Microsoft to target other botnets with legal weapon
Last week, Microsoft claimed it had grabbed control of more than 60,000 bots in the Waledac collection after the court order shuttered the 277 targeted domains. Several security researchers, however, questioned whether the tactic would cripple Waledac, or even disrupt its activities, since hackers have multiple mechanisms for passing commands to machines infected with Waledac.
As a fall-back, Waledac bots can communicate to their controllers "indefinitely" using IP (Internet Protocol) addresses that are hard-coded into the bot Trojan, SecureWorks' Stewart said last week.
Campana acknowledged those alternate command-and-control links within Waledac, and said Microsoft is attacking those as well. He declined to provide details of what Microsoft was doing, or when -- or even if -- the Waledac bots would be unreachable by their makers. "In addition to the legal action against the domains, we have taken other technical measures," said Campana. "At this point, we're still working that angle and actively adapting our measures."
Several message security and spam filtering companies and organizations, including Google's Postini and the U.K.-based SpamHaus, also disputed Microsoft's claim last week that Waledac was a "major distributor of spam" and that crippling it would reduce spam.
Symantec's MessageLabs also weighed in on the impact issue, and like other vendors, downplayed Waledac's significance. "There's been no real noticeable effect of the takedown," Matt Sergeant, a senior anti-spam technologist with MessageLabs, said in an e-mail. "It's one of the smallest botnets out there, and the court order appears to have had very little effect on its output."
Microsoft countered, saying it's too early to gauge its anti-Waledac moves. "We're still looking at the impact this has had," said Campana, referring specifically to the monitoring Microsoft's doing of the volume of spam addressed to Windows Live Hotmail accounts. "It's somewhat premature to say 'yay or nay' yet." The next one or two weeks will tell the tale, Campana agreed.
But Boscovich would not promise that Microsoft would make Hotmail spam data public. "We'll look at that [decision] fairly soon," he said.
It isn't the first time that Microsoft has said it has crippled a botnet built by this group of hackers. In April 2008, the company took credit for crushing the Storm botnet -- Waledac's predecessor -- saying that the malware search-and-destroy tool it distributes to Windows users every month disinfected so many bots that the hackers threw in the towel.
As with the Waledac take-down, researchers at the time disputed Microsoft's claim that it had beaten Storm into submission.
Campana urged Windows users to run the Microsoft-made Malicious Software Removal Tool (MSRT) to scrub Waledac from infected systems, and up-to-date anti-virus software to keep it off still-clean machines. "This is definitely a preventable issue," he said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts