SOCIAL, ECONOMIC, POLITICAL, AND IT ALIGNMENT
Deactivating botnets to create a safer, more trusted Internet
Botnets are networks of compromised computers that are controlled remotely and surreptitiously by one or more cyber criminals. Botnets are attractive to these individuals for two reasons: they are easy to hide behind, and they make a lot of money for the botnet controller, or bot-herder.
By harnessing the processing power, storage, and bandwidth of personal and business computers, bot-herders can generate vast amounts of spam, launch attacks against large websites, commit online advertising fraud, and more. Tracing the origin of an attack only leads back to the hijacked computer of an innocent user, where the trail ends.
The impact of botnets is huge. According to Microsoft's Security Intelligence Report volume 9:
- Microsoft cleaned more than 6.5 million computers of botnet infections in 2Q 2010—double the number for the same period a year before.
- The U.S. had the most botnet infections (2.2 million botnet infections in the second half of 2010), far ahead of Brazil, which had the second greatest number of infections (550,000). Spain had the most infections in Europe (382,000 botnet infections) followed by France, the U.K., and Germany.
- Korea was found to have the highest rate of botnet infection (14.6 bot computers cleaned per thousand); followed by Spain (12.4 bot computers cleaned per thousand); and Mexico (11.4 bot computers cleaned per thousand).
Microsoft has been leading an effort against the botnet threat for the past six years through public and private partnerships with industry, academia, government, and law enforcement around the world. Since 2009, Microsoft has hosted the annual Digital Crimes Consortium, which brings together worldwide law enforcement agencies, government, and academic and industry experts to discuss the latest trends and research in the fight against botnets and other cybercrime.
On September 7, 2010, Microsoft announced that its legal action to permanently shut down a major botnet known as Waledac was successful, and since the company first took action against Waledac in February 2010, communications within the botnet have remained dead and Microsoft has not seen any new Waledac infections.
Prior to the takedown, Microsoft estimated that Waledac infected hundreds of thousands of computers around the world and had the capacity to send more than 1.5 billion spam email messages per day. Microsoft also found that between December 3 and December 21, 2009, Waledac was responsible for approximately 651 million spam email messages directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks, and more.
This successful legal and industry operation against Waledac is the first of its kind, and the collaborative approach has paved the way for future takedowns in cases where criminals are abusing anonymity to victimize computer users around the world. In taking down Waledac, Microsoft also gained more visibility into the workings and footprint of the Waledac botnet, enabling the company to begin working with CERTs and ISPs to help infected customers remove the Waledac malware from their machines. Microsoft created the Virus and Security Solution Center to help people understand the threat of botnets and clean the malware from their computers.
The Waledac takedown is the first undertaking in a larger Microsoft-led initiative called Project Microsoft Active Response for Security (MARS), which is a joint effort between the Microsoft Digital Crimes Unit, the Microsoft Malware Protection Center (MMPC), Microsoft Support, and the Trustworthy Computing team to annihilate botnets and help make the Internet safer for everyone. Microsoft believes the Waledac takedown will be the first of many successful endeavors for Project MARS and is already working to apply the lessons learned from this operation to future initiatives.