Microsoft will look to courts for botnet takedowns

Microsoft says its legal efforts helped reduce the prevalence of computers infected with Waledac

Microsoft has seen a dramatic drop in the number of computers infected with Waledac, a piece of malicious software affiliated with a botnet that was once responsible for a massive amount of spam.

In the second quarter of this year, the company cleaned only 29,816 computers infected with Waledac, down from 83,580 computers in the first quarter of the year. Microsoft published the statistic in its latest biannual Security Intelligence Report released on Wednesday.

The drop in the number of infected machines shows the success of the legal action Microsoft took earlier in the year, said Adrienne Hall, general manager for Microsoft's Trustworthy Computing group.

Waledac was used to send spam and infect computers with fake antivirus software. It used a complicated peer-to-peer system to communicate with other infected machines.

Microsoft's legal moves against Waledac were unprecedented. The company was granted a rare ex parte temporary restraining order (TRO) to shut down malicious domain names that Waledac's controllers used to communicate with infected machines.

Going to court "gives you a blanket way to put on notice that you are going to look into the perpetrators," Hall said.

An ex parte TRO allows for an activity to be halted without notice to the bad actor and without granting that person a court hearing. In the case of Waledac, it meant that if the domain names were suddenly shut down, the botnet's operators wouldn't have much time to register new domains for their bots to call on to get new instructions.

Federal courts are reluctant to issue those kinds of orders because it may violate defendants' right to due process, according to Microsoft's report. But courts will grant an ex parte TRO if a judge is convinced the defendants may quickly reorganize and continue their bad activity. Microsoft was able to get two of those orders.

In other civil summons documents, Microsoft named 27 "John Does" who had registered the bad domains, which the company said provided the court "with an identifiable target for legal service while protecting the registrants' due process rights."

But most of the 276 domains used to control Waledac were registered through registrars in China. In another sign of Microsoft's diligence, the company researched how to craft an application for an ex parte TRO that also complied with Chinese law. It also researched how to serve those defendants in compliance with international treaties.

The international domain name registrants were served through the Hague Convention on Service Abroad, and all of the documents were sent to China's Ministry of Justice in addition to being published on a specific Web site.

The domains were shut down within 48 hours after the U.S. District Court for the Eastern District of Virginia granted the order. Last month, the court held a hearing on entering a default judgement against the unidentified defendants and transferring control of the domains to Microsoft. The company said in its report that a permanent injunction is pending.

"We think this has effectively dealt a blow to Waledac," Hall said.

While lawyers worked on the legal side, technical experts also attacked Waledac. Microsoft marshalled a team of computer security researchers who infiltrated Waledac's peer-to-peer control system. Once inside the botnet, they commanded infected machines to report to their own servers, cutting the cybercriminals off from their own botnet.

But while Waledac was stung, it still lives. The botnet comes in at No. 23 of the 25 most-detected botnet families, according to Microsoft's report, showing that even after extensive legal and technical efforts, botnets are difficult foes.

Send news tips and comments to jeremy_kirk@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags fraudMicrosoftcybercrimemalwarelegalrsaCriminalDesktop security

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?