The Tech Herald

Microsoft takes legal action to cripple Waledac botnet

by Steve Ragan - Feb 25 2010, 20:45

Operation b49, the internal name for the legal action behind Microsoft’s takedown of the Waledac botnet, was successfully executed this week after months of investigation and legal strategy. While this move hits one of the ten largest botnets hard, it hasn’t killed it completely. So the question is: what happens next?

On Monday, a federal judge in the U.S. District Court of Eastern Virginia granted a temporary restraining order, cutting off 277 Internet domains linked to Waledac. The restraining order is the result of a complaint filed by Microsoft, which singled out the domains registered by seemingly fictitious people in China.

The domains, mostly related to greeting cards, Christmas themes, and review or dating topics, are all under the .com TLD, and the court’s order helped Microsoft throttle them in partnership with VeriSign. At the same time, the efforts to kill Waledac completely are ongoing.

“Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet,” said Microsoft’s Tim Cranton in a statement.

After three days, the majority of the Waledac connections between the infected hosts and the C&C servers are broken. At one point, Microsoft said, Waledac was responsible for over 651 million junk email messages hitting its Hotmail network between December 3 and 21, 2009. Microsoft and other security firms placed the total reach of Waledac at about 1.5 billion emails a day.

“This legal and industry operation against Waledac is the first of its kind, but it won’t be the last,” Cranton said.

However, while communications at the .com level are cut off, other domains remain, and the host computers themselves are still infected with the Waledac malware. That alone is turning a triumph into an arms race, with millions of systems up for grabs.

In the past, similar operations have led to a collapse in a botnet’s activity, but only for a short time; the McColo shutdown is a good example. The question is whether Microsoft can sever the rest of Waledac’s communications before the people running it regroup. Time will tell on that front.
