A botnet is built and run by an individual attacker or a group of attackers, and is used to carry out a range of attacks including denial of service, spamming, click fraud, and the distribution of other malware. In Operation b49, Microsoft, with supporting experts from Shadowserver, the University of Washington, Symantec and others, was able to shut down the Waledac botnet this week.
The Waledac World
Waledac was one of the largest botnets operating in the US. Estimates put its capacity at over 1.5 billion spam messages per day. On Hotmail alone, Microsoft was able to verify that between December 3 and December 21, 2009, Waledac was responsible for 650 million spam messages carrying the usual suspects: offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.
The US was the richest destination for its spam, followed by Europe.
How Botnets Work
A botnet is a network of compromised computers used to deliver spam and other malicious software to users on the Internet. The computers disseminating the payload have been compromised, occasionally with the owner's knowledge and cooperation, but far more often without it, so the owner may not even be aware that the machine is being used to relay traffic to other computers on the Internet.
Typically there are several steps that make a botnet work.
- The payload application is the bot itself, the malicious software that will run on each compromised machine.
- The operator of the bot distributes it across the Internet, as a virus or worm, infecting ordinary users' computers.
- Once a PC is infected, the bot logs into a command and control (C&C) server, which is often an IRC server and in some cases a web server.
- A spammer who wants to advertise a product purchases access to the botnet from the operator.
- Finally, the spammer uses the C&C server to send instructions to the PCs on the bot network, causing them to send spam to mail servers and other destinations.
How Microsoft Got Involved
After months of investigation, Microsoft filed for an injunction on February 22, 2010 to have the Waledac botnet prevented from operating. The case, Microsoft Corporation v. John Does, was a civil action in the U.S. District Court for the Eastern District of Virginia. Following a hearing, a federal judge granted a temporary restraining order that cut off 277 Internet domains believed to be used by Waledac.
After Effects
This effort cut off traffic to Waledac at the source, the ".com" domain registry level. This is the most crucial step, because it severs the connection between the botnet's command and control servers and its thousands of zombie computers around the world. Additional technical countermeasures were also taken to degrade much of the remaining communication at the botnet's peer-to-peer command and control layer.
Effects on Windows 7 Users
Microsoft is concerned that shutting down the botnet has not removed the malware from users' computers; that malware remains in place. Microsoft has posted a safety guide to help users make sure they are not infected by this or other botnets; its advice comes from the "Protect your PC" document available at http://www.microsoft.com/protect.
Specifically, to remove Waledac from your computer, use Microsoft's Malicious Software Removal Tool. The tool runs on Windows 7, Windows Vista, Windows XP, Windows 2000, and Windows Server 2003. It checks for infections by specific, prevalent malicious software, including Blaster, Sasser, Mydoom, and Waledac, and removes any infection it finds.
Source: Cracking Down on Botnets