A recently reworded post on Microsoft’s attempt to pursue malware distribution in the courts makes it appear that something permanent and substantial has happened in anti-malware efforts (demonstrated by a legal and collaborative effort called “Operation b49” to take down Waledac C&C domains). Because of the complications (legal and otherwise) that delay server and domain takedowns, it’s great to see this botnet’s well-known command and control server domains pursued by a powerful legal team. On the other hand, in the meantime, users’ systems continue to be infected with Waledac. And much like the FakeAV organizations and the “John Doe” defendants that Microsoft has filed against in the courts in the past, the cybercriminals herding Waledac will most likely pick up and continue to operate in the shadows beyond the reach of law enforcement — the domains and malware will most likely change to evade the takedowns pushed by the court approach. It’s a situation that has been described as “wrestling with a pig”.
In the meantime, the best way to protect yourself is with the latest install of ThreatFire. From our statistics in the ThreatFire community, we see that Waledac binaries continue to attack systems on a daily basis as a bump on the “threat landscape”. The ISC’s post title mistakenly implies that Waledac is not infecting systems on a daily basis because the group’s “Storm-like” spam campaigns of 2009 have been discontinued and because a specific list of domains has been removed, but in fact, Waledac binaries like these are attacking systems on a daily basis. For instance, over the past few days, workstations in the ThreatFire community were attacked by, and protected from, Waledac in the US and parts of Europe.
Anyway, the ISC handler’s post was an interesting writeup and description of past problems in takedowns (current collateral damage is described here), and “Operation b49” adds another strong effort and collaboration to clean up the wild wild web. Cheers to that. Let’s hope that the Waledac bot distributors and botnet operators are worn down by the new strategy while watching their C&C servers become unreachable. We’ll monitor the bot’s distribution over the next few weeks and post results. Hopefully, the group is worn down for good.
View full post on ThreatFire Research Blog
Posted on 02 May 2010. Tags: Curb, Waledac