Cracking Down on Botnets

Botnets - networks of compromised computers controlled by hackers known as “bot-herders” - have become a serious problem in cyberspace.  Their proliferation has led some to worry that the botnet problem is unsolvable.  Under the control of a hacker or group of hackers, botnets are often used to conduct various attacks ranging from denial of service attacks on websites, to spamming, click fraud, and distribution of new forms of malicious software.

At Microsoft, we don’t accept the idea that botnets are a fact of life.  We are a founding member of the Botnet Task Force,  a public-private partnership to join industry and government in the fight against bots. Given the recent spread of botnets, we are getting even more creative and aggressive in the fight against botnets and all forms of cybercrime. That’s why I’m proud to announce that through legal action and technical cooperation with industry partners, we have executed a major botnet takedown of Waledac, a large and well-known “spambot.”  The Wall Street Journal has a story on the case (WSJ subscription required).

The concept of a botnet can be difficult to grasp. The infographic below explains how these nefarious programs work by hijacking thousands of computers, usually without their owners’ knowledge.

Outlook Social Connector

An overview of how nefarious botnet programs work by hijacking thousands of computers, usually without their owners’ knowledge.
Click for high-res version.

The takedown of the Waledac botnet that Microsoft executed this week – known internally as “Operation b49” – was the result of months of investigation and the innovative application of a tried and true legal strategy. One of the 10 largest botnets in the US and a major distributor of spam globally, Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day.  In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.

On February 22, in response to a complaint filed by Microsoft  (“Microsoft Corporation v. John Does 1-27, et. al.”, Civil action number 1:10CV156) in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot.

This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world. Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet.

A map of Waledac infections around the world in a recent 18-day period.

A map of Waledac infections around the world in a recent 18-day period.
Click for high-res version.

Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent.  But the operation hasn’t cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused.  Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware. 

To help make sure you are not infected by this or other botnets, our  advice is to follow the “protect your PC” guidance available at https://www.microsoft.com/protect.   

People running Windows machines also should visit the Microsoft Security Web site, where they can find Microsoft’s Malicious Software Removal Tool, which removes Waledac. We also recommend that Windows users install and maintain up-to-date anti-virus and anti-spyware programs such as Microsoft Security Essentials and turn on auto updates and firewalls.   For our part, we will continue to work with both our industry partners and government leaders to explore possibilities for reaching out to the owners of compromised computers to advise them of the infection and remove malicious code from their machines.

This legal and industry operation against Waledac is the first of its kind, but it won’t be the last. With this action, done in cooperation with experts from Shadowserver, the University of Washington, Symantec, University of Mannheim, Technical University in Vienna, International Secure Systems Lab, the University of Bonn and others, we’re building on other important work across the global security community to combat botnets.  Stay tuned.

 

Tim Cranton
Associate General Counsel