Another Bot Bites the Dust?
Remember Microsoft's action against 277 Waledac domains last week? Well, that's one way of going after a botnet…
Another way of shutting down a botnet? Arrest the botmasters!
Three Spanish citizens have been arrested for running the "Mariposa" botnet. The three reportedly have no criminal records and have limited hacking skills. Mariposa is a Butterfly Kit based botnet, and the kit is no longer for sale.
Waledac Ate Curb?
A recently reworded post on Microsoft's attempt to pursue malware distribution in the courts makes it appear that something permanent and substantial has happened in anti-malware efforts (demonstrated by a legal and collaborative effort called "Operation b49" to take down Waledac C&C domains). Because of the complications (legal and otherwise) delaying server and domain takedowns, it's great to see this botnet's well-known command and control server domains
R.I.P. Waledac?
Microsoft took a stab at Waledac bots last April when they added detection to their Malicious Software Removal Tool (MSRT).
The MSRT is part of their monthly Microsoft Updates package.
Past the Second Half of 2009
Just before we pop corks at the arrival of 2010 and the passing of 2009, let’s take a quick look at the second half of 2009.
PCTools and Virus Bulletin 2009
This year's annual Virus Bulletin 2009 is being held in Geneva, Switzerland. The presentations are very interesting, with topics covering Waledac, Koobface, botnets, and other malware families that ThreatFire protects users against every day.
PC Tools at Virus Bulletin 2009
One of the most enjoyable and informative annual anti-malware conferences is being held in Geneva, Switzerland this year. The upcoming Virus Bulletin 2009 will bring presentations over three days on two tracks, business and technical, taking place 23-25 September 2009. Online registration is available on the site.
Waledac birdie_a.exe, birdie_b.exe, corvus_b.exe, william_a.exe Mixed in with FakeAv Download Scheme
We may be seeing the stirrings of yet another Waledac distribution. Servers at 95.211.8.215 and 95.211.8.161 have been serving up a number of unusually named files since the 20th that appear to retain not only the common Waledac unpacking stub, but also the classic characteristics of the Waledac trojan/worm: the email/spam engine, the AES-encrypted, bzip2-compressed P2P peer listing, DDoS capabilities, HTTP C&C contact, an email harvester, and credential-stealing functionality.
Bredolab Armored Attachments
Over the past three days, ThreatFire users were being targeted by a higher number of Bredolab downloaders. Bredolab is a nasty, morphing little downloader being spammed out in droves mostly to users in the U.S. and Europe. While it seemed to have been a short term experiment at first, the blasts are continuing throughout the year.
Tertwit? or Twitter Tweet Links Redirect to Koobface
koob-Face or ter-Twit? The ongoing abuse of twitter feeds by malware distributors continues to net more social networking victims. As always, be wary of any executable you are prompted to download and execute. Currently, evil tweets for "My home video :)" or "cool video! WOW!" redirect to a set of spoofed social network pages. The malicious pages present visiting users with a prompt for a plugin install, "Flash player upgrade required". An example here:
Shameless SEO Based on Jakarta Bombing Incident
John Bambenek over at the Handler's diary posted on this morning's shameless SEO attempts to redirect news seekers to exploit pages. The end result on a successfully compromised system is a download of FakeAv (or "scareware"). Currently, its name is presented as "Personal Antivirus":
