Is the infamous Waledac botnet out of the picture or not?

Microsoft has made some claims about the Waledac botnet that contradict what botnet researchers feel is reality. Michael Kassner attempts to sort it out.

Microsoft has made some claims about the Waledac botnet that contradict what botnet researchers feel is reality. Let's try and sort it out.
The Official Microsoft Blog headline reads Cracking Down on Botnets. In the post, T. J. Campana, an Investigative Consultant with Microsoft Public Sector Services presents Microsoft's intentions:

"Given the recent spread of botnets, we are getting even more creative and aggressive in the fight against botnets and all forms of cybercrime. That's why I'm proud to announce that through legal action and technical cooperation with industry partners, we have executed a major botnet takedown of Waledac, a large and well-known 'spambot'."

Does that mean the Waledac botnet is out of commission? Let's see if we can figure it out.

Waledac's beginning

This story begins with the November 2008 closing of McColo, the control center for several high-profile botnets including Storm. The shuttering of McColo decimated the botnets' command structure.

Out of the ruins arose a new and stronger botnet called Waledac. The timing and similarities in malware code led experts to believe Waledac is Storm reincarnated.

Takedown by Microsoft

Now, fast forward to last week when Microsoft decided to take some serious action against the botnet called Waledac. Microsoft's Campana explains what happened:

"A federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot. This action has quickly and effectively cut off traffic to Waledac at the '.com' or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world."

That certainly appears to be a good thing. A few problems remain. Experts are questioning the effectiveness of what Microsoft did, as well as how Microsoft characterizes the botnet.

Waledac down or not

I have been getting asked this a lot. Truth be told, I am not sure where Waledac stands right now. Let's look at what the people who chase botnets for a living say. Before I start, Gregg Keizer of ComputerWorld deserves a lot of credit. He has written numerous articles about Waledac. In so doing, he has obtained expert testimony that I would like to share with you.

Botnet authorities feel the software giant did little if anything to stop Waledac, saying that today's botmasters plan for disruptions like Microsoft's. They simply develop multiple methods to phone home. Waledac has three such options:

  • A predetermined list of domain names (Microsoft's attack)
  • A series of hard-coded IP addresses
  • A peer-to-peer protocol
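The list above is why cutting off the domain names alone does not kill the botnet: an infected host simply falls back to its hard-coded addresses or to peers. The following is an added example (not from the article or from any Waledac analysis) of the defender-side check that follows from that design: flag hosts whose name lookups fail and that then connect to IP addresses they never resolved, which is the footprint of the hard-coded-IP fallback. The hostnames, addresses and log lines are constructed for illustration.

```python
"""Detect the 'domain list failed, fell back to hard-coded IPs' pattern
from paired DNS and connection logs. All sample data below is constructed."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed DNS log: (time, host, answer type or failure, name/address).
# ws-17 sees its rendezvous names fail; ws-42 resolves a name normally.
DNS_LOG = [
    ("10:00:01", "ws-17", "NXDOMAIN", "rendezvous-a.example"),
    ("10:00:02", "ws-17", "NXDOMAIN", "rendezvous-b.example"),
    ("10:00:03", "ws-42", "A", "203.0.113.10"),
]

# Constructed connection log: (time, host, destination IP, port).
CONN_LOG = [
    ("10:00:05", "ws-17", "198.51.100.7", 80),   # never appeared in a DNS answer
    ("10:00:06", "ws-17", "198.51.100.8", 80),   # never appeared in a DNS answer
    ("10:00:07", "ws-42", "203.0.113.10", 443),  # resolved above; benign pattern
]

FAILURES = {"NXDOMAIN", "SERVFAIL"}


def resolved_ips(dns_log):
    """Per host, the set of addresses it actually received in A/AAAA answers."""
    seen = defaultdict(set)
    for _ts, host, rtype, detail in dns_log:
        if rtype in ("A", "AAAA"):
            seen[host].add(ip_address(detail))
    return seen


def failed_lookups(dns_log):
    """Per host, the number of name lookups that failed outright."""
    counts = defaultdict(int)
    for _ts, host, rtype, _detail in dns_log:
        if rtype in FAILURES:
            counts[host] += 1
    return counts


def flag_fallback(dns_log, conn_log, min_failures=2):
    """Hosts with >= min_failures failed lookups that then connect to IPs they
    never resolved. Returns {host: [(ip, port), ...]} for the suspect flows."""
    resolved = resolved_ips(dns_log)
    failures = failed_lookups(dns_log)
    flagged = defaultdict(list)
    for _ts, host, ip, port in conn_log:
        if failures[host] >= min_failures and ip_address(ip) not in resolved[host]:
            flagged[host].append((ip, port))
    return dict(flagged)
```

The heuristic is intentionally narrow: a host that resolves names normally and connects to the answers it received is never flagged, only the failure-then-direct-IP sequence is.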

In one of his articles, Keizer asked Joe Stewart, Director of Malware Analysis at SecureWorks and a noted botnet researcher, what he thought. Here is his reply:

"I don't see how you can kill a botnet like this. There's no single point of failure for these botnets."

In that same article, Stewart goes on to say:

"I haven't seen any decrease in [Waledac's] activity. To me, it looks like business as usual."

Terry Zink, author of MSDN's Anti-malware Blog, is more retrospective:

"Sometimes you don't have to completely win the battle, you only have to make it too expensive for the bot controller and spammer to shift the cost/benefit ratio into an unfavorable direction."

I get the feeling that Waledac is still in business, even with Microsoft's intervention. It will be interesting to read next month's intelligence reports to see where Waledac fits in the botnet hierarchy.

Microsoft confused?

T.J. Campana in the Microsoft blog made some claims that need to be looked at. He mentioned that Waledac was/is a "large and well-known spambot". I think he means spam botnet.

Anyway, the experts disagree. I just completed an article: The top 10 spam botnets: New and improved. No one counts Waledac as one of the top 10 largest spam botnets. That includes MessageLabs, in their just-released February 2010 Intelligence Report.

Further along in the Official Microsoft Blog, Campana offers these figures:

"Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day."

We now know that, in the grand scheme of things, hundreds of thousands of bots is not significant, especially when you consider Rustock. That botnet has bragging rights for being the largest, controlling close to two million infected computers.

Next claim

The uninitiated may think 1.5 billion spam email messages per day is significant. But that amount pales in comparison to other, more active spam botnets. In fact, Waledac hasn't been that busy according to MessageLabs.

If you look at the following graph (courtesy of the MessageLabs Intelligence Report), you will see two distinct spikes of Waledac activity, one in January of 2009 and another during January of 2010. Waledac has been quiet during the rest of the time.

Keizer asked Stewart about Waledac's spamming capability:

"Waledac just is not a hugely prolific spammer. So I don't think it's going to affect spam. What it's used for, is to install rogue antivirus software."

My research agrees. Consider Grum, the spam botnet king. Having only 600,000 bots, it still manages to push out 40 billion spam e-mail messages a day.

Final thoughts

Time will tell whether Waledac survives or not. Historically, it doesn't matter. Another botnet will replace it. That is, until we figure out how to prevent computers from being vulnerable to exploits.