Microsoft Wins Botnet Battle in Court

Microsoft is using the law as a weapon to take down the Waledac botnet.

According to the company, a federal judge in Virginia issued a temporary restraining order Feb. 22 to cut off 277 Internet domains associated with Waledac in response to a complaint filed by Microsoft.

The legal maneuver was the culmination of months of investigation performed with cooperation from Symantec, Shadowserver Foundation, the University of Washington and others as part of an effort dubbed "Operation b49." As one of the biggest botnets on the Web, Waledac is believed to be capable of blasting out more than 1.5 billion spam messages a day. According to Microsoft, a recent analysis found the botnet sent roughly 651 million spam e-mails to Hotmail accounts alone between December 3-21, 2009.

“This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world,” blogged Tim Cranton, Microsoft’s associate general counsel. “Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet.”

Microsoft has taken security-related issues to court before. The company filed five lawsuits against companies last year in a bid to address malicious online advertising. But just how effective this move will be is open to debate. In response to the massive amounts of malware and spam pushed out by botnets, security pros have begun recently to pursue more outside-the-box techniques for fighting back, such as taking down rogue ISPs instead of simply relying on antivirus. However, such tactics have only proven to have short-term impacts.

“Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent,” Cranton wrote. “But the operation hasn’t cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused. Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware.”

But even if it is only a partial fix, it's still a helpful one, Gartner analyst John Pescatore said.

"It’s only as effective as yanking dandelions – gets rid of the immediate problem but the weeds spring right back up," he told eWEEK. "But, I do think more of this is needed. When legitimate domains are hosting malware, they should be shut down to drive them to invest in making their Websites less vulnerable. When domains are started up just to host malware, they should be shut down as quickly as possible."

"Bottom line: you have to pull dandelions all the time, but it's also good to kill the roots," he said.