Cisco Blogs

Microsoft’s Active Response Leads to Permanent Gains Against Waledac

September 16, 2010 - 0 Comments

A few weeks back, I wrote a review of recent security industry reports, including one from McAfee that promoted Offensive Security. In it, I mentioned a reluctance to adopt a sweeping usage of the term “offensive” in describing security postures, using it only where it is appropriate. Further, I mentioned that:

“[I]n addition to choosing terminology carefully, organizations may not necessarily need to head down the road of advanced techniques if they are still struggling to get a handle on the basics.”

Microsoft’s recent success with active response (a much better term, in my opinion) further emphasized my point. What they accomplished with the Waledac takeover required fairly significant resources, determination, and expertise — and it was definitely collaborative. It will be interesting to see where these efforts go in the future.

Microsoft’s First Steps, and Recent Success

Back in February, Microsoft sought a temporary restraining order to take control over 277 domains that comprised the Waledac botnet’s command-and-control infrastructure. Of those domains, the owner of only one of them responded to the court and showed that their systems had been compromised to host Waledac’s command-and-control. The other 276 received no formal defense in court, but did see other defensive measures taken.

Microsoft did notice, however, that the botnet’s controllers were aware of the case and were taking steps to attack the law firm that filed the suit, as well as researchers. Gathering evidence of these actions was a crucial part of later proving to the court that the temporary restraining order should be expanded into permanent removal of the domains from the hands of the botnet’s controllers. Because Microsoft could show that the controllers of these domains were not oblivious to the suit, they were able to make the argument that instead of defending themselves in court, they were taking other actions to retaliate. Following a September ruling by the court, the owners of the remaining domains will have 14 days to appear in court or else forfeit their control by default judgment.

Limitations and Future Work

As a first effort, especially noting the significant and direct drop off of Waledac activity, this has been quite a success. Future success will likely require continued support from various agencies and organizations that can provide information that a single organization may not easily have access to. Also, legal jurisdiction was not a problem in this case, as Waledac’s domains were in the .com space. But if a future effort must cross various jurisdictions, this could become much more complicated. If an effort cannot be tightly coordinated, it might provide room for a botnet to adjust and realign itself.

Organizations should not necessarily feel a need to stand up their own active response efforts, unless they have a strong foundation of security practices already in place. But if as a part of maturing their own security efforts beyond the basics, they can take steps to be more helpful and collaborative with organizations that are spearheading these kinds of efforts, and they may find themselves welcomed by those in the security industry that are moving down the road of active response. Criminals have shown themselves to be very flexible and capable in their use of technology. These efforts seem to be a necessary next step to regain lost ground, and collaboration is key to their success.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.