Threat Research & Response Blog
Recently, following an investigation to which various members of the MMPC contributed, Microsoft’s Digital Crimes Unit initiated a takedown of the Waledac botnet in an action known as Operation b49, an ongoing operation to disrupt the botnet for the long term. The takedown also marked a new phase of exploration in combating botnets, which we call Project MARS (short for Microsoft Active Response for Security). While it is still too early to know the entire scope of this particular takedown's impact, early returns show that Operation b49 has been delivering on the disruption of Waledac and helping to map new territory in the fight against botnets. I wanted to update you on what we know and what we are still learning regarding the impact of that fight.
To effectively counter a botnet like Waledac, we knew a multi-layered approach was needed – one that included peer-to-peer communication disruption through technical countermeasures, domain-level takedowns to disrupt the ‘phone home’ communications between zombie PCs and the command and control servers for Waledac, and traditional server takedowns to sever the back-end command and control mechanisms most directly under the control of the bot master(s).
With the caveats that there are rarely, if ever, any absolutes regarding botnets and that we are still analyzing and investigating the impact of this action, early data from Microsoft and other researchers indicate that our actions have effectively decimated communications within the Waledac bot network. For example, researchers from the Shadowserver Foundation, the Technical University in Vienna, University of Mannheim, University of Bonn and University of Washington have analyzed honeypot data on Waledac and have observed an effective cessation of commands to Waledac 'zombies.' That’s good news because it indicates that Operation b49 effectively severed between 70,000 and 90,000 computers from this botnet, meaning that those customers are less likely to see rogue security software pop-ups, malware downloads, outgoing spam and ID and password theft associated with the Waledac botnet infection.
We’ve also been tracking Operation b49’s impact on the symptoms of Waledac infection – symptoms that include malware downloads, identity theft and spam attacks from infected computers to other victims. Researchers at Sudosecure who track new Waledac infections have data showing a dramatic decline in new IP addresses appearing within the Waledac network, meaning that Waledac is no longer spreading its infection to other computers. While there will likely always be some fluctuations as long as the underlying malware exists and we must and will continue to work with the security community to stay on top of Waledac over time, the 'zero new infections' number reported by Sudosecure as of February 27 is a great indicator of the success of these efforts so far.
As for spam, the trends we’ve been seeing since the takedown provide valuable insight into the nature of infections on zombie computers. Waledac itself is just one of many sources of spam on the Internet and we never intended Operation b49 to appreciably shrink worldwide spam volumes. The goal, rather, was to disrupt the bot and to learn from that disruption for future actions.
As we knew going in, the computers within the Waledac botnet are still infected with the original malware that gave herders control of them in the first place. What we’ve learned since the takedown from our initial data is that many of them are likely infected by other malware that may still be directing them to conduct attacks outside of Waledac’s control structure. We base this hypothesis on the evidence that honeypot computers infected only with Waledac are not sending spam nor getting commands to execute any other attacks. However, Hotmail data and our examination of the behavior of all the known IP addresses for the previously infected Waledac computers show that about half of the computers once under the control of Waledac are still trying to send spam – and are in fact doing so at higher levels today than they were in our December analysis. Since spam campaigns have spikes and lulls, it’s difficult to make direct comparisons of spamming behavior over time, but this data also seems to align with what we’re hearing from others in the industry.
We’ve also learned from this experience that our legal action has been successful in helping to sever to the command and control communications for Waledac at the domain level thus far. In fact, since the original takedown occurred, we have worked with two affected domain owners (Stephen Paluck and eNom) to successfully address the problems with their respective domains and we have amended our legal filings to reflect that we are pursuing no further injunctive relief from the court on those domains. (See www.noticeofpleadings.com for all legal documentation and presented evidence in this case as it proceeds.) Other registered domain owners named in the legal filings have not yet exercised their due process rights by responding to the court, but the case is still ongoing. Our goal with this lawsuit is to help promote a safer, more secure Internet, and we will continue to work toward that aim as we move forward in the case.
These and other findings demonstrate what, for us, is perhaps the most critical outcome of this case: proof of concept. As we forge ahead with Project MARS, we’ll be looking to the lessons of Operation b49 as successful signposts along the road in this uncharted territory. While no one action will wipe out every threat, any strong action to disable a botnet is significant progress and each action will inform the next. For example, we’ve also recently seen Spanish authorities take down another notorious botnet – Mariposa – with great success and we commend them for their valuable work. These actions demonstrate how critical the incredible cooperation of stakeholders and experts all around the world is to success. Look for more efforts like these as we work together to take a stand against botnets and make the internet safer and more secure for everyone.
Anyone concerned that their computer may be infected by malware should follow the "protect your PC" guidance available at http://www.microsoft.com/protect. Windows customers can also visit http://www.microsoft.com/security/malwareremove/default.aspx to find Microsoft's Malicious Software Removal Tool, which removes Waledac and other malware.
So, stay tuned. The fight goes on.