Cracking Down on Botnets


Posted by Tim Cranton

Associate General Counsel

Botnets – networks of compromised computers controlled by hackers known as “bot-herders” – have become a serious problem in cyberspace.  Their proliferation has led some to worry that the botnet problem is unsolvable.  Under the control of a hacker or group of hackers, botnets are often used to conduct various attacks ranging from denial of service attacks on websites, to spamming, click fraud, and distribution of new forms of malicious software.

At Microsoft, we don’t accept the idea that botnets are a fact of life.  We are a founding member of the Botnet Task Force,  a public-private partnership to join industry and government in the fight against bots. Given the recent spread of botnets, we are getting even more creative and aggressive in the fight against botnets and all forms of cybercrime. That’s why I’m proud to announce that through legal action and technical cooperation with industry partners, we have executed a major botnet takedown of Waledac, a large and well-known “spambot.” The Wall Street Journal has a story on the case today (subscription required).   

The concept of a botnet can be difficult to grasp. The infographic below explains how these nefarious programs work by hijacking thousands of computers, usually without their owners’ knowledge.

The takedown of the Waledac botnet that Microsoft executed this week – known internally as “Operation b49” – was the result of months of investigation and the innovative application of a tried and true legal strategy. One of the 10 largest botnets in the US and a major distributor of spam globally, Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day. In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million attempted spam email connections attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.

On February 22, in response to a complaint filed by Microsoft  (“Microsoft Corporation v. John Does 1-27, et. al.”, Civil action number 1:10CV156) in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot.

This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world. Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet.

Waledac Map

A map of Waledac infections around the world in a recent 18 day period

Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent.  But the operation hasn’t cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused.  Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware. 

To help make sure you are not infected by this or other botnets, our  advice is to follow the “protect your PC” guidance available athttp://www.microsoft.com/protect.   

People running Windows machines also should visithttp://www.microsoft.com/security/malwareremove/default.aspx, where they can find Microsoft’s Malicious Software Removal Tool, which removes Waledac. We also recommend that Windows users install and maintain up-to-date anti-virus and anti-spyware programs such as Microsoft Security Essentials and turn on auto updates and firewalls.   For our part, we will continue to work with both our industry partners and government leaders to explore possibilities for reaching out to the owners of compromised computers to advise them of the infection and remove malicious code from their machines.

This legal and industry operation against Waledac is the first of its kind, but it won’t be the last. With this action, done in cooperation with experts from Shadowserver, the University of Washington, Symantec, University of Mannheim, Technical University in Vienna, International Secure Systems Lab, the University of Bonn and others, we’re building on other important work across the global security community to combat botnets.  Stay tuned.

 

Comments (24)

  1. Anonymous says:

    Sorry, taking down other people's domain names because your software is easily corrupted isn't "great job guys" nor "operation b49."  It's "operation Microsoft has awful software and the bad guys exploit it."    The Courts shouldn't allow Microsoft to remove domain names.  (Sorry Windows sucks… really).    The Courts should hold Microsoft accountable for all that great IP. (Wait, is that Patents, Copyrights, or Trademarks?)  Either way Microsoft is responsible for millions of machines worldwide belonging to normal owners happily accepting commands from strangers to send spam, harvest credit card numbers, spy on their owners, etc.    Microsoft.  Your chickens have come home to roost. If you want to know whom to blame the mirror is in the bathroom on the wall.    E

  2. Anonymous says:

    Instant cure to botnets, wipe your hard drive and install a GNU/Linux distro until M$ fix the inherent insecurity of Windows

  3. Anonymous says:

    Close the barn door after the horse has bolted??

  4. Anonymous says:

    this is a windows problem lets be clear about this not a cyberspace problem.      windows is junk and if you want to get rid of the problem once and for all do what John says.     then the problem will be solved    been using GNU/Linux since the mid 90's and have never had root kits, botnets, or any other spyware/virus problem.  all at the cost of 0 dollars.

  5. Anonymous says:

    I have a question.    I am very glad that action is being taken against botnets, and welcome it.    But on what basis is Microsoft suing the botnet operators? Do they have standing?     I was under the impression the victims of the botnets are the people whose computers are hacked, and therefore it should be these people or the government going after the botnet operators, rather than MS?

  6. Anonymous says:

    BRAVO!  You deserve tons of admiration for stopping at least one spammer and cracker!  Well done, keep up the good fight!

  7. Anonymous says:

    suezz: Worked at Sun Micro for ten years.  If you think Unix and it's derivatives don't have viruses, bots, root kits, and other problems you are both very fortunate and not looking very hard.  Check Cert anytime for Unix failings.

