Dismantling Waledac

Today, you may have read in the Wall Street Journal about an operation Microsoft has been conducting against the Win32/Waledac botnet. If you haven’t already seen the article, you can find additional information in the Microsoft on the Issues blog. In summary, the Microsoft Digital Crimes Unit, with support from the Microsoft Malware Protection Center, has taken legal and technical steps in an attempt to disable the command and control infrastructure of Waledac in order to prevent the criminals responsible from issuing new instructions. Win32/Waledac is used primarily to send spam. It also has the ability to download and execute arbitrary files, harvest email addresses from the local machine, perform denial of service attacks, proxy network traffic and steal passwords. The impact posed by such an infection is, as a result, quite broad.
The method used for this takedown activity is rather novel and involves both legal and technical aspects. On Monday, Microsoft filed a complaint in the U.S. Eastern Court of Virginia, and the court granted a temporary restraining order against 277 domains believed to be associated with Waledac and under the control of the criminals responsible. With this TRO we have been able to suspend these domains from the Internet and, as a byproduct of this suspension, impair the ability of the criminal operators of the botnet to issue new commands or updates. Additional technical measures are being employed to further reduce the botnet’s peer-to-peer communications, and we are working with the security community to mitigate and respond to this botnet.
While the disruption of the command and control of Waledac is a positive thing, this does not, by itself, address the tens of thousands of computers which are still infected with the threat and which are estimated to have been responsible for as many as 1.5 billion spam messages per day. As we previously reported in our most recent Security Intelligence Report, covering the second half of 2009, Microsoft technologies such as the Malicious Software Removal Tool and Microsoft Security Essentials were used to remove more than 96,000 instances of this threat, making it the 11th most prevalent during that period. As we have in the past, we encourage our customers to run an up-to-date anti-virus program from a trusted source, to stay current with security updates from Microsoft using Automatic Update, and to keep third-party software up to date as well. If you are not already running up-to-date anti-virus software, we would ask that you do this now to assist in containing this, and other, threats.
We’re not done. Stay tuned.
-- Jeff Williams
