By now you have likely seen multiple reports of Operation b49, which has targeted the Win32/Waledac botnet’s command and control infrastructure. As I mentioned in my last blog, there is still more work that needs to be done in terms of cleaning up infected systems. Of course, Win32/Waledac is not the only botnet; even though we have taken positive steps in an attempt to neutralize this family of malicious software, there is still a need for additional action and cross-industry cooperation to combat these threats to Internet safety.
It is interesting to observe the distribution of Waledac when considering the risk it may represent to your organization, as it differs significantly from previous heat maps that show the infection rates of all threats combined. Infection rates are significantly higher in the US and Europe, and moderately high in Australia, Brazil, and Canada, than those we see in China, Japan and other parts of the Pacific Rim.

The scale shown in the heat map above is relative to itself and should not be taken to connote that one country is “safer” than another, since we are only displaying data about Win32/Waledac and not all threats. The scale in the bottom left corner ranges in infection rate from less than one computer per 100,000 to 26 computers per 100,000. These figures are well below the computers cleaned per thousand (CCM) metric for every country we discuss in the Security Intelligence Report (we are cleaning on the order of tens of millions of infected computers in a given year). In the period from January 2009 through the end of February 2010 we have removed this threat from 182,340 computers, some of which were infected at more than one time or with more than one version of the threat.
[Chart: Computers Cleaned]
Since Win32/Waledac is distributed through email, generally with a lure based on a current holiday or other topical news item, a varied distribution is expected.
It is also important to note that the number of computers infected is not the only aspect of the impact a threat can have. This threat has also been responsible for significant levels of spam. Estimates show the capacity of spam Waledac could deliver to be 1.5 billion messages per day; more than 651 million connection attempts were made to Hotmail between December 3 and December 21, 2009, each of which would be capable of delivering hundreds or even thousands of unsolicited email messages. Additionally, the impact of credential theft, theft of email addresses in an infected computer’s address book and other risks compound the damage this threat is able to do.
As we have reported in our Security Intelligence Reports, there has been an increase in botnet disinfections period over period, as is illustrated in the chart below. Botnets vary widely in capability but generally are used by criminals for the distribution of malicious software, sending large volumes of spam, distributed denial of service attacks, theft of passwords and personal information, as well as to maintain a foothold on a large number of computers for future use, either directly or in a pay-for-service model through the underground economy.

Scott Charney will be discussing these threats, Operation b49 and more in his keynote today at RSA. Additionally, I will be speaking in more detail on botnets in general and Waledac specifically in the Microsoft Theater in the Expo hall at noon. I hope to see you there, as well as in the panel discussion at 1pm in Orange Room 307 (SIP-106), where Andrew Jaquith of Forrester Research will lead us in a lively discussion of Security Intelligence Reporting. You can also find more information on our efforts towards end-to-end trust and how we aspire to a safer, more trusted Internet here. As crime on the Internet evolves in complexity and volume, we must fight these threats more creatively and aggressively, both directly and through cross-industry partnerships, to make the Internet safer for all of us.
--Jeff Williams