Microsoft, Researchers Team Up And Tear Down Major Spamming Botnet

Unprecedented court order helped dismantle Waledac, the second-gen iteration of the Storm botnet; here's how the undercover operation went down
Andre DiMino, director of Shadowserver, says the legal action helped ensure VeriSign was legally covered in the takedown. "VeriSign wants to be sure they are covering all of their bases," DiMino says. "This is pretty groundbreaking ... To take down a botnet at the domain level is really providing a precedent that allows the security industry to disable or disrupt a more significant botnet. This puts the bad, the registries, ICANN, the security community, and all the good guys on notice that this is not a losing battle and something can be done to effect change."

It's unclear whether the takedown got investigators any closer to the criminal gang behind Waledac. Researchers are studying the botnet's internals closely for any clues and paths to the people behind the botnet. "Sometimes when dealing with organized cybercriminal entities or nation-states, the hardest thing is identifying the source," says Rich Baich, leader of the Cyber Threat Intelligence Group at Deloitte. "It takes a significant amount of time," he says, to break through all of the layers cybercriminals place between themselves and the victims.

Meanwhile, there's still some cleanup to do: Remnants of Waledac are still being wiped out, and the former Waledac bots are still infected with the bot's malware. Microsoft recommends customers check out its Protect Your PC guidelines and run its Malicious Software Removal Tool to scan for and clean up any Waledac infections.

Shadowserver is beginning to notify network owners about the bot-infected machines on their networks, DiMino says.

The team that took down Waledac expects the gang will try to reinvent itself yet again, as it did from Storm to Waledac. "This botnet is pretty much done," says the researcher at the University of Mannheim. "In my opinion, they are now back to coding and developing a new form of the botnet."
