Wednesday, 24 March 2010
Shadowserver's thoughts on the B49 Waledac Effort
I find it somewhat amusing when I'm asked to describe the *worst* botnets out there. I usually reply by asking "worst in which way"? I believe that you can quantify botnets in three ways:
- Size as to number of drone machines infected
- Tangible measurement of the botnet's payload (spam, DDoS, financial theft)
- Architectural complexity, i.e. how deeply distributed or entrenched the botnet is, and thus how many different providers, domains, etc. it involves
A great deal of attention is given to these three areas and to how certain botnets are "notorious" and "the worst". However, it's only recently that some within the info-sec community are taking an active and more public approach to the problem. This approach is notably in the identification and disruption of the botnet, as well as in remediating the infected hosts. With the Microsoft-led "Operation b49" Waledac effort, Shadowserver participated in a coordinated project that involved a great deal of research. The research was not just into how much spam or how *bad* Waledac was, but also into the long-term effects of our actions.
Botnets are becoming more "notorious", and mainstream awareness of them is certainly growing. As such, new ground must be taken in the analysis, planning, and ultimate impact on the botnet operators. The state of botnets, their reach, and their payloads is a multi-dimensional and complex phenomenon. While going after the "biggest" or "most prolific" may make for good press, it's *not* always the wisest or best way to address the problem. The botnet wars must be fought by winning small battles and developing an arsenal of resources that can be used in future battles.
Several resources were added to the arsenal with the Waledac effort:
- The legal precedent for an 'ex parte' motion that allowed for known malicious domain names to be suspended.
- Footprinting the entire Waledac architecture, allowing for a significant impact to a botnet topology that utilizes a peer-to-peer component. Typically, the predominant opinion was that if P2P is involved, disruption is highly unlikely.
- A planned strategy for identification and remediation of the infected drones. This part is important as it directly impacts the unsuspecting computer user that may not even be aware that he/she was part of Waledac.
- A clear 'shot across the bow' to botnet operators that there is an organized effort now in place to effect disruption and impact to their malicious operations.
So while Waledac was not the *worst* or "spammiest" botnet out there, this effort was not in vain. Success is not measured in the percentage of spam reduced over a week's time. Success in this arena is in the advancement of the 'arsenal' and in breaking new ground in the analysis and disruption of 'notorious' botnets, no matter how they're defined :)
Posted March 24, 2010, at 07:56 AM by Andre' - Semper_Securus