Slashdot Mirror


Microsoft Secretly Beheads Notorious Waledac Botnet

Barence writes "Microsoft has quietly won court approval to deactivate 277 domain names that are being used to control a vast network of infected PCs. The notorious Waledac botnet is being used by Eastern European spammers to send 1.5 billion spam messages every day, and infect hundreds of thousands of machines with malware. In a suit filed in the US District Court of Eastern Virginia, Microsoft accused 27 unnamed defendants of violating federal computer crime laws. It further requested that domain registrar Verisign temporarily deactivate the domains, shutting down the control servers being used to send commands to the machines. The request was secretly approved by District Judge Leonie Brinkema, allowing the action to be taken covertly, preventing Waledac's operators from switching domains."

25 of 381 comments

  1. One step toward active botnet fighting? by jeffmeden · · Score: 4, Interesting

    This is nice (if reactionary) but how long before we can get a court order to legally fight the botnet by 'infecting' the target computers with a patch, or at least some sort of message that warns the user to seek help?

    Would Microsoft ever go that far? Would that be admitting that the only solution to the holes in Windows is vigilantism?

    1. Re:One step toward active botnet fighting? by Saint+Fnordius · · Score: 4, Informative

      It actually has come to the point where botnets are actively removing other malware from the infected computer, much like a parasite killing off other parasites so that it has sole possession of the host.

    2. Re:One step toward active botnet fighting? by derGoldstein · · Score: 4, Interesting

      I'm waiting for the visualization software that will display the fight. Maybe you could place bets...

      --
      Entomologically speaking, the spider is not a bug, it's a feature.
  2. Contingencies by flink · · Score: 4, Interesting

    Even if the control machines lose DNS resolution, might not the botnet be configured to fall back to connecting to well known IP addresses to accept commands? Seems like the logical thing to do if you are creating an illegal network...

    1. Re:Contingencies by Clover_Kicker · · Score: 4, Insightful

      If they were smart it's easier to make money legally than illegally.

      Really?

    2. Re:Contingencies by TheLink · · Score: 4, Interesting

      If I wrote malware (I don't), I'd use google, other search engines and maybe even twitter (but that's probably covered by search engines nowadays) to search for new instructions :). So you could post the instructions "anywhere" in the world along with keywords. The search engines would find it. Naturally you'd check the signatures to see if the instructions are valid.

      I'd also write the malware in perl. Pretty easy to do such stuff with perl - can also fork and run the instructions in an eval (if you think people are going to crack your malware). It'll be interesting to see how the AV people cope with TIMTOWTDI. Probably trivial to whip up equivalents in python or similar.

      Such malware could run on windows, Linux, *BSD, OSX :).

    3. Re:Contingencies by Jahava · · Score: 5, Insightful

      Even if the control machines lose DNS resolution, might not the botnet be configured to fall back to connecting to well known IP addresses to accept commands? Seems like the logical thing to do if you are creating an illegal network...

      Well, here are a few thoughts:

      • Microsoft probably thoroughly reverse-engineered the botnet client code prior to seeking the court's assistance. Therefore, they have a very good understanding of the botnet's control algorithms. They probably derived those domain names and took those specific measures in response to their understanding of those algorithms.
      • For a botnet, hard-coding IP addresses could be riskier than DNS names. If someone is trying to shut you down, it's easier on their part to pick a specific set of IP addresses and (with cooperation of their respective ISPs) get them shut down or (without said cooperation) firewalled.
      • For a botnet, it's much faster and easier to change your IP address and update a DNS entry, leaving the botnet code alone. If you have to change those hard-coded addresses, you have to not only rebuild and push new code, but update every infected system (and any network admin on a legit controlled network knows that there can be issues with this). With the DNS entry they have a central point to update.
      • I'd not be surprised if Microsoft chose this specific botnet because it had a vulnerability that was within the reach of a court to address.

      As others have pointed out, this teaches every other botnet author a lesson on what can be done. The problem ain't solved by a longshot, but maybe the Internet is safe for another night (cue Batman music).

    4. Re:Contingencies by Ifni · · Score: 4, Insightful

      I tend to wonder at the accuracy of that assumption. I think that drug dealing is a lot like acting - people see all the famous actors and say "I can get rich as an actor", but don't notice that it is only the top one percent or so that truly make it - the rest struggle to get by, or make a moderate living at best. Additionally, as a drug dealer, you also have to avoid the law - being wildly successful for 5 years then getting caught and put in jail for ten to twenty makes flipping burgers more profitable an endeavor over the long term. Not to mention the rather short life expectancy of many of the most successful due to "competition".

      So, short term, yeah, dealing (or many types of crime) is easier than making money legally. But long term, you either have to be really good, and thus invest much effort in staying one step ahead of both the law and those looking to "replace" you, or you lose the advantage that crime had, and then some. And if you are investing the required effort successfully, you likely could have done equally well working legitimately. Sure, there are the Dons and Colombian drug lords that are the exception, but again - only the top 1% or less enjoy that privilege.

      --
      Oh, was that my outside voice?

    5. Re:Contingencies by pehrs · · Score: 4, Informative

      Not a new idea. Google is working actively to stop this kind of abuse, which they do by forcing you to go through a captcha if you try to search for terms that are related to malware. I have taken apart a few "evil" programs that did google searches, and each time I found that the search terms had a captcha block.

      State of the art for malware is to use a generator function (typically a hash) to generate random domain names. If it loses contact with the C&C servers it will use this generator to try domain names until it finds a new configuration file (properly encrypted and signed). For the controller they only need to register one of the domain names generated by the hash and eventually the bots will all reconnect.
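      A defender's view of the generator-based fallback described above, as an added example that is not code from the thread or from any real botnet: once responders have reverse-engineered such a generator from a sample, they can pre-compute the names a bot will try on upcoming days (to sinkhole or block them before the controller registers one) and flag clients whose resolver logs show bursts of failed lookups for machine-looking names. The generator here is hypothetical (SHA-256 over a constructed seed, the date and a counter), as are the seed, the log lines and the heuristic thresholds.

```python
"""Added defender's example (hypothetical generator, constructed log), not code from the thread."""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import date, timedelta

SEED = b"constructed-example-seed"   # in practice: the constant recovered from the sample
TLDS = ("com", "net", "org")         # constructed; a real list comes from the sample too
EXAMPLE_DAY = date(2010, 2, 25)


def candidates(day, count=8, seed=SEED):
    """Hypothetical generator: label = first 12 hex chars of H(seed || YYYYMMDD || i)."""
    stamp = day.strftime("%Y%m%d").encode()
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + stamp + bytes([i])).hexdigest()
        names.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return names


def sinkhole_list(start, days_ahead=3, **kw):
    """Candidates for `days_ahead` consecutive days, in the order a bot would walk them."""
    out = []
    for n in range(days_ahead):
        out.extend(candidates(start + timedelta(days=n), **kw))
    return out


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def looks_generated(host, min_len=10, min_entropy=2.5, max_vowel_ratio=0.3):
    """Crude DGA heuristic on the leftmost label: long, high-entropy, vowel-poor."""
    label = host.split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return label_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


# Constructed resolver log, one "client queried_name rcode" record per line (not real traffic).
DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 7f3a9c1e2b4d.com NXDOMAIN
10.0.0.5 c81e728d9d4c.net NXDOMAIN
10.0.0.5 windowsupdate.example.com NOERROR
10.0.0.9 eccbc87e4b5c.org NXDOMAIN
10.0.0.9 slashdot.org NOERROR
"""


def suspicious_clients(log, min_hits=2):
    """Clients with at least `min_hits` NXDOMAIN answers for DGA-looking names."""
    hits = defaultdict(list)
    for line in log.strip().splitlines():
        client, host, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(host):
            hits[client].append(host)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}
```

The two halves work together: the sinkhole list is only as good as the recovered algorithm, while the log heuristic catches a bot walking names you have not pre-computed, at the cost of false positives on CDN-style hostnames.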

    6. Re:Contingencies by 2obvious4u · · Score: 4, Interesting

      That is a bad assumption on his part. Drug dealers have different priorities than most people. I used to know people who would gross 100k a week dealing drugs. The thing is they would have to pay 60k back to the suppliers and then they would split 10k each and would pick up girls and take them on shopping sprees to get laid and would spend the rest on stuff like clothes and drugs for themselves. They really didn't have any money left at the end of the week. Owning houses that you bought with drug money doesn't work out very well when the IRS comes knocking, so they would blow all their funds on consumables during the week.

      Eventually they got caught and spent about 5 years in jail each. But for the 2 or 3 years they were earning that kind of cash and spending it on clothes, cars, women and drugs they lived like rock stars. The problem is that you do get caught and it is a very rough life. You have to have a very low moral standard that most of society can't stomach. But from the pictures it looked like a lot of fun. Even knowing about the 5 years hard time at the end.

      Oh, and women like drug dealers. You get a girl hooked on your supply and you can get laid whenever you like. Not everything can be measured in dollars.

    7. Re:Contingencies by Asic+Eng · · Score: 4, Insightful

      I think you are aiming too low. I'm aware of many factors in which France is better than Germany, others in which the UK is better than France, and yet a different set in which Germany is better than the UK. The US outshines Europe in many areas, but the reverse is also true. Criticism is not hate, and learning from the best will serve you better in the long term than pretending to be the best at everything.

    8. Re:Contingencies by DJoffe · · Score: 4, Informative

      The notion that "anybody can make it in the US if they work hard" is a fairy tale.

      Seriously. Be born rich. That's the way to go.

      The notion that the notion is a fairytale is a fairytale. People love to blindly spread memes like this because they enjoy feeling sorry for themselves, but it simply isn't true:

      Rags To Riches Billionaires: "Almost two-thirds of the world's 946 billionaires made their fortunes from scratch, relying on grit and determination"

      That doesn't mean everyone can end up a billionaire, but it's simply false that this notion that 'anyone can make it' is a fairytale; it's borne out on practically a daily basis. If you open your eyes and look, you'll find a true-life rags-to-riches story under every second stone you turn --- especially in the USA, but also these days frequently in places like China. But yeah, not everyone is born hard-working, I guess, so keep sitting and feeling sorry for yourself and you'll definitely ensure that nothing ever changes for you.

      Rags to Riches CEOs

      7 greatest celebrity rags to riches stories

      Rags to Riches

      Entrepreneur takes women from rags to riches

      Rags to Riches billionaires

      Asian American Rags to Riches Sagas

      Case Study: From Rags to Riches (Brenda French)

      Cordia Harrington: From Rags to Riches Success Story

      Local cosmetics magnate reveals rags-to-riches life story

      China: A rags-to-riches story to dream about (Yan Huiyan)

      China’s paper magnate is a rags-to-riches story, literally

      Rags to riches: Bill MacAloney: from orphan to successful business owner to CBA

      From rags to riches: Filipino weavers trade up

      Etc. etc. blah blah ... I could go on pasting these stories in here all day. Nothing worse than listening to whiny losers feeling sorry for themselves that they weren't born rich.

  3. It pains me to say this... by MrNaz · · Score: 5, Funny

    ... but HOORAY FOR MICROSOFT!

    --
    I hate printers.
    1. Re:It pains me to say this... by hairyfeet · · Score: 4, Insightful

      I call bullshit, unless you can back that up with a citation? My 67 year old clueless father didn't want to wait for the weekend so installed Windows 7 HP X64 all by himself. The default install found all the updates and applied them, found and installed all the drivers, and at first login took him to a screen to pick from several free Antivirus apps (He chose Microsoft Security Essentials, which works just fine) and thanks to my GF coming down for the weekend I didn't get to swing by and look at his new machine for nearly 2 weeks. What did I find?

      A perfectly working PC that was free of malware, that's what. It didn't have a single lick of trouble, and the only thing I had to do was show him how to install Firefox with ABP (because he got used to FF thanks to the office box I built him and now hates IE), but even with him running IE for two weeks there were NO infections. Not a single bug, spyware, malware, nothing.

      So how about you back up that statement with a link or two? Sure XP Pre Sp1, when it had no firewall and was just hanging in the breeze was a joke, but ever since Sp2 frankly I haven't been seeing malware from properly updated boxes. I have sold hundreds of SP2 and above boxes, all with a free AV, autoupdates turned ON, and Firefox, and there hasn't been a SINGLE one come back for malware, except for a few PENKACs that purposely ignored the AV trying to get free porn by installing a "codec". So yeah, as someone who actually does this for a living I have to call bullshit without some citations to back it up. Let's see 'em pal.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  4. Re:"East European" by jtdennis · · Score: 4, Informative

    This can also be started manually by running "MRT.exe" from the run prompt. The month of the update is in the title bar, so it's easy to tell if you're current or not.

    --
    "Freedom is the right of all sentient beings" -Optimus Prime
  5. Re:"East European" by fuzzix · · Score: 5, Insightful

    Cheap cop-out.

    You're in a mass-market. You can not expect the majority of users to know anything about computers. You can debate that point all you like, but that's how it is. Saying otherwise is like saying only car mechanics should be allowed to drive cars.

    No, it's more like saying "people should know how to drive before taking their car on public roads"

  6. Re:"East European" by nacturation · · Score: 5, Funny

    The Ukranians, Poles, and Chechs called. They're insulted that you're lumping them in with the Rooskies, and they're rooting your box.

    The insulted Czechs are now rooting your box.

    That explains all the spam. The Czechs are in the mail.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  7. Re:"East European" by Bakkster · · Score: 4, Insightful

    You're in a mass-market. You can not expect the majority of users to know anything about computers. You can debate that point all you like, but that's how it is. Saying otherwise is like saying only car mechanics should be allowed to drive cars.

    But you can tell them to perform preventative maintenance like fluid changes, etc. Then it is their fault if they think they know better and ignore the manufacturer's recommendations.

    An example would be brake pads. If you're lazy, you might never replace your brake pads, making you a hazard to everyone else on the road. So, brake pads have metal filings in the last portion of the pad to make an obnoxious grinding noise when it's time to change them. What better way to get people to take care of their car/computer than to annoy them until they fix the issue?

    --
    Write your representatives! Repeal the 2nd Law of Thermodynamics!
  8. I must have missed the memo by OzPeter · · Score: 4, Funny

    Is today the day we like Microsoft?? I just want to make sure I have that right. It's not some trick to cover them acting like vigilantes, is it??

    --
    I am Slashdot. Are you Slashdot as well?
  9. Re:Methods - Ends Justify the Means? by OzPeter · · Score: 4, Funny

    It's not "president". You probably meant "precedent".

    No, he really does mean "president". You see, now that Bill isn't there, Microsoft has this big tank of goop out in the back, and whenever they need a new VP to make a bold policy change they open a valve and flow the goop into a person-shaped mould. Then they have to let it harden or "set". After which time they decant the new president and set him to work.

    Thus the OP was expressing his concern for the zombie-like creatures that this policy has brought to (semi) life.

    He must be a member of PETZ

    --
    I am Slashdot. Are you Slashdot as well?
  10. Re:Microsoft by WrongSizeGlass · · Score: 4, Insightful

    I am by nature a MS basher ... at times even a rather venomous one .. but let's give MS some credit here. They went to court and obviously provided enough evidence that a judge was convinced (yes, yes, I hear the chorus of 'what qualifications did the judge have?'). They didn't take actions into their own hands and they released the information about it once the court ruling was made.

    The fact remains that MS was actually acting in their own best interest and that of their customers. Those of us who don't use Windows will probably benefit by receiving a little less spam every day, too.

    Hmmm ... I feel a little dirty now ... I better go clean up. I'm pretty sure Steve Jobs will personally come over to repossess my Apple Fan Boy card. Sniff, I'm going to miss it ... a lot. But, I'm rather excited to finally meet Mr Jobs :-)

  11. Re:Secret courts, secret orders, ... by Steve+Hamlin · · Score: 5, Informative

    It's called a Temporary Restraining Order (TRO). In civil court cases, the Plaintiff can ask the judge to issue a TRO to prevent ongoing harmful conduct that later monetary damages after trial are insufficient to remedy. In other words: "Your Honor, this can't wait until the trial is over." The standards are high, and courts do not do this without a very compelling set of alleged facts. Requesting Plaintiffs are often required to post a significant cash bond to cover damage to the enjoined party in case the TRO is not, in hindsight, the proper pre-trial remedy.

    In most cases, a court won't issue a TRO without notice to the defendants and a hearing to allow the sought-to-be-enjoined party to respond to the Motion for TRO. In some situations, like this, where mere notice might allow the Defendants to further the harm, the court orders the TRO without notice to the enjoined party. The Order allows the Plaintiffs to demand third parties to do or stop doing something for the enjoined party - the first notice to them is when they can't access bank accounts, or their vendor refuses to cooperate, etc.

    The safeguards built into the system are (1) the cash bond, (2) a neutral judge that weighs the likelihood of irreversible damage and proof of the initial allegations against the harm from enjoining a party before a verdict, and most importantly, (3) that these are TEMPORARY. The judge will order a hearing with BOTH parties within (usually) 10 days of the TRO issuance, at which time the Defendants can object, rebut the Plaintiff's allegations, and ask the court to lift the injunction. At that point, it is a dispute between two noticed parties before a neutral court.

  12. not atypical by ericbg05 · · Score: 5, Insightful

    So Microsoft secretly filed a suit against 27 unnamed individuals, and got a secret order taking 277 domain names away from them, all based on a mere accusation.

    Oh, but since we're fighting spam, I guess that's okay.

    Wait until Microsoft starts doing this to go after copyright violations. Will y'all be cheering then?

    My fiancée IAL working in a federal district court. I have mod points, but I guess it's more illuminating to reply than mod down this ridiculous comment.

    Stuff is filed under seal in court all the time. The idea is that you don't want the defendant you're pursuing to know you're pursuing them if there's a high chance they can cover their tracks. You can't just make a "mere accusation" and get a court to do whatever you want. That, of course, would be silly.

    Most judges are really quite reasonable about the decision to keep things sealed. In any event, all the docs will become unsealed relatively quickly -- and if you think the court was *unreasonable*, that they abused their discretion somehow, you can take your complaint to the appellate court.

    Court proceedings are slow, but some crooks (especially intelligent, well-funded crooks) can move fast. This is the balance we've found between thinking things through carefully, and satisfying the public's right to this information, while still prosecuting agile crooks.

    In copyright infringement cases, the plaintiff would probably have a hard time convincing the judge that docs need to stay sealed.

    Believe it or not, the system actually works pretty well sometimes.

    Look, I'm all for an intelligent discussion of the shortcomings of the legal system, of which there are plenty. But you should really try to learn something about it before criticizing it. Otherwise you're just wasting everyone's time.

  13. NO SUCH THING AS IDIOT-PROOF! by Chas · · Score: 4, Funny

    Because idiots are amazingly inventive, persistent, and breed at a rate so ferocious that rabbits are envious.

    Come up with a "foolproof" way for securing a system and some imbecile will find a way around it.

    Not to mention all the inconveniences such a lockdown method would inevitably entail.

    --
    Chas - The one, the only.
    THANK GOD!!!
  14. NOT a DNS issue you boob! by Chas · · Score: 4, Informative

    This has nothing to do with US control of DNS.

    They went to the domains' REGISTRAR (GoDaddy) and got THEM to disable the domains.

    Control of DNS could be in the hands of Bumblefuckistan and they still could have done this.

    --
    Chas - The one, the only.
    THANK GOD!!!