Microsoft takes down the Waledac botnet

Friday 26 February 2010 | By Heidi Scott, Gosh! Media Copywriter

Tags: Internet, Microsoft, Privacy, Security

US software giant Microsoft has won the latest battle in the global war on botnets - the networks of compromised PCs that are controlled remotely by criminals - by gaining a court order to close down the domains used for the 'command and control' (C&C) of the huge Waledac botnet.

The operation of networks of thousands of infected computers by 'bot-herders' (hackers), usually without the PC users even being aware, has become an incredibly serious problem for the Internet. Under the control of criminal gangs, botnets are used to conduct a variety of cyber-attacks ranging from denial-of-service attacks on websites to spamming, click fraud and the spread of new kinds of malware (malicious software).

Microsoft is a founding member of the Botnet Task Force, a public-private partnership to combine industry and government efforts in the fight against botnets. The corporation recently launched 'Operation b49' against Waledac, working in co-operation with experts from Shadowserver, University of Washington, Symantec, University of Mannheim, Technical University in Vienna, International Secure Systems Lab and University of Bonn. On Monday of this week, Microsoft managed to get a US district court order, through a civil action, to cut off 277 Internet domains used for C&C of Waledac.

In a post on the Official Microsoft Blog yesterday, Tim Cranton (Associate General Counsel) writes:

"One of the 10 largest botnets in the US and a major distributor of spam globally, Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day. In a recent analysis, Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more."

This legal action has cut off traffic to Waledac, severing the connection between the botnet's C&C and most of its thousands of 'zombie' PCs around the globe. Microsoft says that it has since taken further action to downgrade the remaining peer-to-peer C&C communication within Waledac, and will continue to fight it.

Although Microsoft's countermeasures have been effective, the company admits that - even for just this one of thousands of botnets - the battle is not over. Cranton warns that the operation is "not a silver bullet" for undoing the havoc caused by Waledac. "Although the zombies are now largely out of the bot-herders' control, they are still infected with the original malware," he says, advising users to follow the 'protect your PC' guidance available at http://www.microsoft.com/protect. Unless the users of the infected PCs run anti-malware programs, their machines could easily be reabsorbed into Waledac or a similar botnet.

Many technology pundits believe that more could and should be done to remove botnets. Some point the finger of blame at Internet service providers, arguing that they could block access to the Internet for infected PCs until their owners have removed the malware. The danger is that such broad-brush actions would inevitably affect some legitimate users.
