Microsoft Secretly Beheads Notorious Waledac Botnet

Barence writes "Microsoft has quietly won court approval to deactivate 277 domain names that are being used to control a vast network of infected PCs. The notorious Waledac botnet is being used by Eastern European spammers to send 1.5 billion spam messages every day, and infect hundreds of thousands of machines with malware. In a suit filed in the US District Court of Eastern Virginia, Microsoft accused 27 unnamed defendants of violating federal computer crime laws. It further requested that domain registrar Verisign temporarily deactivate the domains, shutting down the control servers being used to send commands to the machines. The request was secretly approved by District Judge Leonie Brinkema, allowing the action to be taken covertly, preventing Waledac's operators from switching domains."

Re:Contingencies

[Clover_Kicker]

1. If they were smart it's easier to make money legally than illegally.

Really?

Re:Contingencies

[Jahava]

Even if the control machines loose DNS resolution, might not the botnet be configured to fall back to connecting to well known IP addresses to accept commands? Seems like the logical thing to do if you are creating an illegal network...

Well, here are a few thoughts:

• Microsoft probably thoroughly reverse-engineered the botnet client code prior to seeking the court's assistance. Therefore, they have a very good understanding of the botnet's control algorithms. They probably derived those domain names and took those specific measures in response to their understanding of those algorithms.
• For a botnet, hard-coding IP addresses could be riskier than DNS names. If someone is trying to shut you down, it's easier on their part to pick a specific set of IP addresses and (with cooperation of their respective ISPs) get them shut down or (without said cooperation) firewalled.
• For a botnet, it's much faster and easier to change your IP address and update a DNS entry, leaving the botnet code alone. If you have to change those hard-coded addresses, you have to not only rebuild and push new code, but update every infected system (and any network admin on a legit controlled network knows that there can be issues with this). With the DNS entry they have a central point to update.
• I'd not be surprised if Microsoft chose this specific botnet because it had a vulnerability that was within the reach of a court to address

As others have pointed out, this teaches every other botnet author a lesson on what can be done. The problem ain't solved by a longshot, but maybe the Internet is safe for another night (cue Batman music).

Re:Contingencies

[Ifni]

I tend to wonder at the accuracy of that assumption. I think that drug dealing is a lot like acting - people see all the famous actors and say "I can get rich as an actor", but don't notice that it is only the top one percent or so that truly make it - the rest struggle to get by, or make a moderate living at best. Additionally, as a drug dealer, you also have to avoid the law - being wildly successful for 5 years then getting caught and put in jail for ten to twenty makes flipping burgers more profitable an endeavor over the long term. Not to mention the rather short life expectancy of many of the most successful due to "competition".

So, short term, yeah, dealing (or many types of crime) is easier than making money legally. But long term, you either have to be really good, and thus invest much effort in staying one step ahead of both the law and those looking to "replace" you, or you lose the advantage that crime had, and then some. And if you are investing the required effort successfully, you likely could have done equally well working legitimately. Sure, there are the Dons and Columbian drug lords that are the exception, but again - only the top 1% or less enjoy that privilege.

Re:"East European"

[fuzzix]

Cheap cop-out.

You're in a mass-market. You can not expect the majority of users to know anything about computers. You can debate that point all you like, but that's how it is. Saying otherwise is like saying only car mechanics should be allowed to drive cars.

No, it's more like saying "people should know how to drive before taking their car on public roads"

Re:"East European"

[Bakkster]

You're in a mass-market. You can not expect the majority of users to know anything about computers. You can debate that point all you like, but that's how it is. Saying otherwise is like saying only car mechanics should be allowed to drive cars.

But you can tell them to perform preventative maintenence like fluid changes, etc. Then it is their fault if they think they know better and ignore the manufacturer's recommendations.

An example would be brake pads. If you're lazy, you might never replace your brake pads, making you a hazard to everyone else on the road. So, brake pads have metal filings in the last portion of the pad to make an obnoxious grinding noise when it's time to change them. What better way to get people to take care of their car/computer than to annoy them until they fix the issue?

