Microsoft, Researchers Team Up And Tear Down Major Spamming Botnet
Unprecedented court order helped dismantle Waledac, the second-gen iteration of the Storm botnet; here's how the undercover operation went down
Waledac -- the spamming botnet formerly known as Storm -- was downed yesterday in a sneak attack by a team from Microsoft, Shadowserver, the University of Washington, Symantec, and a group of researchers from Germany and Austria who had first infiltrated the botnet last year.
In an unprecedented move, Microsoft secured a federal court order that, in effect, required VeriSign to cut off 277 Internet .com domains that were serving as the connections between Waledac's command and control (C&C) servers and around 60,000 to 80,000 bots or infected machines it had recruited to spew its spam. Waledac is best-known for its online pharmacy, phony products, jobs, and penny stock spam scams, and has the capacity to send more than 1.5 billion spam email messages per day.
The so-called "Operation b49" effort turned the tables on the Waledac botnet operators by systematically hijacking the communications between the botnet and its infected bots. Once Microsoft had the court order in hand from the U.S. District Court of Eastern Virginia in response to its legal complaint, researchers from the University of Mannheim in Germany and the Technical University of Vienna launched a massive attack on the botnet's hybrid peer-to-peer/HTTP communications infrastructure, according to one of the researchers who handled that part of the operation and who declined to be named publicly.
"We were told to push the red button, so to speak, and we started an attack on the P2P network as VeriSign was removing the domains," the researcher said in an interview. The operation was facilitated by the German and Austrian team's existing foothold in Waledac -- last year, the group successfully infiltrated Waledac and was able to leverage their continued undercover presence in the botnet.
They placed fake nodes into the botnet that posed as Waledac "repeaters" -- the second-tier servers that communicate directly with the bots and sit between the infected bots and the back-end C&C servers -- and redirected the infected machines to safe IP addresses, or sinkholes. Within six hours, 90 percent of the botnet had been shut down. Now it's a matter of catching those bots that hadn't phoned home during the initial wave of the attack and alerting ISPs to infected IP addresses in their networks so they, in turn, can alert customers whose machines were part of Waledac.
"Once the bots have connected to our infrastructure, they can't connect [back to Waledac again]," the researcher says. "We have 90 percent of the botnet taken down."
The takedown operation's success actually surprised the researchers. "We didn't expect it would work so well and we would be able to take over so many of the bots," says a researcher with the Technical University of Vienna, who worked on the takedown and also asked not to be named. "But this had worked in similar attacks ... and we had experience with P2P."
The method was similar to what researchers did last year when they infiltrated Waledac. "If I make a bot believe I am a valid repeater, and I answer it the way it expects, [it works]," the Mannheim researcher says.
They found 25 different IP addresses for the C&C servers, and estimated six or seven of them were running at one time, most of them hosted in Russia and Germany, with a few in other parts of Europe, as well. Half of the infected machines are in North America, from the U.S., Canada, and Mexico, while others are in Central Europe and other parts of the globe, according to the researchers.
The researchers also believe there is a "mothership" at the highest level of the botnet, which could potentially lead to the actual criminal gang behind Waledac.
Botnet takedowns, to date, have been rare and tricky, often performed by a single group that was able to convince a domain operator to cut its ties with the offending botnet operators. Most ISPs and domain registrars are hesitant, for legal reasons, to cut off service to any customer. What makes the Waledac dismantling so significant is its successful use of a legal weapon -- setting a precedent for future botnet takedowns.
In a blog post announcing the Waledac takedown today, Microsoft associate general counsel Tim Cranton says Operation b49 was the culmination of months of investigation; the legal action was granted on Monday, Feb. 22. "Our goal is to make that disruption permanent," he blogged. "This legal and industry operation against Waledac is the first of its kind, but it won't be the last. With this action, done in cooperation with experts from Shadowserver, the University of Washington, Symantec and others, we're building on other important work across the global security community to combat botnets. Stay tuned."
VeriSign had no comment on the Waledac operation.