
Waledac demise imminent after shutdown of domains


A federal judge this week ordered the takedown of nearly 300 domains being used to provide instructions to malware-infected computers, a move that effectively incapacitates Waledac, one of the most prolific botnets of all time.

The judge, sitting in U.S. District Court in Alexandria, Va., was responding to a lawsuit filed by Microsoft that asked the court to grant a temporary restraining order to cut off 277 domains being run by the operators of Waledac. The botnet, which began appearing at the end of 2008 as a kind of replacement for the Storm worm, is believed to have infected hundreds of thousands of PCs globally.

"This action has quickly and effectively cut off traffic to Waledac at the '.com,' or domain registry level, severing the connection between the command-and-control centers of the botnet and most of its thousands of zombie computers around the world," Tim Cranton, associate general counsel for Microsoft, said Thursday in a blog post. "Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command-and-control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet."

At its peak, the impact of Waledac was stunning. Microsoft found that between Dec. 3 and 21, more than 650 million spam messages directed to Hotmail accounts were attributable to the botnet.

And researchers at security firm ESET reported last summer that PCs infected with Waledac were capable of sending 6,548 spam emails per hour, or two emails per second. The company found that if, for example, 20,000 computers were infected with Waledac and all of them were working at full capacity, the botnet was capable of sending three billion emails per day.

André DiMino, co-founder and director of The Shadowserver Foundation, an all-volunteer web intelligence gathering group, assisted Microsoft in its investigation.

"A majority of [the botnet] is under control now," DiMino said on Thursday. "We've known in the security space for a long time that the use of domain names allows these botnets to really entrench themselves. It remains to be seen what happens next. Certainly, it's been significantly disrupted, if not disabled."

VeriSign will be responsible for cutting the cord on the fraudulent domains, and then DiMino's group of 10 will receive the traffic meant for the suspended URLs so they can study it.

"Now that we have those domains, we can start to 'sinkhole' them and enumerate all the drone [compromised] machines and integrate that into the reporting and remediation process," DiMino said.

In other words, Shadowserver can alert those businesses and ISPs whose networks may contain computers infected with Waledac, he said.
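The sinkhole enumeration DiMino describes, shown as an added example that is not part of the original article and is not Shadowserver's own tooling: it counts the unique source IPs contacting sinkholed domains and groups them by owning network so each operator can be notified. The log format, domain names, address ranges and contact labels are all constructed assumptions, and timestamps are assumed to be UTC ISO 8601 so they compare correctly as strings.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholders; the article does not list the suspended domains.
SINKHOLED = {"botnet-a.example", "botnet-b.example"}
# Constructed owner table (documentation address ranges), hypothetical contacts.
NETWORKS = {
    "192.0.2.0/24": "ISP-A abuse desk",
    "198.51.100.0/25": "Business-B security team",
    "198.51.100.0/24": "ISP-C abuse desk",
}
# Constructed sinkhole log; assumed format: "<ISO time> <source IP> <requested host>".
SAMPLE_LOG = """\
2010-03-01T10:00:01Z 192.0.2.10 botnet-a.example
2010-03-01T10:00:07Z 192.0.2.10 botnet-b.example
2010-03-01T10:01:30Z 198.51.100.20 BOTNET-A.example.
2010-03-01T10:02:00Z 198.51.100.200 botnet-a.example
2010-03-01T10:02:05Z 203.0.113.5 botnet-b.example
2010-03-01T10:03:00Z 192.0.2.99 unrelated.example
this line is malformed
"""

def enumerate_drones(lines, sinkholed=SINKHOLED):
    """Map each source IP that hit a sinkholed domain to first/last seen and hit count."""
    drones = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line
        ts, src, host = parts
        if host.lower().rstrip(".") not in sinkholed:
            continue  # not traffic meant for a suspended domain
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # unparseable source address
        rec = drones.setdefault(ip, {"first": ts, "last": ts, "hits": 0})
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
        rec["hits"] += 1
    return drones

def report_by_network(drones, networks=NETWORKS):
    """Group infected IPs under the most specific network containing them."""
    nets = sorted(map(ipaddress.ip_network, networks), key=lambda n: -n.prefixlen)
    report = defaultdict(list)
    for ip in sorted(drones, key=lambda i: (i.version, int(i))):
        owner = next((networks[str(n)] for n in nets if ip in n), "unattributed")
        report[owner].append(str(ip))
    return dict(report)
```

Calling `report_by_network(enumerate_drones(SAMPLE_LOG.splitlines()))` yields one list of infected addresses per network owner, with addresses outside every known range collected under `"unattributed"`.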
