A federal judge has brought Microsoft one step closer to seizing control of 276 domains controlled by the Waledac botnet.
A magistrate judge in the U.S. District Court of Eastern Virginia recommended recently that a default judgment be granted in Microsoft's favor. The defendants in the case were given 14 days to object; if they do not, the judgment will be final.
“In this case, Microsoft presented evidence to the court that although the defendants did not come forward, they were aware of the case and actively tried to retaliate, attempting to launch a distributed denial of service (DDOS) attack against the law firm that filed the suit and even going so far as to threaten one of the researchers involved in the case,” according to Microsoft.
The legal action was the result of a joint investigation known as ‘Operation b49’ that also involved Symantec, Shadowserver Foundation, the University of Washington and others. Once capable of sending out more than 1.5 billion spam messages a day, the number of unique infected IP addresses has continued to decline, going from 64,000 during the week of July 23 to 58,000 as of Aug. 30.
“As we wrote in March, communications within the botnet remain dead and we haven’t seen any new infections since we first took action,” Microsoft said. “This is a direct result both of the ex parte temporary restraining order granted by the court in February which allowed us to take the domains controlling Waledac offline before the bot-herders could move operations, as well as the remarkable mobilization by the global security community to disrupt the peer-to-peer communication within Waledac. Through this process, the courts and the security community have paved the way for future takedowns in cases where criminals are abusing anonymity to victimize computer users around the world.”
Members of the security community have worked individually and collectively to takedown botnets on multiple occasions in the past with mixed results. Just recently for example, researchers at LastLine reached out to hosting providers for the Pushdo botnet, but were greeted by some with inaction. The result was only about 20 of the botnet’s 30 servers were taken offline, and while spam from the botnet dropped initially, it began to tick up back up shortly thereafter.
“The Waledac takedown is the first undertaking in a larger Microsoft-led initiative called Project MARS (Microsoft Active Response for Security), which is a joint effort between Microsoft’s Digital Crimes Unit, the Microsoft Malware Protection Center (MMPC), Microsoft Support and the Trustworthy Computing team to annihilate botnets and help make the Internet safer for everyone…We’re also seeing other members of the security industry and law enforcement taking proactive action to both study and dismantle other botnets, such as the recent actions against Mariposa and Pushdo/Cutwail,” Microsoft said. “While the approaches to these actions have differed somewhat from the Waledac takedown, all of these efforts demonstrate that the industry is beginning to take a more aggressive stance against botnets.”
