Tough break for the evil Waledac botnet

*Gosh, it's handy that American courts can secretly shut down Internet domains. Great hack! Imagine if you were a Chinese court, and you wanted to secretly shut down a few hundred criminal Internet domains. Why, I bet that Chinese, Russian, Arab, Israeli, Pakistani, Indian, Georgian, Estonian, and Ukrainian officials are contemplating those prospects right now.

*Good thing they still lack the Internet clout of the Big Blue Monster! Maybe the only guys in the world who have literally stalked and killed off a botnet!

http://arstechnica.com/microsoft/news/2010/02/judges-restraining-order-takes-botnet-cc-system-offline.ars

Judge's restraining order takes botnet C&C system offline
By Peter Bright | Last updated February 25, 2010 4:58 PM

Botnets—large networks of malware-infected PCs remotely controlled by criminals—are a serious problem on the Internet. The spam, phishing attacks, and malware that these networks send account for a massive proportion, in excess of 80 percent, of e-mail traffic. One such network, known as Waledac, has been stopped in its tracks after Microsoft got a court to issue a secret temporary restraining order. The restraining order took 277 domain names used by the criminals to communicate with the botnet offline. Without these domain names, it is hoped that the controllers of the botnet will permanently lose access to the machines running their malware.

The Waledac botnet is presumed to be run by Eastern Europeans (((although one rather imagines that dozens of flourishing crooks around the planet are staring at their screens this morning and muttering "what the hell"))) and to be made up of hundreds of thousands of compromised machines. It sends hundreds of millions, if not billions, of e-mails each day, as well as distributes malware to help recruit new machines to the network.

Microsoft's complaint describes in detail how the botnet is organized, with a complex hierarchical control system. At the root of the system are the command-and-control servers. The botnet uses the 277 domain names to connect to the command-and-control servers to download new commands. These commands are then distributed through the different tiers of the network using peer-to-peer transmission.

By obtaining the restraining order, this command-and-control system was disrupted; with the domain names offline, the machines in the botnet were no longer able to locate their control servers, rendering them mostly harmless. The court action had to be taken in secret to avoid warning the botnet's operators; with sufficient warning, they might have been able to set up new domain names and new control systems, thereby circumventing Microsoft's efforts. The names have now been offline for three days, presumably sufficient to cause permanent disruption, and the injunction is now public.

Similar action against past botnets has been attempted by security researchers before, but the results were only temporary as new command and control servers were set up. Microsoft's intent is for this action to be more permanent. "Operation b49," as Redmond has called it internally, still has further work to do to ensure that the peer-to-peer communication between computers in the botnet is disrupted.

This is critical if the mission is to be successful; the company notes that the operation is not a "silver bullet," as it does not remove the malware from the infected PCs....
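The article explains that the bots located their controllers through the seized domain names. From a defender's side, the same fact is useful after a takedown: any internal host still trying to resolve those names is almost certainly infected, so a quick pass over the resolver's query log finds the machines that need cleaning. The script below is an added example, not code from the article, from Microsoft, or from Operation b49. The seized-domain names in it are placeholders (the article says 277 domains were taken offline but does not list them), and the log lines are constructed in the style of BIND's query log.

```python
"""Flag internal hosts that query domains seized in a botnet takedown.

Added example, not from the article or from Microsoft's Operation b49.
The seized domains are placeholders and the log lines are constructed.
"""
import re
from collections import defaultdict

# Placeholder stand-ins for the seized C&C rendezvous domains
# (the real 277 names are not given in the article).
SEIZED_DOMAINS = {
    "cnc-placeholder-1.example",
    "cnc-placeholder-2.example",
    "update-placeholder.example",
}

# Constructed sample of BIND-style query log lines.  One host queries two
# seized domains, one queries a look-alike that must NOT match, and one
# queries an unrelated site.
SAMPLE_LOG = """\
25-Feb-2010 09:01:12.104 client 10.0.3.17#51234: query: cnc-placeholder-1.example IN A + (10.0.0.2)
25-Feb-2010 09:01:12.377 client 10.0.3.17#51235: query: www.cnc-placeholder-1.example IN A + (10.0.0.2)
25-Feb-2010 09:01:15.002 client 10.0.3.42#49877: query: www.microsoft.com IN A + (10.0.0.2)
25-Feb-2010 09:02:01.551 client 10.0.3.17#51240: query: cnc-placeholder-2.example IN A + (10.0.0.2)
25-Feb-2010 09:02:44.910 client 10.0.5.9#60001: query: notcnc-placeholder-1.example IN A + (10.0.0.2)
25-Feb-2010 09:03:10.333 client 10.0.5.9#60002: query: update-placeholder.example IN A + (10.0.0.2)
"""

# Fields of a BIND query log record: timestamp, client IP, query name, type.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def seized_parent(qname, seized=SEIZED_DOMAINS):
    """Return the seized domain that qname equals or is a subdomain of, else None.

    The label boundary check ("." + dom) keeps look-alikes such as
    notcnc-placeholder-1.example from matching cnc-placeholder-1.example.
    """
    name = qname.rstrip(".").lower()
    for dom in seized:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def find_infected_hosts(log_text, seized=SEIZED_DOMAINS):
    """Map each client IP that queried a seized domain to the domains it asked for."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # not a query record; skip
        dom = seized_parent(m.group("qname"), seized)
        if dom:
            hits[m.group("ip")].add(dom)
    return dict(hits)


if __name__ == "__main__":
    for ip, doms in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: queried seized domains {sorted(doms)}")
```

Run against the constructed sample, the script reports 10.0.3.17 and 10.0.5.9 as hosts that reached for seized names, and leaves out 10.0.3.42 and the look-alike query. In practice the domain set would be loaded from the published seizure list and the log fed in from the real resolver; the hit list is the starting point for host cleanup, which, as the article notes, the takedown itself does not do.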

(((More:)))

http://blogs.technet.com/microsoft_blog/archive/2010/02/25/cracking-down-on-botnets.aspx