Cracking Down on Botnets
Posted by Tim Cranton
Associate General Counsel
Botnets - networks of compromised computers controlled by hackers known as “bot-herders” - have become a serious problem in cyberspace. Their proliferation has led some to worry that the botnet problem is unsolvable. Under the control of a hacker or group of hackers, botnets are often used to conduct various attacks ranging from denial of service attacks on websites, to spamming, click fraud, and distribution of new forms of malicious software.
At Microsoft, we don’t accept the idea that botnets are a fact of life. We are a founding member of the Botnet Task Force, a public-private partnership to join industry and government in the fight against bots. Given the recent spread of botnets, we are getting even more creative and aggressive in the fight against botnets and all forms of cybercrime. That’s why I’m proud to announce that through legal action and technical cooperation with industry partners, we have executed a major botnet takedown of Waledac, a large and well-known “spambot.” The Wall Street Journal has a story on the case today (subscription required).
The concept of a botnet can be difficult to grasp. The infographic below explains how these nefarious programs work by hijacking thousands of computers, usually without their owners’ knowledge.
Botnet Infographic - Click to Enlarge
The takedown of the Waledac botnet that Microsoft executed this week – known internally as “Operation b49” – was the result of months of investigation and the innovative application of a tried and true legal strategy. One of the 10 largest botnets in the US and a major distributor of spam globally, Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day. In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million attempted spam email connections attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.
On February 22, in response to a complaint filed by Microsoft (“Microsoft Corporation v. John Does 1-27, et. al.”, Civil action number 1:10CV156) in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot.
This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world. Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet.
A map of Waledac infections around the world in a recent 18 day period
Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent. But the operation hasn’t cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused. Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware.
To help make sure you are not infected by this or other botnets, our advice is to follow the “protect your PC” guidance available athttps://www.microsoft.com/protect.
People running Windows machines also should visithttps://www.microsoft.com/security/malwareremove/default.aspx, where they can find Microsoft’s Malicious Software Removal Tool, which removes Waledac. We also recommend that Windows users install and maintain up-to-date anti-virus and anti-spyware programs such as Microsoft Security Essentials and turn on auto updates and firewalls. For our part, we will continue to work with both our industry partners and government leaders to explore possibilities for reaching out to the owners of compromised computers to advise them of the infection and remove malicious code from their machines.
This legal and industry operation against Waledac is the first of its kind, but it won’t be the last. With this action, done in cooperation with experts from Shadowserver, the University of Washington, Symantec, University of Mannheim, Technical University in Vienna, International Secure Systems Lab, the University of Bonn and others, we’re building on other important work across the global security community to combat botnets. Stay tuned.
Comments
Anonymous
July 12, 2010
The comment has been removedAnonymous
July 12, 2010
Instant cure to botnets, wipe your hard drive and install a GNU/Linux distro until M$ fix the inherent insecurity of WindowsAnonymous
July 12, 2010
Close the barn door after the horse has bolted??Anonymous
July 12, 2010
The comment has been removedAnonymous
July 12, 2010
I have a question. I am very glad that action is being taken against botnets, and welcome it. But on what basis is Microsoft suing the botnet operators? Do they have standing? I was under the impression the victims of the botnets are the people whose computers are hacked, and therefore it should be these people or the government going after the botnet operators, rather than MS?Anonymous
July 12, 2010
The comment has been removedAnonymous
July 12, 2010
suezz: Worked at Sun Micro for ten years. If you think Unix and it's derivatives don't have viruses, bots, root kits, and other problems you are both very fortunate and not looking very hard. Check Cert anytime for Unix failings.Anonymous
July 12, 2010
Frank, read the complaint. They, good lawyers that they are, plainly lay out the justification for their claim of sufficient standing in that document. Also included, among other documentation, is a map of affected hosts specificially located within the Eastern District of Virginia in order to bolster filing their claim in that jurisdiction. And MS certainly does business in that district. You'd think the judge is experienced enough in such matters to be able to discern whether their claims are suffiently weighty to accept, so they're likely valid. Claims that they don't have standing or that this court does not have jurisdiction are things that could be appealed, I suppose, but I'd sure be surprised if these John Does came out of the woodwork to file such appeals.Anonymous
July 12, 2010
tc taylor: I never said unix didn't have those items. Linux and Unix is structured in a way where if you did happen to get one the damage is limited. It also a lot harder to write spyware, viruses etc for Unix. It also comes with tools to combat those problems free of charge and thus would make fighting them easier and one of the reasons why it would not be an issue when you dump windows. Installing GNU/Linux would get rid of this problem. I check out Cert all the time and I see most of the problems are Windows or proprietary software like sunos or hpux. Although windows is the worse about fixing problems but that is another discussion. This is a windows problems period end of story. Again installing GNU/Linux would get rid of the problem.Anonymous
July 12, 2010
The comment has been removedAnonymous
July 12, 2010
tc taylor as suezz says its not that there isn't any malware for the *nixes just that windows is inherently and by design less secure. And the old secure because its obsure doesn't wash because more than half all webservers run on lampAnonymous
July 12, 2010
But the way that Microsoft went after them, it only effects domains in the US. Looking at my Barracuda, I have seen no difference in spam volumes over the last month so this really doesn't effect anything. It is more of a nuisance to the bot operators than anything else. The best thing for Microsoft would be to stop all the new eye candy and other useless folderol and go back to the drawing board and re-write windows to make it more secure. With all of their billions of dollars that they have made selling products, you would think they could actually make something that would be secure by now.Anonymous
July 12, 2010
Awesome work guys, good to see that you are taking actions against botnets!Anonymous
July 12, 2010
The comment has been removedAnonymous
July 12, 2010
Guys, you miss the point when you just rant about Windows flaws, how can these absolve spammers and DOS attackers from their wrong doings? I'm not a big fan of MS/Windows myself, but give the devil his due!Anonymous
July 12, 2010
The comment has been removedAnonymous
July 12, 2010
Fast and effective actions. Good work, do keep it up. Botnets and cybercrime are on the rise.Anonymous
July 12, 2010
HiHello, I am new here. So if I mistake your meaning, please tell me.Anonymous
July 12, 2010
Simply avoid the offered downloads if the planed use of the installed needs are working for the purpouse or duty. Well I will click "Remember me?", you are than taking controll of somthing, but who else...Automaticly clean up any traces of the work, after cloasin..What than with type and read... etc etc...To build cloased chains, easier and faster controlled and cleaned?Anonymous
July 12, 2010
My cousin recommended this blog and she was totally right keep up the fantastic work!Anonymous
July 12, 2010
I have had four different Microsoft technicians trying to no avail, and I am at my wit's end.Anonymous
July 12, 2010
Drew, As usual, your post sets me to thinking... I really think the senior concierge industry, if that's even a correct descriptor, could be huge.Anonymous
June 23, 2012
Microsoft Needs to go after these guys... From: www.scribd.com/.../97504724-Kelly http://pastebay.net/1062756Anonymous
November 20, 2012
Botnets were on T.V. not that long ago sugisting "tell leep a thee" might be a fact, it is not a fact or a matter, Truth should not have to be, why do all ahve to be put on front street by the tag teammof Bill Clinton And Hill ore Re: do it get more money Billy come on du.