Waledac Botnet Now Completely Offline, Experts Say
Trailrunner7 writes "After Microsoft's actions to take down the Waledac botnet last month, there was some question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections. But more than three weeks after the takedown, researchers say that Waledac has essentially ceased communications and its spam operations have dropped to near zero. One researcher said that Waledac now seems to be abandoned. 'It looks crippled, if not dead,' said Jose Nazario, a senior security researcher at Arbor Networks."
That is not dead which can eternal lie.
And with strange aeons even death may die.
I think everyone knew the answer was: no, it will not have an effect on spam levels or malware infections. Oh, it succeeded in taking the botnet offline, MS did something real here, but taking just one offline doesn't mean much.
"I use a Mac because I'm just better than you are."
It's dead, Jim.
If I were God, wouldn't I protect my churches from acts of me?
Waledac will be back... as SkyNet.
I think it was "Zed's dead, Baby, Zed's dead"
A court order to remove domain name registrations could certainly be permanent. Even if it was a theoretically legitimate action (not the case here) since you have to re-register every year anyways, it's effectively a $5 loss to lose a domain permanently.
What MS should do is to re-register the domain names and point them to a C&C server they host. Then they have a wild botnet in a cage to be researched until they can find the best way to eradicate the thing, and others like it.
Or else command it to DDOS their foes. MWAHAHAHA!
Welcome to the Panopticon. Used to be a prison, now it's your home.
Competitors? More like it kicked a parasite off its back.
What MS should do is to re-register the domain names and point them to a C&C server they host
What kind of C&C server? Red alert? Tiberium wars? I prefer a Generals C&C server myself...
Do not look at laser with remaining good eye.
The bloody botnet operators' and malware authors'? Isn't this like fighting the symptoms instead of the cause?
It's restin'.
Duh, C&C 4 came out today, he's obviously talking about that.
My spam folder's had much less in it for about a week now. I don't know how much of this was caused by bringing down this one botnet, but it must have had some effect, all of it good.
Just like its maker, if he made contracts with the wrong people.
Cwm, fjord-bank glyphs vext quiz
Oh, this must be why my spam messages went from over 300 per day, down to just around 20-30 in the past couple weeks. Here I thought Gmail improved their spam filters.
I'll never bemoan a success in the victory against cybercrime, but it would be nice if one of these announcements came against a botnet that was still relevant and sending out large amounts of spam like Rustock. When the trumpet was sounded by Microsoft about the death of the Storm botnet, it was about 18 months since it had been highly relevant.
As others have said, shutting down individual botnets doesn't have long-term effects. That lesson was learned when McColo was taken offline.
Since the only responses you have at the moment are smart-ass, I'll respond seriously.
While I'm unsure of the specifics of this particular botnet, most of the big current botnets cryptographically sign commands, and ignore any that don't validate. Which means that unless there's a flaw in whatever encryption they used, there's nothing that approach would do other than waste money on domain name registration.
... it's pining for the fjords!
There is a war going on for your mind.
Now they want to kill spam and viruses. Sheesh. I thought they were all about generating jobs, not killing them. If they keep killing botnets and viruses and stop creating widely-deployed web browsers and operating systems with no reliability and security, who's going to keep paying us to keep fixing these things all the time? Tell them to bring back win98 and the com2: irq conflicted dial-up modems. That was great, generated tech calls all day long. At least we have usb, fast-mutating, and browser-installed viruses now.
Build your own energy sources from scratch. http://otherpower.com/
That's why I said "research". When you take possession of a house after foreclosure or seizure, sometimes you have to take some time to pick the locks.
The bots will contact their C&C servers. Find a bot that you can get client-side access to. Study the malware from both ends. Reverse-engineer the crypto.
At a minimum, there's a list of bot clients you can work through to de-fang and clean up.
They could spread the "windows" virus and take over all computers in the world and make them reboot all the time! oh they already did that.
The only reason this worked is that the botnet was poorly designed. It relied on at least one of the command and control servers being available. If they all get taken down at the same time, you destroy the botnet. This is not how most other botnets work; this is a tactic that worked against this specific botnet and will not work against other botnets.
Other botnets generate new domain names fairly regularly. All the botnet controller needs to do is register one of those domains before it is generated. Good luck getting a court order to ban all the generated domains for the next few years.
FROM: MUYIWA IGE
ATTN.: sir,
I got your contact through email business directory and decided to send my proposal to you. I am MUYIWA IGE the first son of the late chief BOLA IGE,the attorney general of th e fedeal rebulic of Nigeria who was killed by hired assasin on the 23rd of december 2001 by an unidentified gun men believed to be link to our government of which it is a daily case going on in my country;s dailies now.
Two months ago he was attempted to be murdered but unfortunately God speared his life for us.It was then he had to reveal some vital informations as regards his life to me before he was finally killed in december. All accounts belonging to my father both local and abroad had been frozen and his investments seized by the government believing in thier false allegation that he made away of $2 billion dollars of (NEPA)national electricity power authority of which i know is just a ploy to eliminate him by the people in power that he is fustrating thier evil intentions through the human right pubic hearing for violation of right and cruelsome killings during the military regime to carry out thier traits to suffer the mases for thier selfish interest instead of the interest of the nation.We are now in a dileman as ou live are in danger till after the investigations.
Two weeks to the christmas holiday in 2001 being on the 4th of december,my dad spoke to me at lenght about life and it realities.He told me he deposited a trunk box containing us$25.5m with a security in EAUROPE(UK) all in the aim of retrieving it himself before he was finally killed before the christmas. According to him the content of the box was registered as government classified papers with his influence and was moved out of my country through diplomatic courrier.He wanted to safeguard the funds for foriegn investment after his retirement before he was killed.
In the light of this as the next of kin i am now contacting you a foreigner to assist ME in retrieving the boxes and depositing of the fund into your foreign account hence the need to contact you. I and my mother had agreed to give you 30% of the fund for your assistance and 10% for any expenses you might incur in the course of this transaction, we want to believe that you will not sit on the money when paid into your account. I want you to understand that there is no risk involve as we have worked out modalities for the smooth actualization of this goal. The boxes presently is in a security vault of this company in their offshore office in SPAIN.i will require the following for effecting the documents of claim and identification.:
1] Your driving license to assure us of your person
2] Your private telephone and fax numbers.
I will send the following:
3] The receipt of the ware bill used in sending the boxes
4] The deposit certificate
All these will be send through YOUR FAX NUMBER then you will proceed for claim after due schedule with them.you
I wish to state here that we are left with nothing as we survive by the grace of God. I hope you understand our predicament so as to save me and my family from hopeless future (S.O.S.)
All contacts for now should be through my personal email address for security reasons.
Waiting your urgent response.
Best regards,
MUYIWA IGE.
MY PERSONAL EMAIL
ADDRESS(muyiige@mail.com)ALTERNATIVE RESPONSE
The spammers using this botnet most likely cut it off to work on enlarging another.
Why waste time (read: money) repairing something broken when the new, harder-to-kill version does the same thing at the same time cost?
Modern-day crypto is not your grandfather's Caesar cipher. One does not simply "reverse engineer RSA", which is undoubtedly what they are using if they are smart.
Strike that: "which is undoubtedly what they are using if they possess the knowledge of your average freshman CS major". It's not exotic stuff.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
Other botnets generate new domain names fairly regularly. All the botnet controller needs to do is register one of those domains before it is generated. Good luck getting a court order to ban all the generated domains for the next few years.
No problem. Individual court orders should do the trick. After seeing 200+ ISPs going through depeering hell, hosting providers will be a lot more careful about who they let have a server. Of course, this is a less than ideal scenario for IT folk in general (especially because it puts the onus on hosting providers to monitor traffic), but it might be effective.
Dear Sir or Madaam:
My name is John Waledac. I am the designer and owner of a profitable spam company. Recently, my company has fallen upon hard times as several of our servers have broken down. We have the funds to replace these servers, but it will take several weeks to transfer the funds from our bank in Nigeria. This delay could cost our company thousands of dollars. This is where you come in. I am seeking investors to loan up to $100,000 for the purchase of new servers. When the funds from Nigeria arrive you will be reembursed with 20% interest. This whole process should be fully accomplished within 25-30 working days, further information will be given to you as soon as I receive your positive response via e-mail or telephone. If you are interest urgently reach me through the above stated email,telephone numbers to enable me give you the full details of this transaction and how it is going to work out. If you decide to invest I need you to send me
1. Your Name and Address
2. Your Telephone Number
3. The Amount You Wish to Invest
4. Your bank account number
Sincerely,
John Waledac
Tel:011234-8035647626.
NB: Kindly send further correspondence to jwaledac@fastermail.com
Again, you have access to both endpoints. For instance, you have a credible chance at cracking it if you can monitor cleartext in the process space of the client system.
Or, you know, maybe not, since teh evil h@x0rs are so 1334. Maybe we should all just surrender now and put in our recurring purchase order for herbal v1@gra or whatever.
Feh. Botnet takeover is a historical fact. It may be an arms race, but there will always be a defender response. And don't forget the classic anti-DRM mantra: in some place, at some point in the process, cleartext must exist. That's where the system is vulnerable and crackable.
Sure, my spam folder always has shit in it, but really none of it ever makes it through Google's spam filters into my inbox.
Morpheus, God of Dreams.
Oh, nice amount of talking without knowing anything here. I suggest you take a look at public-key cryptography. There is no way you're going to crack something such as RSA by "monitoring cleartext". If you do (and sure, let us know when that happens), you've just pwned every single government, bank, company, telecommunications line and the Internet in the world.
The security of any good cryptosystem must rest solely on the secrecy of the key, not the secrecy of the implementation details. This is Cryptography 101 stuff here, you can't just "capture the enemy enigma machine" and call it a day anymore. Read that link I gave you before you make yourself look even more of a fool.
The bots presumably have a copy of the public key and will only listen to commands signed by the private key. Only the original command server has the private key, given the public key you cannot determine the private key in any realistic amount of time. Not a challenging concept. This isn't defeatism, it is reality, and no amount of wishful thinking is going to change that.
This has absolutely nothing to do with DRM, but you cannot possibly understand why not unless you get some basic facts right so go do so.
Here, I'll even get you started with some more links:
http://en.wikipedia.org/wiki/History_of_cryptography#Modern_cryptography
http://en.wikipedia.org/wiki/Public-key_cryptography
The short story is, this isn't about not knowing the plaintext (we already know it if we care to know), this is about convincing the bots you are the real command server, which you cannot do without the private key, which you cannot get. Thus: absolutely no point in pretending to be the command server.
There is no excuse for spouting your mouth off without knowing what you're talking about when there are so many excellent sources of information right at your fingertips. You should be ashamed of yourself.
Tell me you took down the Zeus botnet, then I will say you accomplished something. But of course the least dangerous botnet will be easier to take down; even the script kiddies know to cycle their botnets, out with the old and in with the new. So what if the botnet you took down is old and degenerate and has almost no spam left attached to its name? You can still make a name for yourself by taking it down, right?
I don't normally respond to arrogant tards, but I'll make an exception in your case.
The plaintext you're looking for is the private key. This is a fully automatic system, so the key has to be stored someplace. If you own both endpoints, you almost certainly own the keystore. If the keystore is protected, the passphrase (or equivalent) to open it is also stored someplace in the clear (or obfuscated, which is reversible).
Got it?
Now, admittedly, if the keystore is on a third server someplace, it becomes harder, but since the private key has to be IN THE CLEAR in order to use it for signature purposes, if you can monitor process space you can find it.
Your terminology is all fucked up because you still have not bothered to research what you are talking about. Keys are keys, plaintext is plaintext, and ciphertext is ciphertext. Do not confuse them.
But you don't. A critical part of the server is the private key. Without the private key any server you may have created is worthless.
If by 'in the clear' you mean 'in some guy's head', then you might be right.
Of course it is.
You only use the public key for verifying the signature. You can know that all you want and it won't get you anywhere. The private key is used to create signatures on a machine you do not control.
Your original proposal:
Is absolutely worthless. You don't have the private key used to sign commands, so pretending to be a command server gets you shit.
If you can manage to get the private key, then that obviously means you have access to the machine used for signing commands, and the original command servers. In that case "re-register the domain names and point them to a C&C server they host" is once again absolutely pointless.
Seriously man, just go do some preliminary reading or something. It won't be an admission of defeat, I will never even know you did so. Read wikipedia and walk away from this discussion a smarter man, leaving me to think that I was unable to reach you.
By endpoint, I assume the GP poster means not the C and C servers, but the bot-herder's personal PC with the private key. The one he uses to sign the commands. That is indeed one place the system is vulnerable. The other is that there may be a security vulnerability in the bot implementation that would permit an unauthorized connection to take over the bot, perhaps via buffer overflow or something. Y'know, the "endpoints."
Yes, if he thought that the C and C servers contain the private key, he's very much mistaken.
John
I just checked spamcop stats page, we had a few quiet days but everything is back to normal, thanks for coming.
But you don't. A critical part of the server is the private key. Without the private key any server you may have created is worthless.
THUMP. THUMP.
That's my forehead on the desk. You're right, the good guys don't have access to the real C&C server. Therefore, the command signing process can't be spied. Therefore, there's no way to spoof valid signed commands.
I lost track of the "not owning the real server" issue. That's what happens when you fall in love with an idea; love is blind.
So, lacking any weaknesses in any client bot you can get hold of, the best you can probably do is to note clients as they try to contact the spoofed server and get notification out to the owner of the botted machine. For a quarter-million nodes, that's a lot of work.
UPDATE: Looks like honeynet.org thinks there is an unspecified weakness in Waledac's crypto methodology, and payloads can be decrypted. I don't know if that's enough to step into the place of the real C&C network, though.
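The two points argued above (bots only execute commands carrying a valid signature from the operator's private key, so a sinkhole that re-registers the C&C domains cannot inject commands, but it can still record which infected hosts check in) as a runnable model. This is an added example, not code from the thread or from Waledac; it uses textbook RSA with tiny constructed primes so it runs offline, and every key, bot id and address in it is constructed.

```python
"""Model of signed C&C commands versus a defender-run sinkhole.

Textbook RSA over small constructed primes, for illustration only;
a real botnet would use full-size keys and padded signatures.
"""
import hashlib


def make_key(p, q, e=65537):
    """Return (public, private) for constructed primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent
    return (n, e), (n, d)


def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(digest(msg) % n, d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(msg) % n


class Bot:
    """A bot holds only the operator's public key."""

    def __init__(self, operator_pub):
        self.pub = operator_pub
        self.executed = []

    def receive(self, msg: bytes, sig: int) -> bool:
        # Commands are executed only when the signature validates.
        if verify(self.pub, msg, sig):
            self.executed.append(msg)
            return True
        return False


class Sinkhole:
    """A server at the re-registered domain: it cannot sign, only log."""

    def __init__(self):
        self.checkins = []

    def handle_checkin(self, bot_id: str, src_ip: str) -> tuple:
        # Record the infected host so its owner or ISP can be notified.
        record = (bot_id, src_ip)
        self.checkins.append(record)
        return record


# Constructed primes: 104729/104723 for the operator, 1000003/999983 for the sinkhole.
OPERATOR_PUB, OPERATOR_PRIV = make_key(104729, 104723)
SINKHOLE_PUB, SINKHOLE_PRIV = make_key(1000003, 999983)
```

A sinkhole signing the same command with its own key pair is rejected by every bot, while its check-in log is the only thing the takeover yields.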
I know. I was just being supportive of "idontgo", because he sounded like he was claiming people would "reverse engineer" RSA, which is ridiculous. I'm sure he must have meant something else.
However, there is a potential vulnerability in what he's saying (even if he's saying it wrong.) The vulnerability is in the zombies. The zombies have to phone home to register. How does the C & C server know if it should trust a zombie? Is it susceptible to some kind of protocol exploit (a buffer overrun, a malformed URL, etc.)? While it won't ever have the private key, it might cough up a list of zombies.
John
Just because someone pinged me in this thread, I want to point out the different machines involved:
If the botnet is operated by a gang, there may be more than one copy of the master. But each master has to be carefully guarded.
Sure, you can decrypt the instructions at a specific node. You can connect to the C&C server and try to inject your own instructions. The C&C server probably won't even accept them if their signature isn't valid. And no zombie will execute those instructions without first checking their signatures.
John