Microsoft's takedown of 277 websites that hosted the Waledac botnet has severed almost 100,000 computers from the network.
The shutdown of the websites last month, in what Microsoft called ‘Operation b49’, followed a federal judge granting a temporary restraining order that cut off traffic to Waledac at the ‘.com’, or domain registry, level.
Jeff Williams, director of the malware protection centre at Microsoft, said that this served as a new phase of exploration in combating botnets, which it calls Project MARS (short for Microsoft Active Response for Security). He said that the company is still analysing and investigating the impact of this action, but early data from Microsoft and other researchers indicate that the actions have ‘effectively decimated communications within the Waledac bot network’.
He claimed: “Operation b49 effectively severed between 70,000 and 90,000 computers from this botnet, meaning that those customers are less likely to see rogue security software pop-ups, malware downloads, outgoing spam and ID and password theft associated with the Waledac botnet infection.”
Describing the operation, Williams said: “To effectively counter a botnet like Waledac, we knew a multi-layered approach was needed – one that included peer-to-peer communication disruption through technical countermeasures, domain-level takedowns to disrupt the ‘phone home’ communications between zombie PCs and the command and control servers for Waledac, and traditional server takedowns to sever the back-end command and control mechanisms most directly under the control of the bot master(s).”
He also claimed that Operation b49 was never intended ‘to appreciably shrink worldwide spam volumes’; the goal was instead to disrupt the bot and to learn from that disruption for future actions.
He said: “As we knew going in, the computers within the Waledac botnet are still infected with the original malware that gave herders control of them in the first place. What we've learned since the takedown from our initial data is that many of them are likely infected by other malware that may still be directing them to conduct attacks outside of Waledac's control structure.
“We base this hypothesis on the evidence that honeypot computers infected only with Waledac are not sending spam nor getting commands to execute any other attacks. However, Hotmail data and our examination of the behaviour of all the known IP addresses for the previously infected Waledac computers show that about half of the computers once under the control of Waledac are still trying to send spam – and are in fact doing so at higher levels today than they were in our December analysis.”
He concluded by stating that the most critical outcome of this case is proof of concept, and that as Project MARS moves on, it will be ‘looking to the lessons of Operation b49 as successful signposts along the road in this uncharted territory’.
“While no one action will wipe out every threat, any strong action to disable a botnet is significant progress and each action will inform the next,” said Williams.