Microsoft, Researchers Team Up And Tear Down Major Spamming Botnet
Unprecedented court order helped dismantle Waledac, the second-gen iteration of the Storm botnet; here's how the undercover operation went down
February 25, 2010
Waledac -- the spamming botnet formerly known as Storm -- was downed yesterday in a sneak attack by a team from Microsoft, Shadowserver, the University of Washington, Symantec, and a group of researchers from Germany and Austria who had first infiltrated the botnet last year.
In an unprecedented move, Microsoft secured a federal court order that, in effect, required VeriSign to cut off 277 Internet .com domains that were serving as the connections between Waledac's command and control (C&C) servers and around 60,000 to 80,000 bots or infected machines it had recruited to spew its spam. Waledac is best-known for its online pharmacy, phony products, jobs, and penny stock spam scams, and has the capacity to send more than 1.5 billion spam email messages per day.
The so-called "Operation b49" effort basically turned the tables on the Waledac botnet operators by systematically hijacking the communications between the botnet and its infected bots. Once Microsoft had the court order in hand from the U.S. District Court of Eastern Virginia in response to its legal complaint, researchers from the University of Mannheim in Germany and the Technical University of Vienna launched a massive attack on the botnet's hybrid peer-to-peer/HTTP communications infrastructure, according to one of the researchers who handled that part of the operation, but declined to be named publicly.
"We were told to push the red button, so to speak, and we started an attack on the P2P network as VeriSign was removing the domains," the researcher said in an interview. The operation was facilitated by the German and Austrian team's existing foothold in Waledac -- last year, the group successfully infiltrated Waledac and was able to leverage their continued undercover presence in the botnet.
They placed fake nodes into the botnet that posed as Waledac "repeaters" -- the second-tier servers that communicate directly with the bots and site between the infected bots and the back-end C&C servers, and redirected the infected machines to safe IP addresses or sinkholes. Within six hours, 90 percent of the botnet had been shut down. Now it's a matter of catching those bots that hadn't phoned home during the initial wave of the attack and alerting ISPs of infected IP addresses in their domains so they, in turn, can alert customers whose machines were part of Waledac.
"Once the bots have connected to our infrastructure, they can't connect [back to Waledac again]," the researcher says. "We have 90 percent of the botnet taken down."
The takedown operation's success actually surprised the researchers. "We didn't expect it would work so well and we would be able to take over so many of the bots," says a researcher with the Technical University of Vienna, who worked on the takedown and also asked not to be named. "But this had worked in similar attacks ... and we had experience with P2P."
The method was similar to what researchers did last year when they infiltrated Waledac. "If I make a bot believe I am a valid repeater, and I answer it the way it expects, [it works]," the Mannheim researcher says.
They found 25 different IP addresses for the C&C servers, and estimated six or seven of them were running at one time, most of them hosted in Russia and Germany, with a few in other parts of Europe, as well. Half of the infected machines are in North America, from the U.S., Canada, and Mexico, while others are in Central Europe and other parts of the globe, according to the researchers.
The researchers also believe there is a "mothership" at the highest level of the botnet, which could potentially lead to the actual criminal gang behind Waledac.
Botnet takedowns, to date, have been rare and tricky, often performed by one group who was able to convince a domain operator to cut its ties with the offending botnet operators. Most ISPs and domain registrars are hesitant for legal reasons to cut off service to any customer. What makes the Waledac dismantling so significant is its successful use of a legal weapon -- now setting a precedent for future such botnet takedowns.
In a blog post announcing the Waledac takedown today, Microsoft associate general counsel Tim Cranton says Operation b49 was the culmination of months of investigation; the legal action was granted on Monday, Feb. 22. "Our goal is to make that disruption permanent," he blogged. "This legal and industry operation against Waledac is the first of its kind, but it won't be the last. With this action, done in cooperation with experts from Shadowserver, the University of Washington, Symantec and others, we're building on other important work across the global security community to combat botnets. Stay tuned."
VeriSign had no comment on the Waledac operation. Andre DiMino, director of Shadowserver, says the legal action helped ensure VeriSign was legally covered in the takedown. "VeriSign wants to be sure they are covering all of their bases," DiMino says. "This is pretty groundbreaking ... To take down a botnet at the domain level is really providing a precedent that allows the security industry to disable or disrupt a more significant botnet. This puts the bad, the registries, ICANN, the security community, and all the good guys on notice that this is not a losing battle and something can be done to effect change."
It's unclear whether the takedown got investigators any closer to the criminal gang behind Waledac. Researchers are studying the botnet's internals closely for any clues and paths to the people behind the botnet. "Sometimes when dealing with organized cybercriminal entities or nation-states, the hardest thing is identifying the source," says Rich Baich, leader of the Cyber Threat Intelligence Group at Deloitte. "It takes a significant amount of time" he says, to break through all of the layers cybercriminals place between themselves and the victims.
Meanwhile, there's still some cleanup to do: Remnants of Waledac are still being wiped out, and the former Waledac bots are still infected with the bot's malware. Microsoft recommends customers check out its Protect Your PC guidelines and run its Malicious Software Removal Tool to scan for and clean up any Waledac infections.
Shadowserver is beginning to notify network owners about the bot-infected machines on their networks, DiMino says.
The team who took down Waledac expects the gang will try to reinvent itself yet again, as it did from Storm to Waledac. "This botnet is pretty much done," says the researcher at University of Mannheim. "In my opinion, they are now back to coding and developing a new form of the botnet."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like