Microsoft, restraining orders, and how a big botnet (Waledac) ate curb.

Published: 2010-02-25. Last Updated: 2010-02-26 16:04:39 UTC
by Andre Ludwig (Version: 3)
5 comment(s)


*Disclaimer: The title may not end up being 100% accurate, as parts of Waledac may resurface at some point in time.*

*EDIT: Due to some feedback I received from a few people, I have reworded portions of this diary entry. The main focus and content remain; the semi-combative/frustrated/uncouth tone has hopefully been drowned out. I apologize to those industry partners I work with on a daily basis whom I may have upset.*

Microsoft just broke some major ground in the fight against botnets (Waledac in this case) by executing civil legal action against a botnet owner to get 270+ domain names pulled. While this may not sound very sexy or amazing on the surface, it is in my view an extremely important step in the fight against these threats. For the first time an organization that is affected by malicious code has decided to take out a botnet by leveraging the civil legal system and some of its remedies.

The trouble with Waledac is that all the domains that it used for C2 (Command and Control) were hosted in the .com/.net TLDs. Verisign's policy on these sorts of issues is to only remove domains under court order, which has primarily restricted this sort of action to the realm of law enforcement. This is the first time that it has been publicly known that an organization has achieved the same results via civil process. While this stance is understandable from a legal perspective, its cost on the overall health of the Internet (and people's financial/mental well-being) is rather heavy. Over the last 3-5 years there has been an increasing number of registries and registrars who have put in place proper abuse mechanisms (including legal/technical frameworks to deal with the associated liability/political/legal/social issues) to remove malicious domains. Some TLD registries/registrars go so far as to proactively monitor their domain space for malicious activity, taking down malicious sites during the first few minutes/hours of their lives.

As the domain industry has moved towards this sort of self-policing (let's not forget that regulation/policy scares even the mightiest of CEOs), there has been one 900 lb gorilla that has held out. Within the domain industry the lack of initiative from Verisign has meant a much slower adoption of these sorts of policies and procedures. Several ccTLDs have leveraged the fact that the largest registry (Verisign) does not have any such policies or procedures in place: if Verisign doesn't, why should they? This lack of leadership by the industry's largest player has of course opened up an opportunity for ICANN to play a role in helping the industry along the path of "responsible stewardship" (http://www.icann.org/en/announcements/announcement-2-12feb10-en.htm). Granted, it is always better to have your peers lead the way than to be dragged or coerced to the party by your parents. Given the sheer amount of technical, management, and I assume legal talent (I don't know any of their lawyers outside of seeing them at some meetings), Verisign should be one of the thought leaders in this realm.

If Verisign could find a way to streamline the process of removing malicious domains (notice I'm not saying criminal/illegal), and/or produce (or work with others to produce) a guide or framework on what would be an acceptable amount of evidence to present to feed a takedown process, I think we would see a large shift in the struggle against cybercrime. Out of all the Internet registries it is Verisign that is stocked with the most talent, infrastructure, and capabilities to make massive changes in how cybercrime is conducted on the Internet. The biggest trick is for Verisign to figure out how to do just that in a manner that doesn't deep-six their business model.

Don't get me wrong, Verisign has done a lot of things right with regard to its participation in this sort of activity in the past (the Conficker Working Group comes to mind; without their participation the CWG would not have existed). It just seems that they have reserved that ability for exceptional circumstances like Conficker, versus trying to make the big difference by operationalizing this capability.

Hopefully the entire TLD industry will recognize that a small portion of their legal departments' time spent being creative and proactive may save them a whole lot of reputation, as well as possibly opening up new business models and revenue streams. I find it rather interesting that two of what used to be the most disrespected organizations when it came to security issues (MS and ICANN) are now leading from the front in a full-on cavalry charge.

It is my hope that MS has cleared the path for more organizations to leverage this ruling to achieve the same goals. In a perfect world Verisign would simply have in place some of the same (or similar) controls for mitigating malicious domains that others in the industry have produced and shared.

This story isn't just about legal tales and policy problems inside the domain industry. There is also a large group of individuals who spent countless hours and amazing levels of effort to produce the data needed to execute this takedown. As the technically inclined may already know, Waledac has a multi-tiered command and control setup (direct HTTP C2 as well as P2P), which was addressed in this effort as well. (See the links below for some reading on the P2P side of Waledac.)

So for what it is worth, kudos to Microsoft for leveraging its legal pit bulls for good!

Some of the other groups who participated in this effort are listed below (taken from honeyblog.org).

The University of Mannheim
University of Bonn
University of Washington
ShadowServer
Symantec
And a few nameless others


To remove Waledac from a machine, feel free to use Microsoft's free Malicious Software Removal Tool located at the link below.
http://www.microsoft.com/security/malwareremove/default.aspx

You can read more about this at MS's blog posting:
http://blogs.technet.com/microsoft_blog/archive/2010/02/25/cracking-down-on-botnets.aspx

The actual court paperwork can be found here (interesting read):
http://www.microsoft.com/presspass/events/rsa/docs/complaint.pdf

Waledac P2P paper/info:
http://honeyblog.org/archives/44-Walowdac-Analysis-of-a-Peer-to-Peer-Botnet.html

The folks over at honeyblog.org have a good write-up on this, as well as a nice little link to sudosecure's Waledac tracker page.
http://honeyblog.org/archives/52-Waledac-Takedown-Successful.html

Waledac Tracker (sudosecure.net)
www.sudosecure.net/waledac/index.php


Comments

I approve of VeriSign's position, overall. They are known as the registrar that does not play games with domains. They do not take them down for political speech reasons, they don't take them down because they think you might have been naughty. Other registrars do, often without warning or consultation, and I will not use them. If VeriSign thinks they can help in a limited manner on these bot domains, that's great. But if they refuse to do so, that's great too, because VeriSign has reasons for doing so that I support.

Think about the flip side of this coin before saying that VeriSign is 'behind' on anything.

Can't disagree with you on that point. In fact, while I was working at Neustar (the first TLD to implement registry-level malicious domain takedowns) we made absolutely sure to have strong procedures put in place to avoid those sorts of issues. Those mainly revolved around some rather in-depth analysis on content and behavior of malware and exploits served up on the site (as well as background investigations into the site owner, its content, length of time, and even mapping of known vulnerabilities in running software on the site). There is also a distinction between a registry (what Verisign/Neustar/Afilias are) and a registrar (GoDaddy/Network Solutions/Tucows/etc.).

So there is a very large difference between "illegal because I say it is" and "illegal because it is actively harming individuals/companies/organizations".

So yes, this is a very complex issue, but it has been demonstrated over the last 3-5 years that it can be addressed with the proper legal frameworks, technical capabilities, and will.

"Microsoft ... an organization effected by malicious code"

{chuckle} Is that perhaps a Freudian slip?

http://www.merriam-webster.com/dictionary/effected

Fixed; also, spellcheck p0wned my "gorilla".

Great post, appropriate use of the bully pulpit.