What Microsoft Learned About Data Security From 'Botnet'
Taking down a botnet, especially one of the biggest, is a daunting task that has to be done in 'layers', and severing the creature's connections to the outside world doesn't get rid of the beast.
Last month, Microsoft helped take down one of the largest "botnets" -- networks of PCs that have been invisibly hijacked and used to spew millions of spam messages and to spread other malware -- in the U.S.
Microsoft (NASDAQ: MSFT) and law enforcement reported their success in late February, after they had seized some 277 Internet domains that were being used by the botnet known as Waledac.
Now, Microsoft associate general counsel Tim Cranton has posted an entry on the company's On the Issues blog pointing to a discussion of lessons learned in the takedown.
"Today, we've released some of the early findings that we and other researchers have made on the impact of Operation b49 [as it is known] ... Highlights include greatly reduced communications within the bot network, a drop-off in new infections and some interesting news about post-takedown spam levels," Cranton said.
That post pointed to a second, much more detailed, post on Microsoft's Malware Protection Center (MMPC) blog.
First, according to the MMPC blog post, Microsoft's Digital Crimes Unit had to attack the botnet in layers.
"That included peer-to-peer communication disruption through technical countermeasures, domain-level takedowns to disrupt the 'phone home' communications between zombie PCs and the command and control servers for Waledac, and traditional server takedowns to sever the back-end command and control mechanisms most directly under the control of the bot master(s)," the MMPC post said.
How well did that work?
"Operation b49 effectively severed between 70,000 and 90,000 computers from this botnet, meaning that those customers are less likely to see rogue security software pop-ups, malware downloads, outgoing spam and ID and password theft associated with the Waledac botnet infection," the post continued.
Research also showed that Waledac has been greatly crippled in its abilities to infect other PCs.
However, just severing the ties between the bots and the so-called bot "herders" is not good enough. Even after they'd been cut off from Waledac, the PCs that had been turned into bots, or zombies, as they're also called, were still infected, and often they were also infected with other, unrelated malware, the research showed.
"What we've learned since the takedown from our initial data is that many of them are likely infected by other malware that may still be directing them to conduct attacks outside of Waledac's control structure."
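The finding above has a practical consequence for defenders: once the command-and-control domains are seized, an infected PC keeps trying to "phone home" to names that no longer answer, and those failed lookups in a resolver's query log point straight at the machines that still need cleaning. The script below is an added illustration of that triage step, not code from Microsoft or from the Waledac operation. The seized-domain names and the BIND-style query log lines are constructed placeholders (the article does not list the 277 seized domains); a real deployment would load the published list.

```python
"""Flag internal hosts that keep resolving seized C2 domains after a takedown.

Added example, not part of the original article. Domain names and log lines
below are constructed placeholders.
"""
import re
from collections import defaultdict

# Hypothetical stand-ins for the seized Waledac domains, which the article
# does not enumerate. Load the real published list in practice.
SEIZED_DOMAINS = {"c2-example-a.invalid", "c2-example-b.invalid"}

# Constructed resolver query log in a simplified BIND-like layout.
SAMPLE_LOG = """\
2010-03-15T10:00:01 client 10.0.0.5 query: www.example.com IN A
2010-03-15T10:00:02 client 10.0.0.7 query: c2-example-a.invalid IN A
2010-03-15T10:05:02 client 10.0.0.7 query: c2-example-a.invalid IN A
2010-03-15T10:10:02 client 10.0.0.7 query: update.c2-example-b.invalid IN A
2010-03-15T10:00:09 client 10.0.0.9 query: mail.example.org IN MX
2010-03-15T10:12:00 client 10.0.0.12 query: C2-Example-B.invalid. IN A
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>\S+) query: (?P<name>\S+) IN (?P<qtype>\S+)$"
)


def normalize_name(name):
    """Lower-case and drop the trailing dot so matching ignores case and FQDN form."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Return (timestamp, client_ip, normalized_qname) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("ip"), normalize_name(m.group("name"))


def matches_seized(qname, seized):
    """True if qname is a seized domain or any subdomain of one."""
    return qname in seized or any(qname.endswith("." + d) for d in seized)


def find_beaconing_hosts(log_text, seized=SEIZED_DOMAINS):
    """Map each client IP that queried a seized domain to a summary of its hits.

    The summary holds the hit count, the distinct names queried, and the first
    and last timestamps, which is what a cleanup ticket needs.
    """
    hits = defaultdict(
        lambda: {"count": 0, "domains": set(), "first": None, "last": None}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped rather than failing the run
        ts, ip, qname = rec
        if not matches_seized(qname, seized):
            continue
        h = hits[ip]
        h["count"] += 1
        h["domains"].add(qname)
        # ISO-8601 timestamps compare correctly as plain strings.
        if h["first"] is None or ts < h["first"]:
            h["first"] = ts
        if h["last"] is None or ts > h["last"]:
            h["last"] = ts
    # Freeze sets into sorted lists so the result is deterministic and printable.
    return {ip: {**h, "domains": sorted(h["domains"])} for ip, h in hits.items()}


if __name__ == "__main__":
    for ip, info in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {info['count']} queries to {info['domains']} "
              f"between {info['first']} and {info['last']}")
```

Matching on subdomains matters because bot code often prepends changing labels to a fixed registered domain; normalizing the trailing dot and case avoids missing queries that a resolver logs in absolute form. Hosts that surface here are exactly the "severed but still infected" machines the research describes, and are the ones to run a removal tool against.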
Microsoft also urged users -- even those who believe their systems are not infected -- to scan their systems with the company's free Malicious Software Removal Tool. For further information, the post also pointed users to its Online Safety site.
"While no one action will wipe out every threat, any strong action to disable a botnet is significant progress and each action will inform the next," the post said.