Microsoft Malware Protection Center
Threat Research & Response Blog
Dismantling Waledac
mmpc2
25 Feb 2010 11:05 AM
Today, you may have read in the Wall Street Journal about an operation Microsoft has been conducting against the Win32/Waledac botnet. If you haven't already seen the article, you can find additional information in the Microsoft on the Issues blog. In summary, the Microsoft Digital Crimes Unit, with support from the Microsoft Malware Protection Center, has taken legal and technical steps in an attempt to disable the command and control infrastructure of Waledac in order to prevent the criminals responsible from issuing new instructions. Win32/Waledac is used primarily to send spam. It also has the ability to download and execute arbitrary files, harvest email addresses from the local machine, perform denial of service attacks, proxy network traffic and steal passwords. The impact posed by such an infection is, as a result, quite broad.
The method used for this takedown activity is rather novel and involves both legal and technical aspects. On Monday, Microsoft filed a complaint in the U.S. District Court for the Eastern District of Virginia, and the court granted a temporary restraining order (TRO) against 277 domains believed to be associated with Waledac and under the control of the criminals responsible. With this TRO we have been able to suspend these domains from the Internet and, as a byproduct of this suspension, disrupt the ability of the botnet's criminal operators to issue new commands or updates. Domain suspension alone does not silence a botnet that can also coordinate over peer-to-peer channels, so additional technical measures are being employed to further reduce Waledac's peer-to-peer communications, and we are working with the security community to mitigate and respond to this botnet.
While the disruption of Waledac's command and control is a positive thing, it does not, by itself, clean up the tens of thousands of computers which are still infected with the threat and which are estimated to have been responsible for as many as 1.5 billion spam messages per day. As we previously reported in our most recent Security Intelligence Report, covering the second half of 2009, Microsoft technologies such as the Malicious Software Removal Tool and Microsoft Security Essentials were used to remove more than 96,000 instances of this threat, making it the 11th most prevalent during that period. As we have in the past, we encourage our customers to run an up-to-date anti-virus program from a trusted source, to stay current with security updates from Microsoft using Automatic Update, and to keep third-party software up to date as well. If you are not already running up-to-date anti-virus, we would ask that you do this now to assist in containing this, and other, threats.
We’re not done. Stay tuned.
-- Jeff Williams