After Microsoft’s actions to take down the Waledac botnet last month, there was some question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections. But more than three weeks after the takedown, researchers say that Waledac has essentially ceased communications and its spam operations have dropped to near zero.
One researcher said that Waledac now seems to be abandoned. “It looks crippled, if not dead,” said Jose Nazario, a senior security researcher at Arbor Networks.
An analysis of the effects of the Waledac takedown, known internally at Microsoft as Operation b49, by the company and other researchers has shown that Microsoft’s efforts, combined with those of other researchers from universities in Europe, have rendered Waledac toothless.
…early data from Microsoft and other researchers indicate that our actions have effectively decimated communications within the Waledac bot network. For example, researchers from the Shadowserver Foundation, the Technical University in Vienna, University of Mannheim, University of Bonn and University of Washington have analyzed honeypot data on Waledac and have observed an effective cessation of commands to Waledac ‘zombies.’ That’s good news because it indicates that Operation b49 effectively severed between 70,000 and 90,000 computers from this botnet, meaning that those customers are less likely to see rogue security software pop-ups, malware downloads, outgoing spam and ID and password theft associated with the Waledac botnet infection.
Waledac was not nearly the largest botnet in operation, nor was it even one of the top spam-producing botnets. It numbered somewhere under 100,000 infected PCs. However, what stands out about this particular takedown effort, as opposed to other similar operations against Mariposa and other botnets, is both the tactics the researchers used and the effectiveness of the methods.
Microsoft worked with a group of researchers at the University of Mannheim and University of Vienna and elsewhere to identify the key command and control servers, analyze its peer-to-peer communication protocol and work out a plan for putting Waledac down. The plan, which involved working with law enforcement and ISPs to take down nearly 300 .com domains involved in the botnet as well as disrupting the communications among the bots, appears to have worked as designed.
Another key indicator of the botnet’s demise is the lack of newly infected PCs.
“Researchers at Sudosecure who track new Waledac infections have data showing a dramatic decline in new IP addresses appearing within the Waledac network, meaning that Waledac is no longer spreading its infection to other computers. While there will likely always be some fluctuations as long as the underlying malware exists and we must and will continue to work with the security community to stay on top of Waledac over time, the ‘zero new infections’ number reported by Sudosecure as of February 27 is a great indicator of the success of these efforts so far,” Microsoft’s Jeff Williams wrote.