Waledac is a botnet that was deployed worldwide for illegal operations. One of the 10 largest botnets in the US and a major distributor of spam globally, it is estimated by surveys to have infected hundreds of thousands of computers around the world. Waledac is capable of generating about 1.5 billion spam email messages a day and is well known for its online pharmacy, phony products, jobs and penny stock spam scams. Waledac is considered to be the second version of the famous Storm botnet. According to Symantec, the worm may arrive on the computer as an attachment to spam email or via a link to a malicious website. According to Trend Micro, Waledac built its communication tactic on an HTTP-based P2P communication network codenamed HTTP2P and uses a complex variation of known technologies, including RSA and AES encryption using OpenSSL, an eXtensible Markup Language (XML)-based message structure, bzip2 compression and Base64 encoding. The botnet is deployed in a multitier architecture with the command and control (C&C) center as the central node. The C&C is connected to what are called repeater nodes, a tier of the Waledac botnet typically composed of infected computers with public IP addresses reachable on TCP port 80.
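To make the layered message format described above concrete, here is an added Python example. It is not Waledac's code and not from any vendor report: it builds a constructed XML message, wraps it in the order the paragraph lists (XML, then bzip2, then Base64), and shows how an analyst peels those layers back by recognising each one from its leading bytes. The RSA/AES layer the page mentions is left out because the standard library has no AES, the element names are invented, and the decompression size cap goes beyond the page as the check a practitioner would want against compression bombs.

```python
import base64
import bz2
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample message; the element names are invented for this
# illustration and are not Waledac's real message schema.
SAMPLE_XML = "<message><type>status</type><node>bot-0001</node></message>"

# Cap on decompressed size: a tiny bzip2 stream can expand enormously.
MAX_DECOMPRESSED = 1 << 20  # 1 MiB


def wrap(xml_text: str) -> bytes:
    """Apply the stack described on the page (minus encryption):
    XML text -> bzip2 -> Base64."""
    return base64.b64encode(bz2.compress(xml_text.encode("utf-8")))


def identify_layer(data: bytes) -> str:
    """Recognise the outermost layer from its leading bytes."""
    if data.startswith(b"BZh"):          # bzip2 stream header
        return "bzip2"
    if data.lstrip().startswith(b"<"):   # looks like markup
        return "xml"
    try:
        base64.b64decode(data, validate=True)
        return "base64"
    except ValueError:                   # binascii.Error subclasses ValueError
        return "unknown"


def safe_bunzip(data: bytes) -> bytes:
    """Decompress with a hard output cap; refuse bombs and truncated streams."""
    dec = bz2.BZ2Decompressor()
    out = dec.decompress(data, max_length=MAX_DECOMPRESSED)
    if not dec.eof:
        raise ValueError("decompressed output exceeds cap or stream is truncated")
    return out


def unwrap(blob: bytes, max_layers: int = 5) -> Tuple[List[str], ET.Element]:
    """Peel layers until XML is reached; return the layer order and the parsed root.
    max_layers bounds the loop so a malformed blob cannot spin forever."""
    layers: List[str] = []
    data = blob
    for _ in range(max_layers):
        kind = identify_layer(data)
        layers.append(kind)
        if kind == "base64":
            data = base64.b64decode(data, validate=True)
        elif kind == "bzip2":
            data = safe_bunzip(data)
        elif kind == "xml":
            # For real captures prefer defusedxml; ET is fine for this sample.
            return layers, ET.fromstring(data)
        else:
            raise ValueError(f"unrecognised layer after {layers[:-1]}")
    raise ValueError("layer limit exceeded")


if __name__ == "__main__":
    order, root = unwrap(wrap(SAMPLE_XML))
    print("layers:", " -> ".join(order))
    print("type:", root.findtext("type"), "node:", root.findtext("node"))
```

The order of checks in identify_layer matters: the bzip2 magic is tested before the Base64 alphabet test, because raw compressed bytes would otherwise be mistaken for text, and the loop counter plus the size cap are what keep a hostile capture from exhausting the analyst's machine.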
As discussed in the earlier articles, botnets are the modern tools preferred by cyber criminals to carry out a variety of cyber attacks, built on the distributed power of lakhs of malware-infected recruited computers spread around the world to generate spam and carry out denial-of-service attacks on selected websites, as well as malware deployment and management, click fraud and other criminal activities. Waledac was believed to have the capacity to generate about 1.5 billion spam emails per day. Waledac infection data is presented at sudosecure.net. The enclosed image, courtesy of blogs.technet.com and microsoft.com, very clearly indicates the levels of infection present in India.
(image courtesy: http://blogs.technet.com)
Microsoft's takedown of the Waledac botnet, internally known as "Operation b49", was the culmination of months of cyber investigation. The operation was considered a high-profile joint effort between Microsoft's Digital Crimes Unit (DCU), the Microsoft Malware Protection Center and Trustworthy Computing, known as Project MARS (Microsoft Active Response for Security), which was initiated to bring down botnet deployments, as described in Microsoft's blog. Microsoft requested a temporary restraining order (TRO) to shut down the malicious domains at the registry level. A TRO is a special remedy that allows a party to temporarily stop a perpetrator's harmful conduct without notice and without giving them an opportunity to be heard, under Rule 65 currently in force. Rule 65 allows a party to proceed without notice if it can show (1) that it will suffer immediate and irreparable harm if the relief is not granted, and (2) that the party has attempted to provide the other side with notice. Refer to Microsoft. More information on the notice of pleadings is presented here.
Cybersleuths and attorneys at Microsoft's Digital Crimes Unit decapitated the Waledac botnet in February by persuading District Court Judge Leonie Brinkema to issue a temporary restraining order to take the 276 domains offline, says USA Today. This was the first time in history that a court had granted an ex parte TRO forcing a domain registrar to take 277 top-level domains used as C&C entry points for the Waledac bots out of service. Removing these domains, combined with the poisoning of peer lists in the repeater layer of the Waledac botnet, allowed all infected bots to be sinkholed. This was an initiative to undo the privacy intrusions and other damage caused by the botnet. The takedown is one of the toughest, with a range of operations including countermeasures against the peer-to-peer communication strategy, domain-level closures to disrupt communications between zombie PCs and the Waledac command and control servers, and conventional physical server takeovers.
Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers. However, FireEye claims that this part of the botnet works with a Zeus variant that is well known for rapidly changing command and control (C&C) servers, and that Microsoft's operation has not closed down all the C&C centers.
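The combination of domain takedown and peer-list poisoning described above is easier to reason about with a small model. The following added Python example is not Microsoft's tooling or Waledac's code. It models bots that try their repeater peers in order and, as a simplifying assumption of the model, fall back to hard-coded domains when no peer answers; peer-list poisoning is assumed to reach only bots that can still talk to a live repeater. All host names are placeholders. Running the four combinations shows why either measure alone leaves a route back to the real C&C, and why both together cut every bot off.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder names: neither is a real host from the page.
REAL_CC = "real-cc.placeholder"
SINKHOLE = "sinkhole.placeholder"


@dataclass
class Repeater:
    """A member of the repeater tier: an infected host with a public IP
    that hands bots the address of the controller it knows."""
    name: str
    alive: bool = True
    upstream: str = REAL_CC


@dataclass
class Bot:
    peers: List[str]              # repeater names, tried in order
    fallback_domains: List[str]   # hard-coded domains tried when no peer answers (model assumption)


class Botnet:
    def __init__(self, repeaters: List[Repeater], domains: List[str], bots: List[Bot]):
        self.repeaters: Dict[str, Repeater] = {r.name: r for r in repeaters}
        self.dns: Dict[str, str] = {d: REAL_CC for d in domains}
        self.bots = bots

    def resolve(self, bot: Bot) -> Optional[str]:
        """Where this bot ends up when it looks for its controller."""
        for name in bot.peers:
            rep = self.repeaters.get(name)
            if rep is not None and rep.alive:
                return rep.upstream
        for domain in bot.fallback_domains:
            if domain in self.dns:
                return self.dns[domain]
        return None  # nothing reachable: bot is cut off

    def tally(self) -> Dict[str, int]:
        """Count bots by destination: real C&C, sinkhole, or dark."""
        counts = {"cc": 0, "sinkhole": 0, "dark": 0}
        for bot in self.bots:
            dest = self.resolve(bot)
            key = "cc" if dest == REAL_CC else "sinkhole" if dest == SINKHOLE else "dark"
            counts[key] += 1
        return counts


def takedown_domains(net: Botnet) -> None:
    """The TRO at the registry: the C&C entry-point domains stop resolving."""
    net.dns.clear()


def poison_peer_lists(net: Botnet) -> None:
    """Push a sinkhole-controlled repeater to the top of each peer list.
    Only bots that still reach a live repeater receive the update (model assumption)."""
    net.repeaters["sink"] = Repeater("sink", alive=True, upstream=SINKHOLE)
    for bot in net.bots:
        reachable = any(
            p in net.repeaters and net.repeaters[p].alive for p in bot.peers
        )
        if reachable and "sink" not in bot.peers:
            bot.peers.insert(0, "sink")


def build_sample() -> Botnet:
    """Constructed population: two live repeaters, one dead, four bots."""
    repeaters = [Repeater("r1"), Repeater("r2"), Repeater("r3", alive=False)]
    domains = ["cc-domain-1.placeholder", "cc-domain-2.placeholder"]
    bots = [
        Bot(["r1", "r2"], domains[:]),
        Bot(["r2"], domains[:]),
        Bot(["r3"], domains[:]),   # its only peer is gone: depends on domain fallback
        Bot([], domains[:]),       # stale, empty peer list
    ]
    return Botnet(repeaters, domains, bots)


def scenario(domains_down: bool, peers_poisoned: bool) -> Dict[str, int]:
    """Apply the chosen countermeasures to a fresh population and tally the result."""
    net = build_sample()
    if domains_down:
        takedown_domains(net)
    if peers_poisoned:
        poison_peer_lists(net)
    return net.tally()


if __name__ == "__main__":
    for domains_down in (False, True):
        for peers_poisoned in (False, True):
            print(f"domains_down={domains_down!s:5} peers_poisoned={peers_poisoned!s:5} ->",
                  scenario(domains_down, peers_poisoned))
```

In the model, domain takedown alone leaves bots with a live repeater talking to the real C&C, and poisoning alone leaves bots with dead peers reaching the C&C through the domains; only the combination drives the "cc" count to zero, which is the outcome the page attributes to Operation b49.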
Waledac is back. It sniffs user credentials for FTP, POP3 and SMTP accounts as well as stealing configuration files for FTP, says Wade Williamson, a senior security analyst at Palo Alto Networks. He also added that the infected computers still have the capability to send out spam, with additional capabilities such as stealing passwords and authentication information from compromised systems.
--
Dr.B.M