Microsoft Decapitates Waledac Botnet - InformationWeek

News
2/25/2010 02:23 PM

Microsoft Decapitates Waledac Botnet

A major source of spam and malware has been cut off from its controllers.

[Figure: Waledac Infections]
The Waledac botnet, one of the ten largest networks of compromised computers and a major source of spam and malware, has been dealt a potentially crippling blow by Microsoft.

The world's largest software company on Thursday said that it was granted permission by a Virginia court to go over the heads of the Internet service providers hosting Web domains affiliated with Waledac and pull the plug at the domain registry level, through VeriSign.

"Microsoft filed a complaint with the US District Court of Eastern Virginia, which issued the temporary restraining order this week directing VeriSign -- the registry operator for all .com domains -- to sever the domains in question," said Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit, in an e-mailed statement. "VeriSign, in compliance with the TRO, severed those domains within hours of the order, effectively decapitating the botnet."

As a result of what Microsoft has dubbed "Operation b49," some 277 Internet domains that provided command and control capabilities to Waledac have been taken offline. Because Waledac has a peer-to-peer communication component, Microsoft has also been deploying additional technical countermeasures to cut off botnet communication.

In a three-week period in December, Microsoft identified some 651 million spam messages directed at Hotmail alone by the Waledac botnet. The company estimates that, prior to the takedown, the botnet was sending 1.5 billion spam messages per day.

"Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent," said Microsoft associate general counsel Tim Cranton in a blog post.

However, Cranton notes that the takedown will not do anything to disinfect compromised computers.

Although Microsoft says that this is the first time registry-level action has been used to shut down a botnet, Bret Fausett, a Los Angeles-based attorney at Adorno & Yoss, observes that registry-level enforcement is relatively common in cases such as trademark disputes, when the ISP hosting an infringing site is located outside the U.S. "Using the registry as a point of control for domain names is actually fairly common," he said.

Such tactics, however, may amplify international objections to U.S. control of the Internet domain name system. "I think one of the reasons that this practice flies a little bit under the radar is because of those Internet governance concerns," he said. "What it basically says about .com...is that those domains are ultimately subject to control by a U.S. court."

Karl Auerbach, CTO at InterWorking Labs, Inc. and a former board member of ICANN, said in an e-mail that he believed the effort to combat the Conficker worm involved registry-level intervention and said there are some aspects of this approach that prompt concern.

"While it makes sense to me to use the domain name registration as a way to redress abusive activities on the net, I do have concern about the standards that are used to justify such actions, the constraints on such actions including their duration, and measures to limit collateral damage," he said.

As an example, he said that he had once had machines at a co-location facility whose entire range of IP addresses was blacklisted because of the activities of spammers using nearby IP addresses.

The fact that these takedowns happen without notice, Auerbach says, makes him wonder about the standards for such actions and the remedies if a mistake is made. "For example, is the initiating party and registry required to put up a bond just in case their actions ultimately prove unjustified or caused harm to innocent third parties?" he asks.

Update: Added comment from Karl Auerbach.
