Microsoft to target other botnets with legal weapon

Acknowledges it's too soon to judge its fight against Waledac bots

Microsoft has several other botnets in its crosshairs, and believes it can use the same legal tactic against them that it deployed last week to strike at the Waledac botnet's command-and-control centers.

But the company also admitted that it had not yet severed all communications between the controllers of Waledac and the thousands of compromised Windows computers used by hackers to pitch bogus security software and send a small amount of spam.

"This shows it can be done," said Richard Boscovich, senior attorney with Microsoft's Digital Crimes Unit. "Each botnet is different, of course, but this is another arrow in the quiver. This is not the last [effort].... We have other operations on the drawing board."

Last Wednesday, Microsoft announced that it had been granted a court order that yanked nearly 300 sites from the Internet. Those sites, Microsoft said, were a key link between hackers and the PCs that make up the Waledac botnet. The legal tactic, which garnered accolades from many security professionals as a precedent-setting move, resulted in what Microsoft called "a major botnet takedown" of Waledac, a fact that some researchers disputed.

The same method can and will be applied to other botnets, Boscovich said. He declined to say which zombie PC army is next on Microsoft's hit list. "Of course this is scalable," he said when asked whether the legal action against Waledac would work against other botnets, or was a one-off. "This is another tool we can now use, another mechanism that is available."

In fact, when Microsoft officials sat down in early January to decide which botnet to target, they started with a list of six, then narrowed it to three, from which they selected Waledac. The remaining five unnamed botnets remain on Microsoft's list.

"We wanted to challenge ourselves technically," said Boscovich when asked why Waledac was chosen. "From the technical standpoint, it had a certain reputation."

Waledac does have a reputation. The malware that infects victimized PCs was created by, and the botnet is maintained by, hackers who previously flooded the Internet with the Storm bot from early 2007 through mid-2008. Waledac's makers "definitely know the ins and outs," Joe Stewart, director of malware analysis at SecureWorks and a noted botnet researcher, said last Thursday.

Boscovich admitted that Waledac wasn't the world's biggest botnet, but said several things recommended it for the debut of Microsoft's legal approach to bot smashing. Among them: The identified command-and-control domains were all registered with one domain registrar, VeriSign, which made it easier to coordinate the site shutdowns; and Microsoft had been in contact with several independent researchers who had dug deep into the malware's code and the botnet's behavior.

Even as Microsoft said it would again swing the legal sword, it also admitted it had not completely cut ties between the infected PCs and the hackers who control them.

"They were severely impacted [by the legal action], and we expect the severity of the impact to increase over the next several days," said T.J. Campana, a senior program manager who works for Boscovich in the company's Digital Crimes Unit. When asked whether communications between the Waledac hackers and the botnet's PCs had been comprehensively severed, Campana answered, "By and large, the answer is no."

Last week, Microsoft claimed it had grabbed control of more than 60,000 bots in the Waledac collection after the court order shuttered the 277 targeted domains. Several security researchers, however, questioned whether the tactic would cripple Waledac , or even disrupt its activities, since hackers have multiple mechanisms for passing commands to machines infected with Waledac.

As a fall-back, Waledac bots can communicate to their controllers "indefinitely" using IP (Internet Protocol) addresses that are hard-coded into the bot Trojan, SecureWorks' Stewart said last week.

Campana acknowledged those alternate command-and-control links within Waledac, and said Microsoft is attacking those as well. He declined to provide details of what Microsoft was doing, or when -- or even if -- the Waledac bots would be unreachable by their makers. "In addition to the legal action against the domains, we have taken other technical measures," said Campana. "At this point, we're still working that angle and actively adapting our measures."

Several message security and spam filtering companies and organizations, including Google 's Postini and the U.K.-based SpamHaus, also disputed Microsoft's claim last week that Waledac was a "major distributor of spam" and that crippling it would reduce spam.

Symantec's MessageLabs also weighed in on the impact issue, and like other vendors, downplayed Waledac's significance. "There's been no real noticeable effect of the takedown," Matt Sergeant, a senior anti-spam technologist with MessageLabs, said in an e-mail. "It's one of the smallest botnets out there, and the court order appears to have had very little effect on its output."

Microsoft countered, saying it's too early to gauge its anti-Waledac moves. "We're still looking at the impact this has had," said Campana, referring specifically to the monitoring Microsoft's doing of the volume of spam addressed to Windows Live Hotmail accounts. "It's somewhat premature to say 'yay or nay' yet." The next one or two weeks will tell the tale, Campana agreed.

But Boscovich would not promise that Microsoft would make Hotmail spam data public. "We'll look at that [decision] fairly soon," he said.

It isn't the first time that Microsoft has said it has crippled a botnet built by this group of hackers. In April 2008, the company took credit for crushing the Storm botnet -- Waledac's predecessor -- saying that the malware search-and-destroy tool it distributes to Windows users every month disinfected so many bots that the hackers threw in the towel .

As with the Waledac take-down, researchers at the time disputed Microsoft's claim that it had beaten Storm into submission.

Campana urged Windows users to run the Microsoft-made Malicious Software Removal Tool (MSRT) to scrub Waledac from infected systems, and up-to-date anti-virus software to keep it off still-clean machines. "This is definitely a preventable issue," he said.

------

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Knowledge Center.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags botnetsMicrosoft

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?