No love for Microsoft’s Waledac takedown

A couple of weeks ago, I wrote about Microsoft obtaining a court order to take down numerous domains associated with the Waledac botnet. Now that some time has passed, did the takedown actually affect the spam levels coming out of Waledac?

According to Spamhaus in a statement granted to ZDNet, it had little effect, if any:

The throttling of Waledac, which Microsoft claimed to have achieved by means of legal action last week, has led to no appreciable reduction of junk mail coming from the botnet, anti-spam organisation Spamhaus told ZDNet UK on Tuesday.

"The amount of spam coming from Waledac [before the takedown] was less than one percent [of all spam], and that hasn't changed much," said Spamhaus chief information officer Richard Cox. "There's been a slight change, nothing major, and we would expect it to be a lot different."

According to Cox, and Sophos Labs, Microsoft’s targeting of Waledac is odd because it is such a small botnet and accounts for so little traffic:

"I've been chatting to colleagues, and we don't understand why Microsoft took these measures [against Waledac]," said Cox. "There are other botnets, for example Zeus, that do immense harm fraud-wise."

Computer security company Sophos agreed that it had seen no appreciable difference in the amount of spam coming from Waledac after Microsoft's action.

"We can't see a direct correlation between [Microsoft's] takedown efforts and a reduction in spam from Waledac," said Fraser Howard, a principal researcher at Sophos Labs.

In addition, there has been no noticeable reduction in spam volumes overall, according to Howard.

"If the botnet contributed significantly to spam, we would have expected to see a sharp step down in spam volumes," said Howard. "There is no distinct difference between before and after the takedown."

Not everyone agrees that the Waledac takedown was fruitless, though. 

Security company F-Secure said on Wednesday [March 3] it had seen a drop in spam coming from Waledac zombies, and a decrease in the number of binary samples from Waledac-related messages.

"Microsoft might have decapitated [Waledac], it should be interesting to watch," said F-Secure researcher Sean Sullivan.

Sullivan said the ability of the botnet to spread malware may have been severely inhibited by Microsoft's action. From 8 February to 21 February, F-Secure detected 58,913 instances of Waledac malware attempting to circumvent F-Secure security software. After the takedown, from 22 February until 3 March, F-Secure detected 1,113 instances.

Despite this respite in Waledac attacks, Sullivan said F-Secure would not be surprised to see the botnet come back.
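As an added illustration (not code from this post or from the ZDNet article), the two ways the article's sources judge the takedown: F-Secure's two-window comparison, which has to be normalised to a per-day rate because the windows are 14 and 10 days long, and the "sharp step down" in daily volume that Howard looks for, expressed against the pre-takedown day-to-day noise. The daily series and the 3-sigma threshold are constructed assumptions; only the F-Secure window totals come from the article.

```python
from datetime import date, timedelta
from statistics import mean, pstdev


def per_day_rate(total, start, end):
    """Normalise a window total to a per-day rate (both dates inclusive)."""
    return total / ((end - start).days + 1)


def window_reduction(before, after):
    """Fractional drop in per-day rate between two (total, start, end) windows."""
    return 1 - per_day_rate(*after) / per_day_rate(*before)


# F-Secure's two windows as reported in the article: 14 days before, 10 days after.
FSECURE_BEFORE = (58913, date(2010, 2, 8), date(2010, 2, 21))
FSECURE_AFTER = (1113, date(2010, 2, 22), date(2010, 3, 3))


def step_down(daily, takedown_day, threshold=3.0):
    """Howard's 'sharp step down' test: compare the post-takedown mean daily count
    with the pre-takedown mean, and express the drop in units of pre-takedown
    day-to-day noise (population std dev). The 3-sigma threshold is an assumption."""
    pre = [c for d, c in daily.items() if d < takedown_day]
    post = [c for d, c in daily.items() if d >= takedown_day]
    mu, sigma = mean(pre), pstdev(pre)
    z = (mu - mean(post)) / sigma if sigma else float("inf")
    return {"relative_change": (mean(post) - mu) / mu, "z": z, "significant": z >= threshold}


def series(start, counts):
    """Turn a list of daily counts into a date-keyed dict starting at `start`."""
    return {start + timedelta(days=i): c for i, c in enumerate(counts)}


# Constructed daily Waledac-attributed message counts (not real measurements).
TAKEDOWN = date(2010, 2, 22)
PRE = [1000, 1020, 980, 1010, 990, 1005, 995, 1015, 985, 1000]          # 12-21 Feb
NO_EFFECT = series(date(2010, 2, 12), PRE + [990, 985, 995, 980, 990])  # "slight change"
SHARP_DROP = series(date(2010, 2, 12), PRE + [100, 120, 90, 110, 95])   # "sharp step down"

if __name__ == "__main__":
    print(f"F-Secure per-day reduction: {window_reduction(FSECURE_BEFORE, FSECURE_AFTER):.1%}")
    print("no-effect series:", step_down(NO_EFFECT, TAKEDOWN))
    print("sharp-drop series:", step_down(SHARP_DROP, TAKEDOWN))
```

The same function run over a feed's own daily counts is the check Spamhaus and Sophos are describing when they say they saw no distinct difference before and after the takedown.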

So, according to this article, and some other sources I have talked to, here is the reaction to Microsoft’s takedown:

  • Waledac was a small player to begin with
  • The takedown didn’t do much at all
  • Although in some places, it did have a noticeable effect
  • Waledac will be back eventually

The reason for Waledac’s resiliency is that, while several domains were taken offline, Waledac also relies on peer-to-peer traffic.  In that regard, it doesn’t matter whether a domain is taken down, because the nodes are not communicating with it anyway.  If that is the case, then it suggests that Waledac doesn’t rely on domains for spam distribution and instead uses them for something else, such as pointing to the payload in spam.