Waledac Botnet Now Completely Offline, Experts Say

← Back to Stories (view on slashdot.org)

Waledac Botnet Now Completely Offline, Experts Say

Posted by kdawson on Tuesday March 16, 2010 @07:18AM from the it's-dead-jim dept.

Trailrunner7 writes "After Microsoft's actions to take down the Waledac botnet last month, there was some question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections. But more than three weeks after the takedown, researchers say that Waledac has essentially ceased communications and its spam operations have dropped to near zero. One researcher said that Waledac now seems to be abandoned. 'It looks crippled, if not dead,' said Jose Nazario, a senior security researcher at Arbor Networks."

13 of 91 comments (clear)

Min score:

Reason:

Sort:

When the stars are once again right... by fuzzyfuzzyfungus · 2010-03-16 07:20 · Score: 5, Funny

That is not dead which can eternal lie.

And with strange aeons even death may die.
1. Re:When the stars are once again right... by GuJiaXian · 2010-03-16 07:29 · Score: 5, Funny
  
  If spam was about Cthulhu, I probably wouldn't mind it so much. If spam *is* Cthulhu, well, I'm avoiding the Hormel section at the grocery store from now on.
2. Re:When the stars are once again right... by fuzzyfuzzyfungus · 2010-03-16 07:31 · Score: 4, Funny
  
  "They were not composed altogether of flesh and blood. They had shape...but that shape was not made of matter."
  
  Might want to stay away from the spam...
3. Re:When the stars are once again right... by lastchance_000 · 2010-03-16 07:54 · Score: 4, Funny
  
  In Soviet R'lyeh, spam eats you!
Still however useless by 0racle · 2010-03-16 07:23 · Score: 4, Insightful

question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections
I think everyone knew the answer was, no it will not have an effect on spam levels or malware infections. Oh it succeeded in taking the botnet offline, MS did something real here, but taking just one offline doesn't mean much.

--
"I use a Mac because I'm just better than you are."
1. Re:Still however useless by Volante3192 · 2010-03-16 07:38 · Score: 3, Interesting
  
  Useless in what way? Sure, on a global scale spam is still rampant, but they did show the tactic used has promise and worth pursuing.
  True, we can't say for certain whether the tactic actually cut the head from the body or if operations were just moved to a new botnet and the original Waledac CENTCOM let MS think they had their victory but it's something, which is a little bit more than we had prior.
2. Re:Still however useless by plover · 2010-03-16 07:41 · Score: 4, Insightful
  
  This was a lot larger than taking down a rogue host. This is 1,500,000,000 fewer spams per day on the net.
  Cut out two billion spams here and there and pretty soon you're talking about real effectiveness.
  Sure, they could probably do more, but every journey begins with a single step. Shut down the easy ones first. Pick the low-hanging fruit. Then go back and take down another, and another. At this point it could be all they could get done in a short amount of time, and in any case it's still a good start.
  
  --
  John
3. Re:Still however useless by Alwin+Henseler · 2010-03-16 07:42 · Score: 5, Insightful
  
  As long as the source of the spam/malware problem isn't held accountable, nothing much will change.
  The ultimate source (not cause!) of this problem is of course users that get spam, and then go on to send money to the folks that spammed them. But next in line are those companies that use spam, spread through malware-infected PC's, to sell their products (or sell worthless/dangerous crap, for that matter). Such shady companies should be put out of business, their CEO's thrown in jail ASAP (through whatever -legal- means), and profits confiscated to support the anti-spam operation.
  Focussing on botnets is a good thing, but IMHO useless. Focussing on the folks running them is better, but the next botnet-operator-wannabee will step right in. Instead, efforts should focus on the businesses paying these fuckers.
4. Re:Still however useless by IamTheRealMike · 2010-03-16 08:00 · Score: 5, Interesting
  
  There aren't that many botnets out there. I think most reputable observers peg it at around 6 or 7 big ones, from a spam perspective anyway. So taking one down is actually pretty awesome. Remember when McColo disappeared and spam levels dropped massively overnight? It wasn't that McColo itself pumped out spam, it was that the botnet C&C servers lived there.
  As somebody who actually has to deal with the impacts of large botnets as part of my job at Google, I'd like to congratulate and thank the guys at Microsoft for this victory. Whether it has a noticeable impact on spam or not, it sends a powerful message to people thinking of making their own botnet - it can all end suddenly.
  Building and maintaining a botnet is already pretty hard work .... between AV firms, Microsofts MSRT, users noticing problems and wiping the OS, removals by rival botnets and generally improving PC security botnet building has gone from something every man and his dog was doing to something very few can do well. Hardly any botnets become big. Most abuse I deal with comes in via bots that are apparently being shared or rented out to different (sometimes competing) spammers. That's an encouraging sign.
5. Re:Still however useless by Moryath · 2010-03-16 08:02 · Score: 3, Insightful
  
  Sadly true. Waledac might have been a "mature and no longer really expanding" botnet. Botnets do have a certain shelf-life before they start to die through attrition; either the maker comes up with a new propagation method (virus/etc), or it hits a point and stops really expanding, followed by the slow inevitable decline as machines die, or get reformatted, or get overwritten by a newer botnet. There have been botnets that targeted other botnets for invasion/absorption quite a few times.
  If this can help catch and destroy botnets earlier on, it might be more effective.
  The better goal should, of course, be to make systems (and users) more spam-proof. User education would be a good start, as would home ISP's putting everyone's computers behind a proper NAT rather than using cable modems that expose the user to the naked wild. I've seen more home users who "just put up with" what would seem to be obvious virus/problem behavior merely because they were terrified of having to back up their data or reformat...
Re:MS is more clever? by sopssa · 2010-03-16 07:57 · Score: 3, Funny

Duh, C&C 4 came out today, he's obviously talking about that.
Poor Design by phantomcircuit · 2010-03-16 08:46 · Score: 3, Informative

The only reason this worked is that the botnet was poorly designed. It relied on at least one of the command and control servers being available. If they all get taken down at the same time you destroy the botnet. This is not how most other botnets work, this is not a tactic that worked against this specific botnet and will not work against other botnets.
Other botnets generate new domain names fairly regularly. All the botnet controller needs to do is register one of those domains before it is generated. Good luck getting a court order to ban all the generated domains for the next few years.
Chilling effect by Culture20 · 2010-03-16 09:24 · Score: 3, Interesting

Other botnets generate new domain names fairly regularly. All the botnet controller needs to do is register one of those domains before it is generated. Good luck getting a court order to ban all the generated domains for the next few years.
No problem. Individual court orders should do the trick. After seeing 200+ ISPs going through depeering hell, Hosting providers will be a lot more careful who they let have a server. Of course, this is a less than ideal scenario for IT folk in general (especially because it puts the onus on hosting providers to monitor traffic), but it might be effective.