Microsoft Decapitates Waledac Botnet - InformationWeek


02:23 PM

Microsoft Decapitates Waledac Botnet

A major source of spam and malware has been cut off from its controllers.

[Image: Waledac Infections]
The Waledac botnet, one of the ten largest networks of compromised computers and a major source of spam and malware, has been dealt a potentially crippling blow by Microsoft.

The world's largest software company on Thursday said that it was granted permission by a Virginia court to go over the heads of the Internet service providers hosting Web domains affiliated with Waledac and pull the plug at the domain registry level, through VeriSign.

"Microsoft filed a complaint with the US District Court of Eastern Virginia, which issued the temporary restraining order this week directing VeriSign -- the registry operator for all .com domains -- to sever the domains in question," said Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit, in an e-mailed statement. "VeriSign, in compliance with the TRO, severed those domains within hours of the order, effectively decapitating the botnet."

As a result of what Microsoft has dubbed "Operation b49," some 277 Internet domains that provided command and control capabilities to Waledac have been taken offline. Because Waledac has a peer-to-peer communication component, Microsoft has also been deploying additional technical countermeasures to cut off botnet communication.
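To make the difference between the two takedown points concrete, here is an added illustration, not code from the article, Microsoft or VeriSign: it models an iterative DNS lookup over a constructed registry zone and two hoster-side authoritative servers, severs the C2 names first at a hoster and then at the registry, and keeps a cached peer list per bot to show why the peer-to-peer component needs separate countermeasures. The domain names, server names and IP addresses are assumptions made up for the example.

```python
# Added illustration for this article: a toy model of the two places a
# botnet's C2 domains can be cut off. Not Microsoft's or VeriSign's
# tooling; every name, server and IP address below is constructed.
from copy import deepcopy

# The registry-operated zone (.com): name -> name servers it delegates to.
REGISTRY = {
    "c2-alpha.com.": ["ns1.hoster-us.net."],
    "c2-beta.com.": ["ns1.hoster-abroad.net."],    # hoster outside U.S. reach
    "innocent-shop.com.": ["ns1.hoster-us.net."],  # shares a hoster with C2
}

# Each hoster's authoritative server: the address records it actually serves.
AUTHORITATIVE = {
    "ns1.hoster-us.net.": {
        "c2-alpha.com.": "198.51.100.10",
        "innocent-shop.com.": "198.51.100.20",
    },
    "ns1.hoster-abroad.net.": {
        "c2-beta.com.": "203.0.113.10",
    },
}

C2_DOMAINS = ["c2-alpha.com.", "c2-beta.com."]


def resolve(name, registry, authoritative):
    """Iterative lookup: ask the registry for the delegation, then the
    delegated server for the address. Returns the IP, or None when the
    name is gone at the registry or the delegated server no longer serves it."""
    for ns in registry.get(name, []):
        records = authoritative.get(ns, {})
        if name in records:
            return records[name]
    return None


def hoster_takedown(registry, authoritative, ns):
    """ISP/hoster-level action: one hoster pulls the zone data it serves.
    Domains hosted elsewhere are untouched, and every domain at that hoster
    stops resolving, including ones that were not targeted."""
    auth = deepcopy(authoritative)
    auth.pop(ns, None)
    return registry, auth


def registry_takedown(registry, authoritative, names):
    """Registry-level action, as in the TRO: the delegations for the listed
    names are severed in the registry's own zone. Where the hoster sits is
    irrelevant, and only the named domains are affected."""
    reg = {n: ns for n, ns in registry.items() if n not in names}
    return reg, authoritative


def controllers_reachable(domains, registry, authoritative, peer_cache, live_peers):
    """Channels a bot with a cached peer list can still use after a takedown:
    C2 domains that still resolve, plus cached peers that are still online.
    The second list is why a DNS-only takedown does not silence a P2P botnet."""
    via_dns = [d for d in domains if resolve(d, registry, authoritative) is not None]
    via_p2p = [p for p in peer_cache if p in live_peers]
    return via_dns, via_p2p


if __name__ == "__main__":
    reg, auth = hoster_takedown(REGISTRY, AUTHORITATIVE, "ns1.hoster-us.net.")
    print("hoster takedown:  ", {d: resolve(d, reg, auth) for d in REGISTRY})
    reg, auth = registry_takedown(REGISTRY, AUTHORITATIVE, C2_DOMAINS)
    print("registry takedown:", {d: resolve(d, reg, auth) for d in REGISTRY})
    print("still reachable:  ", controllers_reachable(
        C2_DOMAINS, reg, auth, ["192.0.2.7", "192.0.2.9"], {"192.0.2.9"}))
```

The model shows the three properties the article's sources touch on: the registry sits upstream of every hoster, so severing a delegation there reaches a domain whose hoster is outside U.S. jurisdiction; it is per-name, so a neighbour at the same hoster keeps resolving; and it does nothing to a bot that already holds working peer addresses. When checking a real takedown, query the TLD servers directly rather than a recursive resolver whose cache may still hold the old delegation, for example `dig +norecurse @a.gtld-servers.net <domain> NS` for a .com name.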

In a three week period in December, Microsoft identified some 651 million spam messages directed at Hotmail alone by the Waledac botnet. The company estimates that the botnet, prior to the takedown, was sending 1.5 billion spam messages per day.

"Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent," said Microsoft associate general counsel Tim Cranton in a blog post.

However, Cranton notes that the takedown will not do anything to disinfect compromised computers.

Although Microsoft says that this is the first time registry-level action has been used to shut down a botnet, Bret Fausett, a Los Angeles-based attorney at Adorno & Yoss, observes that registry-level enforcement is relatively common in cases such as trademark disputes, when the ISP hosting an infringing site is located outside the U.S. "Using the registry as a point of control for domain names is actually fairly common," he said.

Such tactics, however, may amplify international objections to U.S. control of the Internet domain name system. "I think one of the reasons that this practice flies a little bit under the radar is because of those Internet governance concerns," he said. "What it basically says is that those domains are ultimately subject to control by a U.S. court."

Karl Auerbach, CTO at InterWorking Labs, Inc. and a former board member of ICANN, said in an e-mail that he believed the effort to combat the Conficker worm involved registry-level intervention and said there are some aspects of this approach that prompt concern.

"While it makes sense to me to use the domain name registration as a way to redress abusive activities on the net, I do have concern about the standards that are used to justify such actions, the constraints on such actions including their duration, and measures to limit collateral damage," he said.

As an example, he said that he had had some machines at a co-location facility whose whole range of IP addresses was blacklisted because of the activities of spammers using nearby IP addresses.

The fact that these takedowns happen without notice, Auerbach says, makes him wonder about the standards for such actions and the remedies if a mistake is made. "For example, is the initiating party and registry required to put up a bond just in case their actions ultimately prove unjustified or caused harm to innocent third parties?" he asks.

Update: Added comment from Karl Auerbach.
