Taking Down a Botnet

Waledec was a unique target because it contained both a command-and-control structure, as well as a peer-to-peer communication capability

In December 2009, Microsoft claimed that more than 651 million spam emails were sent to Hotmail accounts from a single culprit: the Waledec botnet. The company had already targeted the botnet for legal action in an effort to break down communications between the army of machines controlled by the network’s herder. By February 2010, Microsoft had successfully obtained a temporary restraining order that severed communication between Waledec-infected machines, but this legal maneuvering is really just part of the tale.

Microsoft, as the story goes, was looking for a new method of confronting online crime. “Bots have really become the criminal infrastructure on the internet”, asserted Richard Boscovich, senior attorney with Microsoft’s Digital Crimes Unit (DCU). “It’s become the delivery mechanism for all types of fraud”, he adds, including identity theft, spam delivery, the fencing of counterfeit goods, and the list goes on.

Not only are botnets being used for nefarious activities, said Boscovich, but they are increasingly being leased out to other criminal syndicates that engage in more spam distribution, scareware schemes, and marketing of other questionable products.

He was quick to point out that, contrary to popular belief, botnets like Waledec do not target operating system vulnerabilities – such as his company’s Windows product – to spread malware infection. Waledec, he said, “was spread through social engineering, primarily through spam”. It was the end users in this case that propagated the infection.

Operation b49

Operation b49, as Microsoft labeled it, was a 10-month effort that placed the Waledec botnet directly in the crosshairs of the company’s industry-wide consortium to combat online fraud. Boscovich acknowledged that Waledec, being neither too big nor too small, was chosen due to its Goldilocks-like manageability.

It was also selected by Microsoft as a target for legal action because the company’s academic partners – among them the Shadowserver Foundation, the Vienna University of Technology, University of Mannheim, University of Bonn, and the University of Washington – had accumulated a significant body of knowledge on Waledec’s structure and operation.

International infrastructure, however, is the main obstacle in combating botnets from the legal perspective. Because they operate across many countries, litigious efforts to take down botnets are, at the very least, extremely complicated.

As Boscovich outlined, the Waledec botnet had a particularly unique structure that made it an interesting legal test case for the company to engage in. “As most bots [do], it has a control-and-command structure, where the bot herder goes ahead and issues commands to the army of infected machines. It also had a backup communication system incorporated into the technology, which is literally more like peer-to-peer.” This backup system, Boscovich said, allowed infected machines to communicate with other computers in the network and receive updates if the herder’s domain was taken offline.

This interesting dichotomy provided Microsoft with an opportunity. The peer-to-peer communication would be addressed by technical personnel at Microsoft in conjunction with its industry and academic partners as a technical countermeasure, while the DCU would go after the domain communication aspect between the network and its command structure.

Laying Down the Law

The operation examined how the Internet Corporation for Assigned Names and Numbers (ICANN) reporting system worked and reasons why it was ineffective for combating botnets. The problem is that if you identify a domain that is conducting illegal activity, it must first be reported to the domain registrar, which then notifies the domain registrant. The ICANN rules for notification and dispute resolution can take weeks, and by the time a domain is determined to be conducting questionable activities and shut down, the bot command structure has sent out new orders to the network, meaning it now communicates with a different registered domain.

“Now you have lost control of the bot”, Boscovich said, adding that now the process must begin all over again. The ICANN reporting system, therefore, presents an endless tail-chasing circle, with unsatisfactory results.

He said that Microsoft needed to find a legal means outside the ICANN dispute resolution process to combat botnets. The answer came in the common law practice of Ex parte temporary restraining orders (Ex parte being Latin for “without notice”). Microsoft and its partners had collected more than 270 .com registry domains it believed to be running Waledec and approached a judge for a temporary restraining order against the domains.

“The company that controls [the .com] registry is VeriSign, which is located in Virginia, hence there is a jurisdictional advantage to doing that”, Boscovich noted. Because the hearing was done Ex parte, Microsoft was able to successfully obtain the restraining order from the judge in Virginia, cutting off communications to the domains without the knowledge of those who registered them.

At the same time, industry and academic research partners who had been studying Waledec “began the process of poisoning the peer table”, said Boscovich. The researchers gave commands to the bots to communicate with a “neutral sink hole” rather than with their peers for further instructions. Finally, the bots lost communication with the bot herder.

This was not the end of Waledec, Boscovich remembered. “We were advised that there were about 20 other additional domains that were registered in China. If those [.com] domains had been allowed to continue, we would have lost control [of Waledec].” Microsoft then contacted China CERT (CNCERT), provided the organization with the original court order details, and it promptly pulled the domains in time to bring down the botnet.

The operation proved successful in wresting away control of the botnet from the botherders, said Boscovich. “According to our industry and academic partners, thus far we feel confident that Waledec, in terms of it being controlled by the botherder, is not under its control any more. We think that this novel approach is an approach we can replicate.”

Case Still Open

So, why did Microsoft lead this effort? Boscovich says because it’s good for his company’s clients, good for business, and is just the right thing to do from an online ecology perspective. “We want to help make sure that the online business world is a secure one. It’s a symbiotic relationship. What’s good for business is also what’s good for society in many ways.”

Microsoft was able to temporarily disable Waledec via operation b49, effectively severing infected machines from communicating with its creators. What the maneuver did not do, however, was eradicate the problem entirely. An army of machines infected with the Waledec malware still exists.

In March, Jeff Williams of Microsoft’s Malware Protection Center said that researchers who track Waledec indicated a significant decline in the number of new IP addresses within the Waledec network, prompting him to declare that the botnet is no longer spreading its malware infection to other computers. “While there will likely always be some fluctuations as long as the malware exists”, Williams said, “we must and will continue to work with the security community to stay on top of Waledec over time”.

Is this the end of Waledec? If history is a guide, then likely not. Waledec itself is an offshoot of the old Storm botnet, with links to the team behind the Conficker worm according to many sources in the security field.

Regardless of the long-term effectiveness of this action, Boscovich foreshadowed further developments with respect to Waledec. He would not go into specifics on the matter, only to say that the case has not been closed on the operation and that an announcement is forthcoming.

Boscovich lamented that, as his team of investigators has conveyed, the nature of botnets is evolutionary, and while Microsoft has learned lessons from this takedown that it will carry forward, the criminals they are combating are highly adaptive. He sums up the whole process rather simply: “It’s always basically a cat-and-mouse game with the guys who develop bots.”
