Microsoft announced that through legal action and technical cooperation with industry partners, they have executed a major botnet takedown of Waledac, a large and well-known "spambot."
Botnets - networks of compromised computers controlled by hackers known as "bot-herders" - have become a serious problem in cyberspace. Their proliferation has led some to worry that the botnet problem is unsolvable. Under the control of a hacker or group of hackers, botnets are often used to conduct various attacks ranging from denial of service attacks on websites, to spamming, click fraud, and distribution of new forms of malicious software.
As a founding member of the Botnet Task Force - a government in the fight against bots - Microsoft is getting even more creative and aggressive in the fight against botnets and all forms of cybercrime.
Microsoft said it got clearance from a US judge to virtually sever the cyber criminals' command computers from hundreds of thousands of machines worldwide infected with a Waledac virus.
The takedown of the Waledac botnet that Microsoft executed this week - known internally as "Operation b49" - was the result of months of investigation and the application of a legal strategy, Microsoft said.
One of the 10 largest botnets in the US and a major distributor of spam globally, Waledac is estimated to have infected hundreds of thousands of computers around the world and, prior to this action, was believed to have the capacity to send over 1.5 billion spam emails per day. In a recent analysis, Microsoft found that between December 3 and 21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.
On February 22, in response to a complaint filed by Microsoft in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be operated by criminals as part of the Waledac bot.
Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, Microsoft said. "But the operation hasn't cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused. Although the zombies are now largely out of the bot-herders' control, they are still infected with the original malware," said Tim Cranton, Microsoft Associate General Counsel.
This action has effectively cut off traffic to Waledac at the ".com" or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world. Microsoft said that it had since been taking additional technical countermeasures to degrade much of the remaining peer-to-peer command and control communication within the botnet. The company added that it would continue to work with the security community to mitigate and respond to this botnet.
Cranton advised users to follow the "protect your PC" guidance available at http://www.microsoft.com/protect, in order to make sure they are not infected by this or other botnets.
"This legal and industry operation against Waledac is the first of its kind, but it won't be the last," Cranton added. "With this action, done in cooperation with experts from Shadowserver, the University of Washington, Symantec, University of Mannheim, Technical University in Vienna, International Secure Systems Lab, the University of Bonn and others, we're building on other important work across the global security community to combat botnets," he said.