A little love for the Waledac takedown after all

On another corner of the Internet, ThreatPost reports that Microsoft’s Waledac takedown a few weeks ago did, in fact, have a far-reaching impact.  While some on the Internet were claiming that Microsoft’s actions had little to no effect, others are now saying that Waledac appears to be crippled, if not dead:

After Microsoft's actions to take down the Waledac botnet last month, there was some question about whether the operation was much more than a grab for headlines that would have little effect on actual spam levels or malware infections. But more than three weeks after the takedown, researchers say that Waledac has essentially ceased communications and its spam operations have dropped to near zero.

One researcher said that Waledac now seems to be abandoned. "It looks crippled, if not dead," said Jose Nazario, a senior security researcher at Arbor Networks.

An analysis of the effects of the Waledac takedown, known internally at Microsoft as Operation b49, by the company and other researchers has shown that Microsoft's efforts, combined with those of other researchers from universities in Europe, have rendered Waledac toothless.

...early data from Microsoft and other researchers indicate that our actions have effectively decimated communications within the Waledac bot network. For example, researchers from the Shadowserver Foundation, the Technical University in Vienna, University of Mannheim, University of Bonn and University of Washington have analyzed honeypot data on Waledac and have observed an effective cessation of commands to Waledac 'zombies.' That’s good news because it indicates that Operation b49 effectively severed between 70,000 and 90,000 computers from this botnet, meaning that those customers are less likely to see rogue security software pop-ups, malware downloads, outgoing spam and ID and password theft associated with the Waledac botnet infection.

Another key indicator of the botnet's demise is the lack of newly infected PCs.

"Researchers at Sudosecure who track new Waledac infections have data showing a dramatic decline in new IP addresses appearing within the Waledac network, meaning that Waledac is no longer spreading its infection to other computers. While there will likely always be some fluctuations as long as the underlying malware exists and we must and will continue to work with the security community to stay on top of Waledac over time, the 'zero new infections' number reported by Sudosecure as of February 27 is a great indicator of the success of these efforts so far," Microsoft's Jeff Williams wrote.

So rather than stopping the spam outright, the takedown has left the drones unable to reach their command points; or, more precisely, no new commands are being issued to them.  Indeed, here are some snapshots from Sudosecure’s page:

You can see that on Feb 23 the number of new IPs drops dramatically.  So, rather than cutting off the flow of spam coming out of Waledac directly, this action by Microsoft may have interrupted Waledac’s ability to refresh itself.  If that’s the case, then Waledac’s spam will taper off over time rather than stop abruptly: the current zombies will finish sending whatever they were last told to send, but they will not be issued new commands and no new machines are being recruited to replace them.
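The “new IPs per day” figure that Sudosecure published is easy to reproduce from your own sinkhole or honeypot check-in logs. The following is an added example, not code from the original post or from Sudosecure: it takes constructed check-in records (RFC 5737 documentation addresses, a made-up `YYYY-MM-DD ip` line format), counts the IPs first seen on each day, and flags the first day on which that count collapses relative to the preceding days, which is the signal the post reads off the Feb 23 snapshot.

```python
"""Added example (not from the original post or Sudosecure): count first-seen
bot IPs per day from sinkhole check-in records and flag the day the count
collapses.  The log format and every address below are constructed."""
from collections import OrderedDict
from datetime import date

# Constructed sample check-ins: "YYYY-MM-DD ip", as a sinkhole might log them.
# Addresses are from RFC 5737 documentation ranges; none are real bots.
SAMPLE_LOG = """\
2010-02-21 192.0.2.10
2010-02-21 192.0.2.11
2010-02-21 198.51.100.5
2010-02-22 192.0.2.10
2010-02-22 192.0.2.12
2010-02-22 198.51.100.6
2010-02-22 203.0.113.7
2010-02-23 192.0.2.10
2010-02-23 192.0.2.11
2010-02-23 192.0.2.12
2010-02-24 192.0.2.10
2010-02-24 198.51.100.5
2010-02-25 192.0.2.11
"""


def parse_checkins(text):
    """Return a list of (date, ip) tuples; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            day = date.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((day, parts[1]))
    return records


def new_ips_per_day(records):
    """Per day, count IPs never seen on any earlier day (a proxy for new infections).

    Days with check-ins but no first-seen IPs are kept with a count of 0 so a
    quiet day shows up as a drop rather than vanishing from the series.
    """
    seen = set()
    counts = OrderedDict()
    for day, ip in sorted(records):  # chronological, so "first seen" is well defined
        counts.setdefault(day, 0)
        if ip not in seen:
            seen.add(ip)
            counts[day] += 1
    return counts


def find_drop(counts, window=2, threshold=0.5):
    """Return the first day whose new-IP count is below `threshold` times the
    mean of the previous `window` days, or None if no such day exists."""
    days = list(counts.items())
    for i in range(window, len(days)):
        baseline = sum(c for _, c in days[i - window:i]) / window
        if baseline > 0 and days[i][1] < threshold * baseline:
            return days[i][0]
    return None


if __name__ == "__main__":
    series = new_ips_per_day(parse_checkins(SAMPLE_LOG))
    for day, count in series.items():
        print(day, count)
    print("drop detected on:", find_drop(series))
```

On the constructed data the series is 3, 3, 0, 0, 0 and the drop is flagged on 2010-02-23. Treat the number as a proxy: it counts addresses first seen from your vantage point, so DHCP churn inflates it and gaps in sinkhole coverage deflate it, which is the fluctuation Williams cautions about above.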
