2/25/2010
02:23 PM
Microsoft Decapitates Waledac Botnet

A major source of spam and malware has been cut off from its controllers.

[Figure: Waledac Infections]

The Waledac botnet, one of the ten largest networks of compromised computers and a major source of spam and malware, has been dealt a potentially crippling blow by Microsoft.

The world's largest software company on Thursday said that it was granted permission by a Virginia court to go over the heads of the Internet service providers hosting Web domains affiliated with Waledac and pull the plug at the domain registry level, through VeriSign.

"Microsoft filed a complaint with the US District Court of Eastern Virginia, which issued the temporary restraining order this week directing VeriSign -- the registry operator for all .com domains -- to sever the domains in question," said Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit, in an e-mailed statement. "VeriSign, in compliance with the TRO, severed those domains within hours of the order, effectively decapitating the botnet."

As a result of what Microsoft has dubbed "Operation b49," some 277 Internet domains that provided command and control capabilities to Waledac have been taken offline. Because Waledac has a peer-to-peer communication component, Microsoft has also been deploying additional technical countermeasures to cut off botnet communication.

In a three-week period in December, Microsoft identified some 651 million spam messages directed at Hotmail alone by the Waledac botnet. The company estimates that the botnet, prior to the takedown, was sending 1.5 billion spam messages per day.

"Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent," said Microsoft associate general counsel Tim Cranton in a blog post.

However, Cranton notes that the takedown will not do anything to disinfect compromised computers.

Although Microsoft says that this is the first time registry-level action has been used to shut down a botnet, Bret Fausett, a Los Angeles-based attorney at Adorno & Yoss, observes that registry-level enforcement is relatively common in cases such as trademark disputes, when the ISP hosting an infringing site is located outside the U.S. "Using the registry as a point of control for domain names is actually fairly common," he said.

Such tactics, however, may amplify international objections to U.S. control of the Internet domain name system. "I think one of the reasons that this practice flies a little bit under the radar is because of those Internet governance concerns," he said. "What it basically says about .com...is that those domains are ultimately subject to control by a U.S. court."

Karl Auerbach, CTO at InterWorking Labs, Inc. and a former board member of ICANN, said in an e-mail that he believed the effort to combat the Conficker worm involved registry-level intervention and said there are some aspects of this approach that prompt concern.

"While it makes sense to me to use the domain name registration as a way to redress abusive activities on the net, I do have concern about the standards that are used to justify such actions, the constraints on such actions including their duration, and measures to limit collateral damage," he said.

As an example, he said that he'd had some machines at a co-location facility that had its whole range of IP addresses blacklisted due to the activities of spammers using proximate IP addresses.

The fact that these takedowns happen without notice, Auerbach says, makes him wonder about the standards for such actions and the remedies if a mistake is made. "For example, is the initiating party and registry required to put up a bond just in case their actions ultimately prove unjustified or caused harm to innocent third parties?" he asks.

Update: Added comment from Karl Auerbach.
