SANS ISC: Microsoft, restraining orders, and how a big botnet (waledec) ate curb. SANS ISC InfoSec Forums
Microsoft, restraining orders, and how a big botnet (waledec) ate curb.

*Disclaimer: The title may not end up being 100% accurate, as parts of Waledec may resurface at some point in time.*

Microsoft just broke some major ground in the fight against botnets (Waledec in this case) by taking civil legal action against the botnet's operators to get its domain names pulled. While this may not sound very sexy or amazing on the surface, it is in my view an extremely important step in the fight against these threats. For the first time, an organization affected by malicious code has taken it upon itself to protect not only its own reputation but the resources and reputations of its customers as well, by leveraging the civil legal system.

See, the trouble with Waledec is that all the domains it used for C2 were hosted in the .com/.net TLDs, and Verisign is somewhat notorious for only removing domains under court order, no matter how blatant the criminal activity. While this stance is semi-understandable from a legal perspective (if you are, IMHO, a lazy lawyer), it has little place in the current threat landscape (or even the domain industry). Over the last 3-5 years an increasing number of registries and registrars have put in place proper abuse mechanisms (including legal/technical frameworks to deal with liability issues) for handling malicious domains. Some TLD registries go so far as to proactively monitor their domain space for malicious activity, taking down sites within the first few minutes or hours of their life.

As the industry has moved toward this sort of self-policing (let's not forget that regulation/policy scares the mightiest of CEOs), there has been one 900 lb gorilla that has held out. Within the domain industry, the lack of initiative from Verisign has meant a much slower adoption of these sorts of policies and procedures within several ccTLDs (country-code TLDs) that have used Verisign as an example. This has of course opened up an opportunity for ICANN to play a role in helping the industry along (http://www.icann.org/en/announcements/announcement-2-12feb10-en.htm). If only Verisign could be made to understand the impact that adopting these processes would have in curbing the rampant flow of criminal activity in its domains. Hopefully its senior leadership will recognize that a bit of the legal department's time spent being creative and proactive may save the company a whole lot of face. It is pretty bad when two organizations (MS and ICANN) that have classically been way behind the curve on security-related issues are so far ahead of the one organization that prides itself on "selling security" (Verisign).

Don't get me wrong: Verisign has done a lot of things right with regard to its participation in this sort of activity in the past (the Conficker Working Group comes to mind). It has just reserved that ability for exceptional circumstances like Conficker. It is my hope that MS has cleared the path for more organizations to leverage this ruling to achieve the same goals. In a perfect world, Verisign would simply have in place the same (or similar) controls for mitigating malicious domains in its domain space.

There will no doubt be more details coming forward on the technical aspects of these actions, as Microsoft was not the only party involved in this effort. As those details come out, the list of kudos will no doubt grow to encompass academics, non-profits, and commercial organizations. As the technically inclined may already know, Waledec has a multi-tiered command-and-control setup (direct HTTP C2 as well as P2P), which was no doubt addressed in this effort. (See below for some reading on the P2P side of Waledec.)

So for what it is worth, kudos to Microsoft for leveraging its legal pit bulls for good! Thanks should also be given to those who worked behind the scenes to make this happen with their technical analysis and countermeasures.

To remove Waledec from a machine, feel free to use Microsoft's free Malicious Software Removal Tool, located at the link below.

http://www.microsoft.com/security/malwareremove/default.aspx

You can read more about this here:

http://blogs.technet.com/microsoft_blog/archive/2010/02/25/cracking-down-on-botnets.aspx

The actual court paperwork can be found here (interesting read):

http://www.microsoft.com/presspass/events/rsa/docs/complaint.pdf

Waledec P2P paper/info:

http://honeyblog.org/archives/44-Walowdac-Analysis-of-a-Peer-to-Peer-Botnet.html

AndreL

56 Posts
I approve of VeriSign's position, overall. They are known as the registrar that does not play games with domains. They do not take them down for political speech reasons, they don't take them down because they think you might have been naughty. Other registrars do, often without warning or consultation, and I will not use them. If VeriSign thinks they can help in a limited manner on these bot domains, that's great. But if they refuse to do so, that's great too, because VeriSign has reasons for doing so that I support.

Think about the flip side of this coin before saying that VeriSign is 'behind' on anything.
Anonymous
Can't disagree with you on that point. In fact, while I was working at Neustar (the first TLD to implement registry-level malicious domain takedowns) we made absolutely sure to have strong procedures put in place to avoid those sorts of issues. Those mainly revolved around some rather in-depth analysis of the content and behavior of malware and exploits served up on the site (as well as background investigations into the site owner, its content, length of time, and even mapping of known vulnerabilities in software running on the site). There is also a distinction between a registry (what Verisign/Neustar/Afilias are) and a registrar (GoDaddy/Network Solutions/Tucows/etc.).

So there is a very large difference between "illegal because i say it is" and "illegal because it is actively harming individuals/companies/organizations".

So yes, this is a very complex issue but it has been demonstrated over the last 3-5 years that it can be addressed with the proper legal frameworks, technical capabilities, and will.
AndreL

56 Posts
"Microsoft ... an organization effected by malicious code"

{chuckle} Is that perhaps a Freudian slip?

http://www.merriam-webster.com/dictionary/effected
John Hardin

62 Posts
Fixed, also spellcheck p0wned my "gorilla".
AndreL

56 Posts
Great post, appropriate use of the bully pulpit.
Patrick

193 Posts