
Microsoft's 'Operation b49'

A pyrrhic victory.



REDMOND (Rixstep) — Microsoft are proud to announce they've succeeded in neutralising a huge Waledac botnet. They did this not by finally getting their security act together but by using their clout in a Virginia courtroom to have 277 domains believed to be running the botnet disconnected.

[The botnet in question is Waledac. Conficker is a separate worm and was not the target of this operation.]

The Microsoft-stamped court order came through on 22 February. The Waledac botnet was estimated to be one of the ten largest botnets in existence today.

[The astute reader will note that the other nine, and everything below them, are still alive and kicking.]

The targeted botnet sent out an estimated 1.5 billion spam messages per day. That's a lot of spam - but evidently only the tip of the spam iceberg.

[Try to imagine an iceberg made of frozen spam that's big enough to sink the Titanic.]

Microsoft were particularly hurt by Waledac, reporting that over 650 million spam messages were directed at their Hotmail accounts in just under three weeks in December of last year.

[And here the enlightened on the Internet were innocently wondering if anyone uses Hotmail anymore.]

Operation b49

The secret codename for the takedown was 'Operation b49'. (This shouldn't be confused with the 'B52', which is the airplane that bombs strongholds of enemies of the United States in order to preserve freedom around the globe.) 'Operation b49' was coordinated with NSI, who held the registration records for the 277 domains in question. Now those domains don't resolve. Gosh. Bye bye.

Microsoft boast on their security blog about the coup.

Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of [**censored**]-infected computers, and our goal is to make that disruption permanent. But the operation hasn't cleaned the infected computers and is not a silver bullet for undoing all the damage we believe [**censored**] has caused. Although the zombies are now largely out of the bot-herders' control, they are still infected with the original malware.

Ah yes. So important to realise - 'they are still infected with the original malware'. This is particularly for those who only skim headlines and/or brandish a member badge for the NFC Club. The infected computers - yes there are millions of them in this botnet alone - are still infected, ready for plucking. And they most likely will be plucked again when the botnet gangs regroup.

The future scenario will be:

  • Gangs set up more ostensibly innocent sleeper domains.
  • Gangs gradually activate the millions of sleeping botnet PCs.
  • Microsoft call out their big guns and send them to Virginia again.
  • Lather, rinse, repeat.

Many security experts suggest the takedown would have been more effective if the DNS records for all of the domains the botnet can fall back on, not just the 277 named in Microsoft's filing, had been removed as well.
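To make the lather-rinse-repeat loop above concrete, here is an added illustration (example code written for this page, not Microsoft's, Rixstep's or the gang's): a toy resolver and a bot that walks a hard-coded rendezvous list. Every domain name, address and list entry is constructed, and the bot-side logic is a generic fallback list, not a reconstruction of Waledac's real command channel. The two scenarios are the article's: seize only the names investigators knew about, or seize every name the bots carry.

```python
"""Model of a DNS-only botnet takedown and a bot herder's recovery.

Added example for this article; it is not code from Microsoft, from the
Waledac operators or from Rixstep. The domain names, addresses, the bot's
rendezvous list and the miniature DNS are all constructed here.
"""
from typing import Dict, List, Optional, Set, Tuple


class MiniDns:
    """A toy resolver: a record table plus the set of names a court order pulled."""

    def __init__(self, records: Dict[str, str]) -> None:
        self.records: Dict[str, str] = dict(records)
        self.seized: Set[str] = set()

    def resolve(self, name: str) -> Optional[str]:
        """Return the A record, or None for a seized or never-registered name."""
        if name in self.seized:
            return None
        return self.records.get(name)

    def seize(self, names: Set[str]) -> None:
        """Court-order model: the listed names stop resolving; bots are untouched."""
        self.seized |= set(names)

    def publish(self, name: str, ip: str) -> bool:
        """Herder model: register or activate a domain, unless it has been seized."""
        if name in self.seized:
            return False
        self.records[name] = ip
        return True


def bot_rendezvous(rendezvous_list: List[str], dns: MiniDns) -> Optional[str]:
    """The first name in the bot's hard-coded list that resolves wins.

    The infection itself survives any takedown; only this answer changes.
    """
    for name in rendezvous_list:
        ip = dns.resolve(name)
        if ip is not None:
            return ip
    return None


# Constructed data: the bot carries two live C2 names plus one sleeper
# that is not yet registered anywhere.
BOT_LIST = ["c2-alpha.example", "c2-beta.example", "sleeper-one.example"]
LIVE_RECORDS = {
    "c2-alpha.example": "198.51.100.10",
    "c2-beta.example": "198.51.100.11",
}
KNOWN_TO_INVESTIGATORS = {"c2-alpha.example", "c2-beta.example"}


def run_scenario(seize_everything: bool) -> List[Tuple[str, Optional[str]]]:
    """Play the article's loop and record which C2 address the bot reaches.

    seize_everything=False seizes only the names investigators found (the
    article's Operation b49); True also seizes the sleeper, the outcome the
    "remove all the domains" critics asked for.
    """
    dns = MiniDns(LIVE_RECORDS)
    trace: List[Tuple[str, Optional[str]]] = []

    trace.append(("before takedown", bot_rendezvous(BOT_LIST, dns)))

    to_seize = set(BOT_LIST) if seize_everything else KNOWN_TO_INVESTIGATORS
    dns.seize(to_seize)
    trace.append(("after court order", bot_rendezvous(BOT_LIST, dns)))

    # The gang regroups: activate the sleeper domain the bots already know.
    dns.publish("sleeper-one.example", "203.0.113.7")
    trace.append(("after herder activates sleeper", bot_rendezvous(BOT_LIST, dns)))

    return trace


def main() -> None:
    for label, seize_all in (("seize only the known names", False), ("seize every name", True)):
        print(label)
        for step, ip in run_scenario(seize_all):
            print(f"  {step:32s} -> {ip or 'headless (but still infected)'}")


if __name__ == "__main__":
    main()
```

In the first scenario the bots go quiet for exactly as long as it takes the herder to light up a name they already carry; in the second they stay headless until someone re-infects them with a new list. Neither scenario cleans a single machine, which is the article's point.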

Homework

Lesson: hunting botnets with mafiosi legal teams is not the answer. Any number of innocent people can be hurt. Microsoft aren't worrying about collateral damage here - they're worried about their reputation in the face of the ongoing slaughter Zeus trojans are causing, with millions being lost from bank accounts each and every day.

The millions of computers in the Waledac botnet remain infected and can soon be under the control of a new botnet. Microsoft remain incapable of securing their systems - the systems people buy from them in good faith.

Not everything always works out for the best. But if there's any justice then Bill Gates will have to pay class action damages sooner or later. To hundreds of millions of people.

Be patient in the meantime. Your homework tonight: to finally get your live CD.

No one is yet asking for class action suits against Microsoft or other software vendors for the massive outbreaks of bots which are enabled by the lax security models of certain vendors who only respond with reactive not pro-active measures.
 - 'JS'

See Also
Antisource: ZeuS
abuse.ch: Zeus Tracker
Wikipedia: Zeus Trojan
Rants: The Malware Ruse
MDL: Malware Domain List
Prevx: Test Your FTP Logon
Rants: The Microsoft Ghetto
The Technological: Wsnpoem
NetWitness: Kneber White Paper
YouTube: Zeus Bot: Under Watch
Rants: ;DECLARE @S CHAR(4000);
Fortiguard: Zeus: God of DIY Botnets
Rants: Fighting Malware on Windows
The Technological: They Think It's OK
WSJ: Broad New Hacking Attack Detected
NetworkWorld: Malware Infects Space Station
Webroot: One Click, and the Exploit Kit's Got You
NetworkWorld: America's 10 Most Wanted Botnets
Reuters: Zeus Attacks Department of Transportation
ZBot data dump discovered with over 74,000 FTP credentials
Krebs on Security: Zeus Attack Spoofs NSA, Targets .gov and .mil
Hindu News: UAB computer forensics link Internet postcards to virus
Trusteer: Measuring the in-the-wild effectiveness of Antivirus against Zeus (PDF)
Washington Post: More than 75,000 computer systems hacked in one of largest cyber attacks

Copyright © Rixstep. All rights reserved.