Still however useless (Score:5, Insightful)
This was a lot larger than taking down a rogue host. This is 1,500,000,000 fewer spams per day on the net.
Cut out two billion spams here and there and pretty soon you're talking about real effectiveness.
Sure, they could probably do more, but every journey begins with a single step. Shut down the easy ones first. Pick the low-hanging fruit. Then go back and take down another, and another. At this point it could be all they could get done in a short amount of time, and in any case it's still a good start.
Re: (Score:2)
Re: (Score:2, Insightful)
Except the malware writers are not mythical creatures, they have real world considerations.
So improving security practices and doing the work to eliminate existing bots can actually make a difference.
Re:Still however useless (Score:5, Insightful)
As long as the source of the spam/malware problem isn't held accountable, nothing much will change.
The ultimate source (not cause!) of this problem is of course users that get spam, and then go on to send money to the folks that spammed them. But next in line are those companies that use spam, spread through malware-infected PCs, to sell their products (or sell worthless/dangerous crap, for that matter). Such shady companies should be put out of business, their CEOs thrown in jail ASAP (through whatever -legal- means), and profits confiscated to support the anti-spam operation.
Focussing on botnets is a good thing, but IMHO useless. Focussing on the folks running them is better, but the next botnet-operator-wannabe will step right in. Instead, efforts should focus on the businesses paying these fuckers.
Re: (Score:3, Insightful)
The ultimate source (not cause!) of this problem is of course users that get spam, and then go on to send money to the folks that spammed them. But next in line are those companies that use spam, spread through malware-infected PCs, to sell their products (or sell worthless/dangerous crap, for that matter). Such shady companies should be put out of business ...
The majority of spam today does not conform to this model. A 419 scam [wikipedia.org] leads to Nigeria, where anti-spam laws do not apply. Stock spam [wikipedia.org] promotes a company, but the company being promoted is neither responsible for the spam nor profits from it. Even for the small minority of spam that does directly promote a company product, your proposal accomplishes nothing other than to open up a new way for enemies of a company to anonymously destroy said company: namely, simply send out forged spam to promote the company'
Re: (Score:2)
Sure, spam has changed since then, and a lot of the websites that are offered via spam disappear very quickly, but a solution that harnesses the collective power of users to effectively perform a legal DDoS on networks originating spam seems like a very po
Re: (Score:2, Interesting)
Re:Still however useless (Score:5, Interesting)
There aren't that many botnets out there. I think most reputable observers peg it at around 6 or 7 big ones, from a spam perspective anyway. So taking one down is actually pretty awesome. Remember when McColo disappeared and spam levels dropped massively overnight? It wasn't that McColo itself pumped out spam, it was that the botnet C&C servers lived there.
As somebody who actually has to deal with the impacts of large botnets as part of my job at Google, I'd like to congratulate and thank the guys at Microsoft for this victory. Whether it has a noticeable impact on spam or not, it sends a powerful message to people thinking of making their own botnet - it can all end suddenly.
Building and maintaining a botnet is already pretty hard work ... between AV firms, Microsoft's MSRT, users noticing problems and wiping the OS, removals by rival botnets and generally improving PC security, botnet building has gone from something every man and his dog was doing to something very few can do well. Hardly any botnets become big. Most abuse I deal with comes in via bots that are apparently being shared or rented out to different (sometimes competing) spammers. That's an encouraging sign.
Re: (Score:1)
So what is your solution to combating global spam problem?
Do you propose that security researchers go after thousands upon thousands of infected hosts? How would you clean them out when they are located in another jurisdiction? I hope you realize that they can't just DoS it down as it could be doing some vital tasks (for example, if a machine in a hospital is infected).
And the problem can't be fixed with educating the user, because they don't care and don't want to care. See dancing pigs problem. [wikipedia.org] It really d
Re: (Score:2)
The "infected hospital PC" problem is one we've talked about before. It's worth going over again so people understand why sending a cleanup message is not the best idea.
The scenario is that a good Samaritan wants to send a "clean-out-the-infection" message through the botnet to all infected hosts, and a lifesaving machine in a hospital is infected. Some preliminary assumptions to make are that the good Samaritan has no way of contacting the machine's owner to determine if it's a mission critical or lifesa
Re: (Score:1)
Hardly any botnets become big.
They don't have to become big once they reach their target. Too big attracts unwanted attention. Expect more focus and a more "subtle" approach.
In other words... (Score:2)
Re:Its dead Jim. (Score:1)
I think it was "Zed's dead, Baby, Zed's dead"
Re: (Score:1, Offtopic)
snikulin (889460) said: I think it was "Zed's dead, Baby, Zed's dead"
You guys should swap UIDs.
MS is more clever? (Score:1)
I'm finding it hard to believe that MS brought down the behemoth by secretly bringing down those domain names.
On the other hand, maybe the little miscreants that created this botnet actually made the assumption that the domains couldn't be suspended. That still brings up the question, how long can this court-ordered suspension really last? Indefinitely is not a definite answer.
Going to go check my spam folder now... maybe it's got less crap in it now.
Re: (Score:1)
A court order to remove domain name registrations could certainly be permanent. Even if it was a theoretically legitimate action (not the case here) since you have to re-register every year anyways, it's effectively a $5 loss to lose a domain permanently.
Re: (Score:3, Interesting)
What MS should do is to re-register the domain names and point them to a C&C server they host. Then they have a wild botnet in a cage to be researched until they can find the best way to eradicate the thing, and others like it.
Or else command it to DDOS their foes. MWAHAHAHA!
Re: (Score:3, Funny)
What MS should do is to re-register the domain names and point them to a C&C server they host
What kind of C&C server? Red alert? Tiberium wars? I prefer a Generals C&C server myself...
Re:MS is more clever? (Score:4, Funny)
Duh, C&C 4 [wikipedia.org] came out today, he's obviously talking about that.
Re: (Score:2, Informative)
While I'm unsure of the specifics of this particular botnet, most of the big current botnets cryptographically sign commands, and ignore any that don't validate. Which means that unless there's a flaw in whatever encryption they used, there's nothing that approach would do other than waste money on domain name registration.
Re: (Score:2)
That's why I said "research". When you take possession of a house after foreclosure or seizure, sometimes you have to take some time to pick the locks.
The bots will contact their C&C servers. Find a bot that you can get client-side access to. Study the malware from both ends. Reverse-engineer the crypto.
At a minimum, there's a list of bot clients you can work through to de-fang and clean up.
Re: (Score:2)
Modern day crypto is not your grandfather's Caesar cipher. One does not simply "reverse engineer RSA [wikipedia.org]", which is undoubtedly what they are using if they are smart.
Strike that, "which is undoubtedly what they are using if they possess the knowledge of your average freshman CS major". It's not exotic stuff.
Re: (Score:2)
Again, you have access to both endpoints. For instance, you have a credible chance at cracking it if you can monitor cleartext in the process space of the client system.
Or, you know, maybe not, since teh evil h@x0rs are so 1334. Maybe we should all just surrender now and put in our recurring purchase order for herbal v1@gra or whatever.
Feh. Botnet takeover is a historical fact. It may be an arms race, but there will always be a defender response. And don't forget the classic anti-DRM mantra: in some place,
Re: (Score:2)
By endpoint, I assume the GP poster means not the C and C servers, but the bot-herder's personal PC with the private key. The one he uses to sign the commands. That is indeed one place the system is vulnerable. The other is that there may be a security vulnerability in the bot implementation that would permit an unauthorized connection to take over the bot, perhaps via buffer overflow or something. Y'know, the "endpoints."
Yes, if he thought that the C and C servers contain the private key, he's very muc
Re: (Score:2)
I know. I was just being supportive of "idontgo", because he sounded like he was claiming people would "reverse engineer" RSA, which is ridiculous. I'm sure he must have meant something else.
However, there is a potential vulnerability in what he's saying (even if he's saying it wrong.) The vulnerability is in the zombies. The zombies have to phone home to register. How does the C & C server know if it should trust a zombie? Is it susceptible to some kind of protocol exploit (a buffer overrun, a ma
Re: (Score:2)
Oh, nice amount of talking without knowing anything here. I suggest you take a look at Public-key cryptography [wikipedia.org]. There is no way you're going to crack such + RSA by "monitoring cleartext". If you do, and sure, let us know when that happens, you've just pwned every single government, bank, company, telecommunications line and Internet in the world.
Re: (Score:2)
The security of any good cryptosystem must rest solely on the secrecy of the key, not the secrecy of the implementation details. This is Cryptography 101 stuff here, you can't just "capture the enemy enigma machine" and call it a day anymore. Read that link I gave you before you make yourself look even more of a fool.
The bots presumably have a copy of the public key and will only listen to commands signed by the private key. Only the original command server has the private key, given the public key you c
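As an added illustration of the scheme this post describes (not code from the post, and not Waledac's real protocol): a toy bot that carries only the public half of an RSA key and executes a command only when the signature verifies under it and the sequence number is fresh. Whoever re-registers the C&C domain, or captures and replays old traffic, gets nowhere without the private exponent d. Textbook RSA over SHA-256 with the standard library only; the key sizes and the JSON packet format are assumptions for the demo.

```python
"""Toy of the thread's signed-command scheme: bots hold only the public key, so
re-registering the C&C domain does not let you issue commands. Added example;
textbook RSA over SHA-256, stdlib only, no padding: NOT a secure implementation
and not Waledac's real protocol."""
import hashlib
import json
import random

def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin for odd n > 3; plenty for a demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _is_probable_prime(cand, rng):
            return cand

def make_keypair(bits=512, seed=None):
    """Returns ((n, e), (n, d)); a seed makes the demo repeatable."""
    rng = random.Random(seed)
    e = 65537  # prime, so gcd(e, phi) == 1 iff e does not divide phi
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(seq, cmd):
    # canonical JSON so signer and verifier hash exactly the same bytes
    msg = json.dumps({"seq": seq, "cmd": cmd}, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign_command(priv, seq, cmd):
    """Only the holder of d (the real operator) can produce this."""
    n, d = priv
    return {"seq": seq, "cmd": cmd, "sig": pow(_digest(seq, cmd), d, n)}

class Bot:
    def __init__(self, pub):
        self.n, self.e = pub      # baked into the binary; no private half
        self.last_seq = 0
        self.executed = []

    def handle(self, packet):
        """True only if the signature verifies and seq is fresh (anti-replay)."""
        expected = _digest(packet["seq"], packet["cmd"])
        if pow(packet["sig"], self.e, self.n) != expected:
            return False          # forged or tampered: silently ignored
        if packet["seq"] <= self.last_seq:
            return False          # valid but old: a captured command replayed
        self.last_seq = packet["seq"]
        self.executed.append(packet["cmd"])
        return True

def demo():
    """Genuine accepted; tampered, wrong-key and replayed packets rejected."""
    pub, priv = make_keypair(seed=1)
    bot = Bot(pub)
    genuine = sign_command(priv, 1, "sleep 3600")
    tampered = dict(genuine, cmd="uninstall")      # body edited, sig now stale
    _, other_priv = make_keypair(seed=2)           # sinkhole's own key: wrong d
    forged = sign_command(other_priv, 2, "uninstall")
    return (bot.handle(genuine), bot.handle(tampered),
            bot.handle(forged), bot.handle(genuine))
```

The only way for the demo bot to accept "uninstall" is a packet signed with the real d, which is exactly the piece a domain takeover does not give you.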
Re: (Score:2)
I don't normally respond to arrogant tards, but I'll make an exception in your case.
The plaintext you're looking for is the private key. This is a fully automatic system, so the key has to be stored someplace. If you own both endpoints, you almost certainly own the keystore. If the keystore is protected, the passphrase (or equivalent) to open it is also stored someplace in the clear (or obfuscated, which is reversible).
Got it?
Now, admittedly, if the keystore is on a third server someplace, it becomes harder
Re: (Score:2)
Your terminology is all fucked up because you still have not bothered to research what you are talking about. Keys are keys, plaintext is plaintext, and ciphertext is ciphertext. Do not confuse them.
But you don't. A critical part of the server is the private key. Without the private key any server you may have created is worthless.
Re: (Score:2)
But you don't. A critical part of the server is the private key. Without the private key any server you may have created is worthless.
THUMP. THUMP.
That's my forehead on the desk. You're right, the good guys don't have access to the real C&C server. Therefore, the command signing process can't be spied. Therefore, there's no way to spoof valid signed commands.
I lost track of the "not owning the real server" issue. That's what happens when you fall in love with an idea; love is blind.
So, lacking any wea
Re: (Score:2)
Just because someone pinged me in this thread, I want to point out the different machines involved:
Re: (Score:2)
Re: (Score:2)
My spam folder's had much less in it for about a week now. I don't know how much of this was caused by bringing down this one botnet, but it must have had some effect, all of it good.
Rise of the machines (Score:1)
How about taking down... (Score:3, Insightful)
Re: (Score:3, Informative)
If it's that easy why haven't you done it?
Seriously, though, if the controllers are smart, we'll never catch them. Look at the Mariposa botnet. From what I read about that, while law enforcement got the network down, they didn't have any of the people. It took the bold, stubborn move of one of the controllers trying to regain command (from his own system no less) to catch the people behind it. If the operators walked away, what are the odds we'd catch them?
Re: (Score:2)
You give criminals too much credit. The human element is the thing that always seems to get criminals. The fact that they've put all this hard work and effort into building this massive botnet means it's not easy to just walk away at the first sign of potential trouble. It's easy to get sloppy when you've never been caught in months or years of operation and the only thing between you and control of millions of computers is a seemingly innocuous connection to a host.
Re: (Score:2)
You give criminals too much credit.
Ok, so it's a big 'if.' It's akin to gambling. You gotta know when to hold em, know when to fold em, know when to walk away, know when to run.
And if Waledac is just one network they have, it'd be easier to give up one.
Anyway, going back to Mariposa, it *did* take bringing down the network to get the people behind it. So to find those in control, perhaps you must first take control.
Re: (Score:2)
Re: (Score:2)
How about taking down...
The bloody botnet operator's and malware author's financer? Isn't this like fighting the symptoms instead of the cause?
There, fixed that for you. ;)
No need to thank me.
But if you got any hot girls...
Re: (Score:2)
"... if not dead." (Score:2)
It's restin'.
Re: (Score:2)
Pining for the fjords.
Re: (Score:2)
'It looks crippled, if not dead' (Score:2)
Just like its maker if he made contracts with the wrong people.
Cool! (Score:1)
Re: (Score:2)
Can a relevant botnet be shut down? (Score:1)
I'll never bemoan a success in the victory against cybercrime, but it would be nice if one of these announcements came against a botnet that was still relevant and sending out large amounts of spam like Rustock. When the trumpet was sounded by Microsoft about the death of the Storm botnet, it was about 18 months since it had been highly relevant.
As others have said, shutting down individual botnets doesn't have long-term effects. That lesson was learned when McColo was taken offline.
It's not dead... (Score:3, Funny)
... it's pining for the fjords!
Re: (Score:1)
Poor Design (Score:4, Informative)
The only reason this worked is that the botnet was poorly designed. It relied on at least one of the command and control servers being available. If they all get taken down at the same time you destroy the botnet. This is not how most other botnets work; this is a tactic that worked against this specific botnet and will not work against other botnets.
Other botnets generate new domain names fairly regularly. All the botnet controller needs to do is register one of those domains before it is generated. Good luck getting a court order to ban all the generated domains for the next few years.
Chilling effect (Score:4, Interesting)
Other botnets generate new domain names fairly regularly. All the botnet controller needs to do is register one of those domains before it is generated. Good luck getting a court order to ban all the generated domains for the next few years.
No problem. Individual court orders should do the trick. After seeing 200+ ISPs going through depeering hell, hosting providers will be a lot more careful who they let have a server. Of course, this is a less than ideal scenario for IT folk in general (especially because it puts the onus on hosting providers to monitor traffic), but it might be effective.
Re: (Score:2)
Your post advocates a
(x) technical (x) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the mone
I am Muyiwa Ige, son of the late chief Bola Ige (Score:2, Funny)
ATTN.: sir,
I got your contact through email business directory and decided to send my proposal to you. I am MUYIWA IGE the first son of the late chief BOLA IGE,the attorney general of th e fedeal rebulic of Nigeria who was killed by hired assasin on the 23rd of december 2001 by an unidentified gun men believed to be link to our government of which it is a daily case going on in my country;s dailies now.
Two months ago he was attempted to be murdered but unfortunately God speared his li
Cast away that which is useless. (Score:1)
Why waste time (read: money) repairing something broken when the new, harder to kill version does the same thing in the same time-cost?
Is spam really still a problem? (Score:2)
Sure, my spam folder always has shit in it, but really none of it ever makes it through Google's spam filters into my inbox.
Re: (Score:2, Insightful)
Spam is still a problem for network operators who have to increase capacity to carry the spam, endpoints that need to buy faster processors to weed out the spam, and users whose filters don't catch all or most spam.
Then there are the other criminal enterprises and activities that spammers seem to invariably be attached to.
Re: (Score:1)
My spam folder has been up over 15,000. Right now it's at 3,524. I get one or two spams per day, although frankly I think google is putting them there deliberately to get them checked off by me, because I'm a good spam classifier.
SO what.... (Score:1)
Tell me you took down the Zeus botnet, then I will say you accomplished something, but of course the least dangerous botnet will be easier to take down, even the script kiddies know to cycle their botnets, and out with the old in with the new. So what if the botnet you took down is old and degenerate and has almost no spam left attached to its name, you can still make a name for yourself by taking it down, right?
Just checked Spamcop (Score:1)