Microsoft has taken down 277 internet domains that it believed was being used to run the Waledac botnet.
In what it called ‘Operation b49' that was the ‘result of months of investigation and the innovative application of a tried and true legal strategy', according to Microsoft's associate general counsel Tim Cranton, a federal judge granted a temporary restraining order that quickly and effectively cut off traffic to Waledac at the ‘.com' or domain registry level.
Cranton said: “Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet.
“Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent. But the operation hasn't cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused. Although the zombies are now largely out of the bot-herders' control, they are still infected with the original malware.”
He also commented that the legal and industry operation against Waledac was the first of its kind, but it will not be the last.
He said: “With this action, done in cooperation with experts from Shadowserver, the University of Washington, Symantec, University of Mannheim, Technical University in Vienna, International Secure Systems Lab, the University of Bonn and others, we are building on other important work across the global security community to combat botnets.”
Charlie Abrahams, VP and general manager of EMEA at MarkMonitor, commented that while a remarkable operation, this sort of effort was nothing original.
He said: “We do thousands of sites every year and there are different ways of doing it. For taking down a phishing site, we can take it down in a few hours without a court order just by ringing the ISP and providing evidence that they are hosting a phishing site and it is normally offline immediately.
“In this case they have gone to the registree – VeriSign – and had them take it offline, which is more proficient but does require more paperwork.”
Paul Judge, chief research officer and vice president of Barracuda Networks, said: “Barracuda applauds Microsoft's efforts in being more proactive against internet threats, in this case specifically Waledac. We believe strongly that solving the problems of internet security requires a blend of technology solutions, the legal system, and user education.
“We have seen the effect of using the legal system to introduce a deterrent by suing and prosecuting spammers and other attackers. It is great to see this novel use of the legal system to help directly shut down an attack platform.
“While this effort alone will not totally eradicate botnets or even Waledac, it is a positive step for the good guys. The security community should continue to explore novel approaches to be more proactive against our increasingly motivated and skilled adversaries.”