Slashdot Mirror


Microsoft Secretly Beheads Notorious Waledac Botnet

Barence writes "Microsoft has quietly won court approval to deactivate 277 domain names that are being used to control a vast network of infected PCs. The notorious Waledac botnet is being used by Eastern European spammers to send 1.5 billion spam messages every day, and infect hundreds of thousands of machines with malware. In a suit filed in the US District Court of Eastern Virginia, Microsoft accused 27 unnamed defendants of violating federal computer crime laws. It further requested that domain registrar Verisign temporarily deactivate the domains, shutting down the control servers being used to send commands to the machines. The request was secretly approved by District Judge Leonie Brinkema, allowing the action to be taken covertly, preventing Waledac's operators from switching domains."

6 of 381 comments

  1. It pains me to say this... by MrNaz · Score: 5, Funny

    ... but HOORAY FOR MICROSOFT!

    --
    I hate printers.
  2. Re:Contingencies by Jahava · Score: 5, Insightful

    Even if the control machines lose DNS resolution, might not the botnet be configured to fall back to connecting to well-known IP addresses to accept commands? Seems like the logical thing to do if you are creating an illegal network...

    Well, here are a few thoughts:

    • Microsoft probably thoroughly reverse-engineered the botnet client code prior to seeking the court's assistance. Therefore, they have a very good understanding of the botnet's control algorithms. They probably derived those domain names and took those specific measures in response to their understanding of those algorithms.
    • For a botnet, hard-coding IP addresses could be riskier than DNS names. If someone is trying to shut you down, it's easier on their part to pick a specific set of IP addresses and (with cooperation of their respective ISPs) get them shut down or (without said cooperation) firewalled.
    • For a botnet, it's much faster and easier to change your IP address and update a DNS entry, leaving the botnet code alone. If you have to change those hard-coded addresses, you have to not only rebuild and push new code, but update every infected system (and any network admin on a legit controlled network knows that there can be issues with this). With the DNS entry they have a central point to update.
    • I'd not be surprised if Microsoft chose this specific botnet because it had a vulnerability that was within the reach of a court to address.

    As others have pointed out, this teaches every other botnet author a lesson on what can be done. The problem ain't solved by a long shot, but maybe the Internet is safe for another night (cue Batman music).

  3. Re:"East European" by fuzzix · Score: 5, Insightful

    Cheap cop-out.

    You're in a mass market. You cannot expect the majority of users to know anything about computers. You can debate that point all you like, but that's how it is. Saying otherwise is like saying only car mechanics should be allowed to drive cars.

    No, it's more like saying "people should know how to drive before taking their car on public roads."

  4. Re:"East European" by nacturation · Score: 5, Funny

    The Ukrainians, Poles, and Chechs called. They're insulted that you're lumping them in with the Rooskies, and they're rooting your box.

    The insulted Czechs are now rooting your box.

    That explains all the spam. The Czechs are in the mail.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  5. Re:Secret courts, secret orders, ... by Steve+Hamlin · Score: 5, Informative

    It's called a Temporary Restraining Order (TRO). In civil court cases, the Plaintiff can ask the judge to issue a TRO to prevent ongoing harmful conduct that later monetary damages after trial are insufficient to remedy. In other words: "Your Honor, this can't wait until the trial is over." The standards are high, and courts do not do this without a very compelling set of alleged facts. Requesting Plaintiffs are often required to post a significant cash bond to cover damage to the enjoined party in case the TRO is not, in hindsight, the proper pre-trial remedy.

    In most cases, a court won't issue a TRO without notice to the defendants and a hearing to allow the sought-to-be-enjoined party to respond to the Motion for TRO. In some situations, like this, where mere notice might allow the Defendants to further the harm, the court orders the TRO without notice to the enjoined party. The Order allows the Plaintiffs to demand that third parties do or stop doing something for the enjoined party - the first notice to them is when they can't access bank accounts, or their vendor refuses to cooperate, etc.

    The safeguards built into the system are (1) the cash bond, (2) a neutral judge that weighs the likelihood of irreversible damage and proof of the initial allegations against the harm from enjoining a party before a verdict, and most importantly, (3) that these are TEMPORARY. The judge will order a hearing with BOTH parties within (usually) 10 days of the TRO issuance, at which time the Defendants can object, rebut the Plaintiff's allegations, and ask the court to lift the injunction. At that point, it is a dispute between two noticed parties before a neutral court.

  6. not atypical by ericbg05 · Score: 5, Insightful

    So Microsoft secretly filed a suit against 27 unnamed individuals, and got a secret order taking 277 domain names away from them, all based on a mere accusation.

    Oh, but since we're fighting spam, I guess that's okay.

    Wait until Microsoft starts doing this to go after copyright violations. Will y'all be cheering then?

    My fiancée IAL working in a federal district court. I have mod points, but I guess it's more illuminating to reply than mod down this ridiculous comment.

    Stuff is filed under seal in court all the time. The idea is that you don't want the defendant you're pursuing to know you're pursuing them if there's a high chance they can cover their tracks. You can't just make a "mere accusation" and get a court to do whatever you want. That, of course, would be silly.

    Most judges are really quite reasonable about the decision to keep things sealed. In any event, all the docs will become unsealed relatively quickly -- and if you think the court was *unreasonable*, that they abused their discretion somehow, you can take your complaint to the appellate court.

    Court proceedings are slow, but some crooks (especially intelligent, well-funded crooks) can move fast. This is the balance we've found between thinking things through carefully, and satisfying the public's right to this information, while still prosecuting agile crooks.

    In copyright infringement cases, the plaintiff would probably have a hard time convincing the judge that docs need to stay sealed.

    Believe it or not, the system actually works pretty well sometimes.

    Look, I'm all for an intelligent discussion of the shortcomings of the legal system, of which there are plenty. But you should really try to learn something about it before criticizing it. Otherwise you're just wasting everyone's time.