Re:Microsoft

[WrongSizeGlass]

I am by nature a MS basher ... at times even a rather venomous one .. but let's give MS some credit here. They went to court and obviously provided enough evidence that a judge was convinced (yes, yes, I hear the chorus of 'what qualifications did the judge have?'). They didn't take actions into their own hands and they released the information about it once the court ruling was made.

The fact remains that MS was actually acting in their own best interest and that of their customers. Those of use who don't use Windows will probably benefit by receiving a little less spam every day, too.

Hmmm ... I feel a little dirty now ... I better go clean up. I'm pretty sure Steve Jobs will personally come over to repossess my Apple Fan Boy card. Sniff, I'm going to miss it ... a lot. But, I'm rather excited to finally meet Mr Jobs :-)

not atypical

[ericbg05]

So Microsoft secretly filed a suit against 27 unnamed individuals, and got a secret order taking 277 domain names away from them, all based on a mere accusation.

Oh, but since we're fighting spam, I guess that's okay.

Wait until Microsoft starts doing this to go after copyright violations. Will y'all be cheering then?

My fiancée IAL working in a federal district court. I have mod points, but I guess it's more illuminating to reply than mod down this ridiculous comment.

Stuff is filed under seal in court all the time. The idea is that you don't want the defendant you're pursuing to know you're pursuing them if there's a high chance they can cover their tracks. You can't just make a "mere accusation" and get a court to do whatever you want. That, of course, would be silly.

Most judges are really quite reasonable about the decision to keep things sealed. In any event, all the docs will become unsealed relatively quickly -- and if you think the court was *unreasonable*, that they abused their discretion somehow, you can take your complaint to the appellate court.

Court proceedings are slow, but some crooks (especially intelligent, well-funded crooks) can move fast. This is the balance we've found between thinking things through carefully, and satisfying the public's right to this information, while still prosecuting agile crooks.

In copyright infringement cases, the plaintiff would probably have a hard time convincing the judge that docs need to stay sealed.

Believe it or not, the system actually works pretty well sometimes.

Look, I'm all for an intelligent discussion of the shortcomings of the legal system, of which there are plenty. But you should really try to learn something about it before criticizing it. Otherwise you're just wasting everyone's time.

Re:Contingencies

[Asic+Eng]

I think you are aiming too low. I'm aware of many factors in which France is better than Germany, others in which the UK is better than France, and yet a different set in which Germany is better than the UK. The US outshines Europe in many areas, but the reverse is also true. Criticism is not hate, and learning from the best will serve you better in the long term than pretending to be the best at everything.

Re:It pains me to say this...

[hairyfeet]

I call bullshit, unless you can back that up with a citation? My 67 year old clueless father didn't want to wait for the weekend so installed Windows 7 HP X64 all by himself. The default install found all the updates and applied them, found and installed all the drivers, and at first login took him to a screen to pick from several free Antivirus apps (He chose Microsoft Security Essentials, which works just fine) and thanks to my GF coming down for the weekend I didn't get to swing by and look at his new machine for nearly 2 weeks. What did I find?

A perfectly working PC that was free of malware, that's what. It didn't have a single lick of trouble, and the only thing I had to do was show him how to install Firefox with ABP (because he got used to FF thanks to the office box I built him and now hates IE) but even with him running IE for two weeks there was NO infections. Not a single bug, spyware, malware, nothing.

So how about you back up that statement with a link or two? Sure XP Pre Sp1, when it had no firewall and was just hanging in the breeze was a joke, but ever since Sp2 frankly I haven't been seeing malware from properly updated boxes. I have sold hundreds of SP2 and above boxes, all with a free AV, autoupdates turned ON, and Firefox, and there hasn't been a SINGLE one come back for malware, except for a few PENKACs that purposely ignored the AV trying to get free porn by installing a "codec". So yeah, as someone who actually does this for a living I have to call bullshit without some citations to back it up. Let's see 'em pal.