Microsoft claims Waledec botnet scalp

Microsoft has won a court action that it says will enable it to take down the Waledac botnet, a large network of compromised computers believed capable of sending 1.5 billion spam emails per day.

The company said in a blog post on Wednesday that a court in Virginia had ordered a temporary restraining order to cut off over 270 domains believed to control the zombie computers' ability to communicate with command-and-control servers for the botnet.

"The takedown of the Waledac botnet that Microsoft executed this week — known internally as 'Operation b49' — was the result of months of investigation and the innovative application of a tried and true legal strategy," said Microsoft associate general counsel Tim Cranton in the blog.

The botnet is a key source of spam worldwide, and it sent 651 million scam and spam emails to Hotmail accounts in December 2009 alone, Microsoft said. Hundreds of thousands of computers worldwide have been infected and enlisted to the botnet, it added.

The action was brought in the US District Court of Eastern Virginia, and the injunction was granted on 22 February. According to court documents, the number of alleged malicious domains was 273, while the internet registry for all of the suspected domains was VeriSign, which has an office in Dulles, Virginia.

VeriSign said it was working with Microsoft and the court to resolve the botnet issue.

The legal action has cut off traffic at the domain registry level, severing the connection between the command-and-control servers and the infected computers, according to Microsoft.

Storm successor
The Waledec botnet, which security company Symantec has said is the successor to the Storm botnet, has not been taken out of action completely, Microsoft said.

In addition to centralised command-and-control domains, the botnet uses decentralised peer-to-peer command-and-control servers. The latter rely on a technique known as 'fast flux' to enable any of the infected computers to become a command-and-control server or to spread malware.

Microsoft said it was "taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command-and-control communication within the botnet".

Symantec, which gave evidence in the case, said it had provided information to the court about what a botnet is, and how Waledac functions.

"Botnets present a threat that can and should be addressed beyond just technological solutions," said Symantec in a statement. "If the opportunity presents itself to stop the spread of botnets at their source, Symantec will offer its co-operation when appropriate in order to further protect our customers and the public at large from such cyberattacks."

The Microsoft action was initiated as part of the Botnet Task Force, a collaborative project between the public and private sectors that Microsoft helped to set up.

Richard Cox, chief information officer of the Spamhaus project, said that while tackling botnets at the domain level can be effective, there is nothing to stop botnet organisers from using registries outside US or European jurisdictions.

"It's good to take down command-and-control sites hosted in the US," the spam expert said on Thursday. "But the people behind the botnet are likely to have standby sites in places where the courts' jurisdiction will not reach."

For example, the Russian government historically has taken no action against so-called 'bulletproof hosting' sites run by organisations such as the Russian Business Network, according to Cox.

Cox added that, while Microsoft taking action against third parties was a positive move, some members of the security community believe large companies are part of the cybercrime problem.

"Some of us regard companies like Microsoft as key parts of the problem due to their failure to deal with the parts of their own networks that are used for crime," said Cox. "Microsoft Live is used quite extensively for malware redirection, Microsoft email is used extensively for spam fraud."