  8. Anonymous says:

    Frank, read the complaint.  They, good lawyers that they are, plainly lay out the justification for their claim of sufficient standing in that document.  Also included, among other documentation, is a map of affected hosts specificially located within the Eastern District of Virginia in order to bolster filing their claim in that jurisdiction.  And MS certainly does business in that district.  You'd think the judge is experienced enough in such matters to be able to discern whether their claims are suffiently weighty to accept, so they're likely valid.  Claims that they don't have standing or that this court does not have jurisdiction are things that could be appealed, I suppose, but  I'd sure be surprised if these John Does came out of the woodwork to file such appeals.

  9. Anonymous says:

    tc taylor:  I never said unix didn't have those items.  Linux and Unix is structured in a way where if you did happen to get one the damage is limited.  It also a lot harder to write spyware, viruses etc for Unix.   It also comes with tools to combat those problems free of charge and thus would make fighting them easier and one of the reasons why it would not be an issue when you dump windows.     Installing GNU/Linux would get rid of this problem.  I check out Cert all the time and I see most of the problems are Windows or proprietary software like sunos or hpux.   Although windows is the worse about fixing problems but that is another discussion.    This is a windows problems period end of story.    Again installing GNU/Linux would get rid of the problem.

  10. Anonymous says:

    I completely agree with John and suezz. Windows is junk. Get rid of Windows and your problems are gone. I only use Linux and Mac OS X and everything runs fast and stable and it's very secure out of the box. No need to buy expensive anti-malware, anti-spyware and anti-adware software (which don't give complete protection, so sooner or later you'll end up with an infection). Just get rid of Windows. Use Linux (which is even completely free and can be installed on a regular PC or notebook) or buy a Mac.

  11. Anonymous says:

    tc taylor as suezz says its not that there isn't any malware for the *nixes just that windows is inherently and by design less secure. And the old secure because its obsure doesn't wash because more than half all webservers run on lamp

  12. Anonymous says:

    But the way that Microsoft went after them, it only effects domains in the US.  Looking at my Barracuda, I have seen no difference in spam volumes over the last month so this really doesn't effect anything.  It is more of a nuisance to the bot operators than anything else.  The best thing for Microsoft would be to stop all the new eye candy and other useless folderol and go back to the drawing board and re-write windows to make it more secure.  With all of their billions of dollars that they have made selling products, you would think they could actually make something that would be secure by now.  

  13. Anonymous says:

    Awesome work guys, good to see that you are taking actions against botnets!

  14. Anonymous says:

    if msft didn't have such a hole ridden insecure operating system maybe there wouldn't be so many botnets

  15. Anonymous says:

    Guys, you miss the point when you just rant about Windows flaws, how can these absolve spammers and DOS attackers from their wrong doings?    I'm not a big fan of MS/Windows myself, but give the devil his due!

  16. Anonymous says:

    It is not aways an easy thing to keep your anti-virus any Windows update running. Some of the malware stops the updating, and one must be really knowlegeable to make the updating work again. This should be addressed be software writers. It is really nice that Microsoft is doing somethig about botnets. Thanks a million!!

  17. Anonymous says:

    Fast and effective actions. Good work, do keep it up. Botnets and cybercrime are on the rise.

  18. Anonymous says:

    HiHello, I am new here. So if I mistake your meaning, please tell me.

  19. Anonymous says:

    Simply avoid the offered downloads if the planed use of the installed  needs are working for the purpouse or duty. Well I will click "Remember me?", you are than taking controll of somthing, but who else…Automaticly clean up any traces of the work, after cloasin..What than with type and read… etc etc…To build cloased chains, easier and faster controlled and cleaned?

  20. Anonymous says:

    My cousin recommended this blog and she was totally right keep up the fantastic work!

  21. Anonymous says:

    I have had four different Microsoft technicians trying to no avail, and I am at my wit's end.

  22. Anonymous says:

    Drew, As usual, your post sets me to thinking… I really think the senior concierge industry, if that's even a correct descriptor, could be huge.

  23. Concerned Citizen says:

    Microsoft Needs to go after these guys…

    From:

    http://www.scribd.com/…/97504724-Kelly

    http://pastebay.net/1062756

  24. Jason Michael Barry(Legal) Will-son I took. says:

    Botnets were on T.V. not that long ago sugisting "tell leep a thee" might be a fact, it is not a fact or a matter, Truth should not have to be, why do all ahve to be put on front street by the tag teammof Bill Clinton And Hill ore Re: do it get more money Billy come on du.