If you can read this, it wasn’t you!


Have you heard of “Botnets”?

“You mean those legions of computers that are being controlled by criminals because they’re running malware that their owners don’t even know about; perhaps to use them to send spam e-mail?”

Exactly.  And if you’re reading this post right now, you can breathe a little easier knowing that you aren’t currently operating on behalf of a particularly nasty network of infected computers.**  This week Microsoft petitioned for and received the ability to block the access to several domains that are listed as known sites working on behalf of the criminals involved in the “Waledac” botnet. 

This blog post spells out what we did:

“The takedown of the Waledac botnet that Microsoft executed this week – known internally as “Operation b49” – was the result of months of investigation and the innovative application of a tried and true legal strategy. One of the 10 largest botnets in the US and a major distributor of spam globally, Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day. In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.”

For the full text of the complaint (including an interesting list of the 273 domain names that have been blocked), check out the actual document: “Microsoft Corporation v. John Does 1-27, et. al.”, Civil action number 1:10CV156

What do you think?  Personally, I think it’s great when we’re able to help track down and hopefully eventually punish these criminals.  Anyone with an e-mail mailbox who gets spam should appreciate that we’ve been able to detect and help stop some of it. 

**Note: Even though you aren’t going to be sending anymore e-mails on behalf of these particular criminals, you may still be infected.  “People running Windows machines also should visit http://www.microsoft.com/security/malwareremove/default.aspx, where they can find Microsoft’s Malicious Software Removal Tool, which removes Waledac. We also recommend that Windows users install and maintain up-to-date anti-virus and anti-spyware programs such as Microsoft Security Essentials and turn on auto updates and firewalls.   For our part, we will continue to work with both our industry partners and government leaders to explore possibilities for reaching out to the owners of compromised computers to advise them of the infection and remove malicious code from their machines.”

5 thoughts on “If you can read this, it wasn’t you!

  1. FULL OF I.T. indeed.
    Waledac is/was a tiny botnet.  At it’s highest capacity, it accounts for less than 1% of spam.  Also, Waledac uses a three-forked process to connect to it’s command servers: by domain name, by IP, and by peer-to-peer proxy.  Although taking down its command domains looks good, it accomplishes almost nothing.
    Nice P.R. though.


  2. Thanks, Andy, for the oh-so constructive comment.  🙂
    1% or .01%.. any little bit helps.  P.R.?  You bet.  I’m okay with that.  I’m happy to know that someone like Microsoft is doing what they can to take these criminals down.  


  3. since i know more about the origin of the botnet and hacker starting at aug 2008, i need to tell you  the new experiences that starte feb 9 – 13 as first phase.  
    i am worstly infected not only all machines, but also spaming using dual band radio packet injection into any phone i get.  eather i or the other person usually hears a blocked void, but when removed, you here the data packet.     1 good thing and 2 bad things about the botnet.    first the good thing is that the interceptions are being removed.   that shows me more of the botnet structure.  the bad news is that i been fixing more computers febuary 2010 then the last 2 years combined.   the signs shows original botnet infections that i got over 2 years ago.   this seems to be a very bad situation.  i figured its set on spread out servers throughout the world that keep eachother in sync.  if you remove, it appears to be reinstalling.
    the other bad news is that the spaming has spread now through the phone system.    since i got my 3rd hub, the logs are sorta shaky, but it seems i still may get over 2000 ips per hour from ping results.  
    details go on.  
    this is what i know that hasnt been said.   the internel lags when first started linked to multiple machines near by connection just by powering on.  
    the main part of the worm is a hardware based backdoor.
    and one thing that is sticking out is DAV   when i tried another program to low level format my drives, it access violationed as usualy, but repeated DAV.   i found an old not saying AXEL.DAV = data interfase.   im trying to figure out what that is and means..
    any help and communications would be appreaciated even though i dont expect any as usual.     responder@deepandcrazy.com
    the main hacker used support.microsoft.com, verision, anonymous phone numbers and ips.  but his ip was my dns ips.  linked to windstream.  
    im sure this is the origin and he set it up to seem like hes one of the victoms..   i can give details and proof.  now his site is anonyous,   http://www.windstream.net  the origin of the pixel error


  4. How about a story on how Microsoft is ultimately responsible for every botnet that exists today? You guys need to quit patting yourselves on the back for "attempting" to extinguish a threat that you created. In addition, why would Microsoft deserve kudos for something it should be doing anyway.
    Just the term "Super Patch Tuesday" says it all. Ridiculous.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s