


Microsoft, Researchers Team Up And Tear Down Major Spamming Botnet

Unprecedented court order helped dismantle Waledac, the second-gen iteration of the Storm botnet; here's how the undercover operation went down

Waledac -- the spamming botnet formerly known as Storm -- was downed yesterday in a sneak attack by a team from Microsoft, Shadowserver, the University of Washington, Symantec, and a group of researchers from Germany and Austria who had first infiltrated the botnet last year.

In an unprecedented move, Microsoft secured a federal court order that, in effect, required VeriSign to cut off 277 Internet .com domains that were serving as the connections between Waledac's command and control (C&C) servers and around 60,000 to 80,000 bots or infected machines it had recruited to spew its spam. Waledac is best-known for its online pharmacy, phony products, jobs, and penny stock spam scams, and has the capacity to send more than 1.5 billion spam email messages per day.

The so-called "Operation b49" effort basically turned the tables on the Waledac botnet operators by systematically hijacking the communications between the botnet and its infected bots. Once Microsoft had the court order in hand from the U.S. District Court of Eastern Virginia in response to its legal complaint, researchers from the University of Mannheim in Germany and the Technical University of Vienna launched a massive attack on the botnet's hybrid peer-to-peer/HTTP communications infrastructure, according to one of the researchers who handled that part of the operation, but declined to be named publicly.

"We were told to push the red button, so to speak, and we started an attack on the P2P network as VeriSign was removing the domains," the researcher said in an interview. The operation was facilitated by the German and Austrian team's existing foothold in Waledac -- last year, the group successfully infiltrated Waledac and was able to leverage their continued undercover presence in the botnet.

They placed fake nodes into the botnet that posed as Waledac "repeaters" -- the second-tier servers that communicate directly with the bots and sit between the infected bots and the back-end C&C servers -- and redirected the infected machines to safe IP addresses, or sinkholes. Within six hours, 90 percent of the botnet had been shut down. Now it's a matter of catching those bots that hadn't phoned home during the initial wave of the attack and alerting ISPs to infected IP addresses in their networks so they, in turn, can alert customers whose machines were part of Waledac.

"Once the bots have connected to our infrastructure, they can't connect [back to Waledac again]," the researcher says. "We have 90 percent of the botnet taken down."

The takedown operation's success actually surprised the researchers. "We didn't expect it would work so well and we would be able to take over so many of the bots," says a researcher with the Technical University of Vienna, who worked on the takedown and also asked not to be named. "But this had worked in similar attacks ... and we had experience with P2P."

The method was similar to what researchers did last year when they infiltrated Waledac. "If I make a bot believe I am a valid repeater, and I answer it the way it expects, [it works]," the Mannheim researcher says.

They found 25 different IP addresses for the C&C servers, and estimated six or seven of them were running at one time, most of them hosted in Russia and Germany, with a few in other parts of Europe, as well. Half of the infected machines are in North America, from the U.S., Canada, and Mexico, while others are in Central Europe and other parts of the globe, according to the researchers.

The researchers also believe there is a "mothership" at the highest level of the botnet, which could potentially lead to the actual criminal gang behind Waledac.

Botnet takedowns, to date, have been rare and tricky, often performed by one group who was able to convince a domain operator to cut its ties with the offending botnet operators. Most ISPs and domain registrars are hesitant for legal reasons to cut off service to any customer. What makes the Waledac dismantling so significant is its successful use of a legal weapon -- now setting a precedent for future such botnet takedowns.

In a blog post announcing the Waledac takedown today, Microsoft associate general counsel Tim Cranton says Operation b49 was the culmination of months of investigation; the legal action was granted on Monday, Feb. 22. "Our goal is to make that disruption permanent," he blogged. "This legal and industry operation against Waledac is the first of its kind, but it won't be the last. With this action, done in cooperation with experts from Shadowserver, the University of Washington, Symantec and others, we're building on other important work across the global security community to combat botnets. Stay tuned."

VeriSign had no comment on the Waledac operation.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
