Microsoft will look to courts for botnet takedowns

Microsoft says its legal efforts helped reduce the prevalence of computers infected with Waledac

Microsoft has seen a dramatic drop in the number of computers infected with Waledac, a piece of malicious software affiliated with a botnet that was once responsible for a massive amount of spam.

In the second quarter of this year, the company cleaned only 29,816 computers infected with Waledac, down from 83,580 computers in the first quarter of the year. Microsoft published the statistic in its latest biannual Security Intelligence Report released on Wednesday.

The drop in the number of infected machines shows the success of the legal action Microsoft took earlier in the year, said Adrienne Hall, general manager for Microsoft's Trustworthy Computing group.

Waledac was used to send spam and infect computers with fake antivirus software. It used a complicated peer-to-peer system to communicate with other infected machines.

Microsoft's legal moves against Waledac were unprecedented. The company was granted a rare ex parte temporary restraining order (TRO) to shut down malicious domain names that Waledac's controllers used to communicate with infected machines.

Going to court "gives you a blanket way to put on notice that you are going to look into the perpetrators," Hall said.

An ex parte TRO allows for an activity to be halted without notice to the bad actor and without granting that person a court hearing. In the case of Waledac, it meant that if the domain names were suddenly shut down, the botnet's operators wouldn't have much time to register new domains for their bots to call on to get new instructions.

Federal courts are reluctant to issue those kinds of orders because it may violate defendants' right to due process, according to Microsoft's report. But courts will grant an ex parte TRO if a judge is convinced the defendants may quickly reorganize and continue their bad activity. Microsoft was able to get two of those orders.

In other civil summons documents, Microsoft named 27 "John Does" who had registered the bad domains, which the company said provided the court "with an identifiable target for legal service while protecting the registrants' due process rights."

But most of the 276 domains used to control Waledac were registered through registrars in China. In another sign of Microsoft's diligence, the company researched how to craft an application for an ex parte TRO that also complied with Chinese law. It also researched how to serve those defendants in compliance with international treaties.

The international domain name registrants were served through the Hague Convention on Service Abroad, and all of the documents were sent to China's Ministry of Justice in addition to being published on a specific Web site.

The domains were shut down within 48 hours after the U.S. District Court for the Eastern District of Virginia granted the order. Last month, the court held a hearing on entering a default judgement against the unidentified defendants and transferring control of the domains to Microsoft. The company said in its report that a permanent injunction is pending.

"We think this has effectively dealt a blow to Waledac," Hall said.

While lawyers worked on the legal side, technical experts also attacked Waledac. Microsoft marshalled a team of computer security researchers who infiltrated Waledac's peer-to-peer control system. Once inside the botnet, they commanded infected machines to report to their own servers, cutting the cybercriminals off from their own botnet.

But while Waledac was stung, it still lives. The botnet comes in at No. 23 of the 25 most-detected botnet families, according to Microsoft's report, showing that even after extensive legal and technical efforts, botnets are difficult foes.

Send news tips and comments to jeremy_kirk@idg.com

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags MicrosoftsecurityDesktop securitylegalmalwarecybercrimersafraudCriminal

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?