Microsoft, restraining orders, and how a big botnet (waledec) ate curb.

Published: 2010-02-25
Last Updated: 2010-02-26 16:04:39 UTC
by Andre Ludwig (Version: 3)
5 comment(s)

*Disclaimer: The title may not end up being 100% accurate, as parts of Waledec may resurface at some point in time.*

*EDIT: Due to some feedback I received from a few people, I have reworded portions of this diary entry. The main focus and content remains, the semi combative/frustrated/uncouth tone has been hopefully drowned out.  I apologize to those industry partners I work with on a daily basis that I may have upset.*

Microsoft just broke some major ground in the fight against botnets (Waledec in this case) by executing civil legal action against a botnet owner to get 270+ domain names pulled. While this may not sound very sexy or amazing on the surface, it is in my view an extremely important step in the fight against these threats. For the first time an organization that is affected by malicious code has decided to take out a botnet by leveraging the civil legal system, and some of its remedies.

The trouble with Waledec is that all the domains that it used for C2 (Command and Control) were hosted in .com/.net TLD's.Verisign’s policy on these sorts of issues is to only remove domains under court order, which has primarily restricted this sort of action to the realm of law enforcement.  This is the first time that it has been publicly known that an organization has achieved the same results via civil process.  While this stance is understandable from a legal perspective its cost on the overall health of the internet (and peoples financial/mental well being) is rather heavy.  Over the last 3-5 years there has been an increasing number of registry and registrars who have put in place proper abuse mechanisms  (including legal/technical frameworks to deal with the associated liability/political/legal/social issues) to remove malicious domains. Some TLD registries/registrars go so far to proactively monitor their domain space for malicious activity, taking down the sites during the first few minutes/hours of its life.

As the Domain industry has moved towards this sort of self policing (let's not forget, that regulation/policy scares even the mightiest of CEO's), there has been one 900 lb gorilla that has held out.  Within the domain industry the lack of initiative from Verisign has meant a much slower adaptation of these sorts of policies and procedures within the industry.  Several ccTLD’s have leveraged the fact that the largest registry (Verisign) does not have any policies or procedures in place, so why should they?  This lack of leadership by the industries largest player has of course opened up an opportunity for ICANN to play a role in helping the industry along the path of “responsible stewardship” ( ). Granted it is always better to have your peers lead the way than be dragged or coerced to the party by your parents.  Given the sheer amount of technical, management, and I assume legal talent (I don’t know any of their lawyers outside of seeing them at some meetings) Verisign should be one of the thought leaders in this realm. 

If Verisign could find a way to streamline the process of removing malicious domains (notice I'm not saying criminal/illegal), and/or produce (or work with others to produce) a guide or framework on what would be acceptable amount of evidence to present to feed a takedown process I think we would see a large shift in the struggle against cybercrime.   Out of all the Internet registries it is Verisign that is stocked with the most talent, infrastructure, and capabilities to make massive changes in how cybercrime is conducted on the Internet.  The biggest trick is for Verisign to figure out how to do just that in a manner that doesn’t deep six their business model.

Don't get me wrong, Verisign has done a lot of things right in regards to its participation in this sort of activity in the past (Conficker Working Group comes to mind, without their participation the CWG would not have existed). It just seems that they have reserved that ability for the exceptional circumstances like conficker, vs trying to make the big difference in operationalizing this capability. 

Hopefully the entire TLD industry will recognize that a small portion of their legal department's time spent being creative and proactive may save them a whole lot of reputation, as well as possibly opening up new business models and revenue streams.  I find it rather interesting that two of what used to be the most disrespected organizations when it came to security issues (MS and ICANN) are now leading from the front in a full on cavalry charge.

It is my hope that MS has cleared the path to more organizations to leverage this ruling to achieve the same goals. In a perfect world Verisign would simply have in place some of the same (or similar) controls to mitigating malicious domains that others in the industry have produced and shared.

This story isn’t just about legal tales and policy problems inside the domain industry.  There is also a large swath of individuals who spent countless hours and amazing levels of effort to produce the data needed to execute this take down.   As the technically inclined may already know, Waledec has a mult-tiered command and control setup (direct http c2, as well as p2p) which was addressed in this effort as well.  (read below for some reading on the p2p side of Waledec)

So for what it is worth, kudos to Microsoft for leveraging its legal pit bulls for good!

Some of the other groups who participated in this effort are listed below (taken from 

The University of Mannheim
University of Bonn
University of Washington
And a few Nameless others

To remove Waledec from a machine, feel free to use Microsoft's free Malicious Software Removal Tool located at the link below.

You can read more about this at MS’s blog posting
Actual court paperwork can be found here. (interesting read)

Waledec p2p paper/info

The folks over at have a good write up on this, as well as a nice little link to sudosecure's waledec tracker page.

Waledec Tracker (

5 comment(s)

Pass The Hash

Published: 2010-02-25
Last Updated: 2010-02-25 00:25:54 UTC
by Chris Carboni (Version: 1)
0 comment(s)

I've always loved the offensive side of security.  Give me permission and a network to break into and I'm a happy guy.

One of my favorite techniques is the "pass the hash" attack.

Why bother spending precious time cracking a password if you can simply provide the target system what it's already expecting, a hash?

Recent tool advances make this a much easier attack to perform than it has been in the past and it is more likely than ever that attackers are using this technique on your systems.

Bashar Ewaida completed a nice Gold paper on the subject in the Sans Reading Room.

If you're not familiar with this technique, the tools that can be used or how to mitigate the attack, take a look at Bashar's paper.


Christopher Carboni - Handler On Duty

Keywords: hash password
0 comment(s)


What's this all about ..?
password reveal .
<a hreaf="">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> nearest public toilet to me</a>
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> nearest public toilet to me</a>
<a hreaf=""> public bathroom near me</a>
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
Enter corthrthmment here...

Diary Archives