Spamhaus: Microsoft's botnet cull had little effect
Microsoft's takedown of the Waledac botnet has not been effective, according to some security researchers.
The throttling of Waledac, which Microsoft claimed to have achieved by means of legal action last week, has led to no appreciable reduction of junk mail coming from the botnet, anti-spam organisation Spamhaus told ZDNet UK on Tuesday.
"The amount of spam coming from Waledac [before the takedown] was less than one percent [of all spam], and that hasn't changed much," said Spamhaus chief information officer Richard Cox. "There's been a slight change, nothing major, and we would expect it to be a lot different."
Microsoft said in a blog post on 24 February that it had "quickly and effectively cut off traffic" to the Waledac botnet by gaining a temporary restraining order against internet registry VeriSign. The order compelled VeriSign to cut off 273 domains believed to act as communications conduits between command-and-control servers and compromised computers.
The software maker said that Waledac had been a major source of junk mail and that it had sent 651 million scam and spam emails to Hotmail accounts in December 2009 alone. However, Cox said that compared with other spam botnets such as Zeus, Waledac accounted for a very small amount of global spam volumes.
"I've been chatting to colleagues, and we don't understand why Microsoft took these measures [against Waledac]," said Cox. "There are other botnets, for example Zeus, that do immense harm fraud-wise."
Computer security company Sophos agreed that it had seen no appreciable difference in the amount of spam coming from Waledac after Microsoft's action.
"We can't see a direct correlation between [Microsoft's] takedown efforts and a reduction in spam from Waledac," said Fraser Howard, a principal researcher at Sophos Labs.
In addition, there has been no noticeable reduction in spam volumes overall, according to Howard.
"If the botnet contributed significantly to spam, we would have expected to see a sharp step down in spam volumes," said Howard. "There is no distinct difference between before and after the takedown."
Howard said that Waledac was used mainly to distribute spam and malware, and that Microsoft was attempting to kill the Waledac malware family and capability. However, the command and control of the botnet can also be performed via peer-to-peer, he said, and does not only rely on the domains that have been taken down.
"As Waledac has peer-to-peer it's a lot more resilient to takedown efforts," said Howard. "How much impact the Waledac takedown will have on global malware volume will almost certainly be negligible."
However, not all security researchers expressed the view that Microsoft's Waledac takedown efforts had been ineffective. Security company F-Secure said on Wednesday it had seen a drop in spam coming from Waledac zombies, and a decrease in the number of binary samples from Waledac-related messages.
"Microsoft might have decapitated [Waledac], it should be interesting to watch," said F-Secure researcher Sean Sullivan.
Sullivan said the ability of the botnet to spread malware may have been severely inhibited by Microsoft's action. From 8 February to 21 February, F-Secure detected 58,913 instances of Waledac malware attempting to circumvent F-Secure security software. After the takedown, from the 22 February until 3 March, F-Secure detected 1,113 instances.
Despite this respite in Waledac attacks, Sullivan said F-Secure would not be surprised to see the botnet come back. The zombie computers that make up the botnet are still compromised, said Sullivan, and the anonymous criminals that control the compromised machines still know where those zombies are located.
Microsoft did not respond to a request for comment.