In an unprecedented move, Microsoft secured a federal court order that, in effect, required VeriSign to cut off 277 Internet .com domains that were serving as the connections between Waledac's command and control (C&C) servers and around 60,000 to 80,000 bots or infected machines it had recruited to spew its spam. Waledac is best-known for its online pharmacy, phony products, jobs, and penny stock spam scams, and has the capacity to send more than 1.5 billion spam email messages per day.
The so-called "Operation b49" effort basically turned the tables on the Waledac botnet operators by systematically hijacking the communications between the botnet and its infected bots. Once Microsoft had the court order in hand from the U.S. District Court of Eastern Virginia in response to its legal complaint, researchers from the University of Mannheim in Germany and the Technical University of Vienna launched a massive attack on the botnet's hybrid peer-to-peer/HTTP communications infrastructure, according to one of the researchers who handled that part of the operation, but declined to be named publicly.
"We were told to push the red button, so to speak, and we started an attack on the P2P network as VeriSign was removing the domains," the researcher said in an interview. The operation was facilitated by the German and Austrian team's existing foothold in Waledac -- last year, the group successfully infiltrated Waledac and was able to leverage their continued undercover presence in the botnet.
They placed fake nodes into the botnet that posed as Waledac "repeaters" -- the second-tier servers that communicate directly with the bots and sit between the infected bots and the back-end C&C servers -- and redirected the infected machines to safe IP addresses, or sinkholes. Within six hours, 90 percent of the botnet had been shut down. Now it's a matter of catching those bots that hadn't phoned home during the initial wave of the attack and alerting ISPs to infected IP addresses in their address ranges so they, in turn, can alert customers whose machines were part of Waledac.
"Once the bots have connected to our infrastructure, they can't connect [back to Waledac again]," the researcher says. "We have 90 percent of the botnet taken down."
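The follow-up step the researchers describe, turning sinkhole connection records into per-ISP notification lists, as an added example that is not part of the article or the researchers' tooling. The log format, IP addresses, ISP ranges and bot check-in pattern are all constructed for illustration; a real deployment would use WHOIS/ASN data and the actual bot request signature.

```python
"""Added example: group bots seen at a sinkhole by the ISP that owns
their address range so each ISP can be notified. All inputs are
constructed; nothing here reflects Waledac's real protocol."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole log lines: timestamp, source IP, method, path
SINKHOLE_LOG = """\
2010-02-24T10:00:01Z 192.0.2.15 POST /updates.php
2010-02-24T10:00:03Z 198.51.100.7 POST /updates.php
2010-02-24T10:05:10Z 192.0.2.15 POST /updates.php
2010-02-24T10:06:00Z 203.0.113.200 GET /index.html
2010-02-24T13:00:00Z 192.0.2.99 POST /updates.php
"""

# Constructed ISP allocations (in practice taken from WHOIS/ASN data)
ISP_RANGES = {
    "ExampleNet-A": ipaddress.ip_network("192.0.2.0/24"),
    "ExampleNet-B": ipaddress.ip_network("198.51.100.0/24"),
}

# Only requests matching the bot's check-in pattern count as infections;
# the pattern itself is a placeholder, not the real Waledac request.
BOT_CHECKIN = ("POST", "/updates.php")


def parse_log(text):
    """Yield (timestamp, ip, method, path) tuples from the log text."""
    for line in text.splitlines():
        ts, ip, method, path = line.split()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               ipaddress.ip_address(ip), method, path)


def infected_by_isp(text):
    """Map ISP name -> {bot IP: (first_seen, last_seen, hit_count)}.
    IPs outside known ranges land under 'unknown' rather than being dropped."""
    report = defaultdict(dict)
    for ts, ip, method, path in parse_log(text):
        if (method, path) != BOT_CHECKIN:
            continue  # stray web traffic hitting the sinkhole, not a bot
        isp = next((n for n, net in ISP_RANGES.items() if ip in net), "unknown")
        first, last, count = report[isp].get(ip, (ts, ts, 0))
        report[isp][ip] = (min(first, ts), max(last, ts), count + 1)
    return dict(report)
```

Counting repeat check-ins per IP helps separate persistent infections from one-off hits when prioritising notifications.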
The takedown operation's success actually surprised the researchers. "We didn't expect it would work so well and we would be able to take over so many of the bots," says a researcher with the Technical University of Vienna, who worked on the takedown and also asked not to be named. "But this had worked in similar attacks ... and we had experience with P2P."
The method was similar to what researchers did last year when they infiltrated Waledac. "If I make a bot believe I am a valid repeater, and I answer it the way it expects, [it works]," the Mannheim researcher says.
They found 25 different IP addresses for the C&C servers, and estimated six or seven of them were running at one time, most of them hosted in Russia and Germany, with a few in other parts of Europe, as well. Half of the infected machines are in North America, from the U.S., Canada, and Mexico, while others are in Central Europe and other parts of the globe, according to the researchers.
The researchers also believe there is a "mothership" at the highest level of the botnet, which could potentially lead to the actual criminal gang behind Waledac.
Botnet takedowns, to date, have been rare and tricky, often performed by a single group that was able to convince a domain operator to cut its ties with the offending botnet operators. Most ISPs and domain registrars are hesitant, for legal reasons, to cut off service to any customer. What makes the Waledac dismantling so significant is its successful use of a legal weapon -- now setting a precedent for future botnet takedowns.
In a blog post announcing the Waledac takedown today, Microsoft associate general counsel Tim Cranton says Operation b49 was the culmination of months of investigation; the legal action was granted on Monday, Feb. 22. "Our goal is to make that disruption permanent," he blogged. "This legal and industry operation against Waledac is the first of its kind, but it won't be the last. With this action, done in cooperation with experts from Shadowserver, the University of Washington, Symantec and others, we're building on other important work across the global security community to combat botnets. Stay tuned."
VeriSign had no comment on the Waledac operation.