IT security: Microsoft claims "takedown" of Waledac botnet

The Waledac botnet has been the bane of the lives of millions: it lodges itself deep in the Windows operating system, often without the knowledge of the computers' operators, and uses the machines as slaves to send out millions of spam e-mails, including frauds, phishing and other dubious practices, or even to mount denial of service attacks.


Microsoft says that it identified 277 domain names as being at the heart of the spamming campaigns. But, says Microsoft, the total number of infected PCs is both very uncertain and, in the great scheme of things, small - somewhere between 30,000 and 90,000.

Microsoft made an application to a US court, ex parte, for an injunction that ordered the disconnection of the domain names.

Microsoft identified the domains by monitoring spam attacks on accounts within its Hotmail.Com service. In this regard, Microsoft is, in effect, an ISP. All ISPs have massive problems in handling extraordinary amounts of spam: it eats bandwidth, which means a cost for the ISP both as it receives the mail and as users download it - e-mail accounts are, generally, unmetered - so ISPs not users bear the cost of spam.

To combat this, ISPs install anti-spam measures - but they cannot set filters too aggressively because spam filters are not foolproof: non-spam may be caught by them. Those who send important e-mails use a "return receipt", which increases the volume of mail and therefore costs additional bandwidth. And software filters are not labour-free, leading to additional cost. Of course, there is also a cost associated with processing.

What Microsoft could have done was block all 277 domains from sending mail to users of its Hotmail service - but that means that Microsoft bears the inbound bandwidth cost and the cost of filtering.

ISPs who provide services to users whose PCs are infected also suffer bandwidth cost and, unless they monitor mail closely (many do not) they have no idea that their networks are being abused - or that certain machines are adding disproportionately to their costs.

But by killing the domains, Microsoft has removed the problem at source.

And the reason it chose this course of action becomes obvious: in just 18 days in December 2009, more than 651 million e-mails "including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more" were sent to hotmail.com addresses by the Waledac network. The number attacking other victims is unknown.

Botnets are distributed in three ways: "drive-by download" via websites that auto-download malicious code to users' machines in the background; users opening (or allowing their browsers to open) self-running code or attachments in e-mails; and downloading and running infected files. According to f-secure.com, this particular malware is spread in an attachment "that is always "ecard.exe"". The subject line was any one of several dozen options, but mostly suggesting that there was a Christmas e-card waiting for you if you clicked on the attachment.

The past few weeks have seen a dramatic upsurge in the number of spam e-mails with attachments, and the popularity of "rich text" or HTML e-mail brings the risk that browsers auto-run malicious code.

Microsoft says that its initial investigation showed that many of the infected domains were unused: by that it appears to mean that there was no active website associated with them, but it might also mean that it monitored them for possible legitimate e-mail to Hotmail users and found them wanting.

But the Wall Street Journal spoke to the only US-based owner of a domain in the order and found that it was a semi-dormant domain. He wants his domain reactivated.

The danger is, of course, that domains run by businesses may be closed without warning - or without post-closure notification, because e-mail to the domain doesn't work either. For owners of multiple domains, this could mean that a site is down but not noticed for some time if it is a site containing static information and is not used for e-mail by its owner. Many businesses register multiple domain names to prevent squatters picking up similar spellings.

Microsoft says, quite reasonably, that it could not give notice of the action because the perpetrators could easily set up an alternative network and re-issue code via its backdoor into the computers.

There is another, technical, option: Microsoft could issue search-and-destroy code, plus fixes for the exploited vulnerabilities, in its periodic updates. But if it did so without expressly informing users what it was doing, it would be accused of installing and running code without authority - and that would be an offence in many countries under laws to prevent unauthorised access to computers.

In its blog, Microsoft says "At Microsoft, we don’t accept the idea that botnets are a fact of life."

Microsoft issued a series of "John Doe" cases, a device for suing persons unknown.

By far the largest number of affected domains were registered with Verisign, either directly or via sub-registrars; Verisign is named as a third party.

Other third parties include a number of registrars in China.

It is not alleged that the registrars committed any part of the crime but they were named as third parties so that the Order could be given effect against them.

The Order has effect because:

a) all .com names are, ultimately, registered by Verisign
b) the activity has national effect and therefore can be heard in Federal Court
c) that gives the Order, obtained in Virginia, national effect
d) the Order therefore covers Verisign
e) Verisign, as registry, can block any .com domain.

A significant number of registrants are shown as resident in China. Interestingly, many of the registrations, which (so far as a quick review shows) are all in different names, share two common factors: the registrant's e-mail is given as an address at a free, anonymous service - just like Hotmail; and most contain an identical grammatical error. There are, however, a substantial number, registered through a single registrar, that are identical - and contain sparse and suspicious registrant information.
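The registrant traits described above (free webmail contact addresses, identical registrant blocks via one registrar, sparse details, a shared wording quirk) are the kind of thing an analyst would check across a domain list before asking for a takedown. The following is an added example, not from the article or from Microsoft; the WHOIS-style records, the free-webmail list and the review threshold are all constructed assumptions, and the shared-address-template check only approximates the article's "identical grammatical error" trait.

```python
import re
from collections import defaultdict

# Assumed list of free webmail providers; one such address is not suspicious
# on its own, it is only one of the shared traits the article describes.
FREE_WEBMAIL = {"hotmail.com", "gmail.com", "yahoo.com", "live.com"}
REQUIRED = ("name", "email", "street", "city")

# Constructed WHOIS-style sample records (illustrative, not real registrations).
SAMPLE_RECORDS = [
    {"domain": "alpha-ecard.com", "registrar": "Registrar-A", "name": "Li Wei",
     "email": "liwei88@hotmail.com", "street": "No.5 Road Nanjing", "city": "Shanghai"},
    {"domain": "beta-ecard.com", "registrar": "Registrar-A", "name": "Chen Yu",
     "email": "chenyu@gmail.com", "street": "No.9 Road Nanjing", "city": "Beijing"},
    {"domain": "gamma-ecard.com", "registrar": "Registrar-B", "name": "a",
     "email": "a@hotmail.com", "street": "", "city": ""},
    {"domain": "delta-ecard.com", "registrar": "Registrar-B", "name": "a",
     "email": "a@hotmail.com", "street": "", "city": ""},
    {"domain": "legit-shop.com", "registrar": "Registrar-C", "name": "Acme Ltd",
     "email": "hostmaster@acme-example.com", "street": "1 High Street", "city": "London"},
]

def registrant_key(rec):
    """Normalised registrant block, used to detect identical records."""
    return tuple(rec[f].strip().lower() for f in REQUIRED)

def address_template(rec):
    """Street with digits masked, so records differing only by number match."""
    return re.sub(r"\d+", "#", rec["street"].strip().lower())

def flag_records(records):
    """Return {domain: sorted list of trait flags} over a set of records."""
    dupes = defaultdict(list)      # (registrar, registrant block) -> domains
    templates = defaultdict(set)   # street template -> distinct registrants
    for r in records:
        dupes[(r["registrar"], registrant_key(r))].append(r["domain"])
        if address_template(r):
            templates[address_template(r)].add(registrant_key(r))
    flags = {}
    for r in records:
        f = []
        if r["email"].rsplit("@", 1)[-1].lower() in FREE_WEBMAIL:
            f.append("free-webmail-contact")
        if any(len(r[k].strip()) < 3 for k in REQUIRED):
            f.append("sparse-registrant")
        group = dupes[(r["registrar"], registrant_key(r))]
        if len(group) > 1:
            f.append("identical-registrant-x%d" % len(group))
        if len(templates[address_template(r)]) > 1:
            f.append("shared-address-template")
        flags[r["domain"]] = sorted(f)
    return flags

def prioritise(flags, min_flags=2):
    """Domains carrying at least min_flags traits, for an analyst to review first."""
    return sorted(d for d, f in flags.items() if len(f) >= min_flags)
```

The output is a review queue, not a verdict: a single trait is common among legitimate small registrants, so only domains accumulating several traits are surfaced.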

Microsoft's writ is here (pdf).

The order is temporary, but will be converted to a permanent ban on 8 March if owners are not able to successfully challenge the action.

Microsoft's Blog says "This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centres of the botnet and most of its thousands of zombie computers around the world. Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet."

f-secure.com says "If the user executes the worm by double-clicking on the attachment, the worm is installed on the system, saving a copy of itself to the Windows system registry. The worm then amends the registry so that the copy saved on the directory is run during every system startup... Once installed on the system, the worm searches through all files (except a short list) on local and removable drives for e-mail addresses.. The worm then spams copies of itself to the harvested e-mail addresses....Once information has been gathered, it is encrypted and forwarded (using the extension HTM, PNG or PHP) to a remote server." f-secure.com gives a list of IP addresses that f-secure.com says have been hard-coded to Waledac.A, the botnet.
