Microsoft takes legal action to shut down Waledac botnet

Federal judge grants Microsoft the ability to shut down hundreds of domain names tied to the Waledac botnet.

Microsoft has taken legal action this week to shut down the command-and-control network of the Waledac botnet, a notorious spambot that produces an estimated 1.5 billion spam messages daily, pushed out by hundreds of thousands of infected PCs worldwide. 

"We decided the best tactic would be to really build a wall between the bot herder, the command computer and all of the other computers."
T.J. Campana, Senior Program Manager, Microsoft

A federal judge in the U.S. District Court of Eastern Virginia granted Microsoft's request to cut off 273 domain names believed to be controlling the Waledac botnet. The software giant issued its complaint against 27 unnamed "JohnDoe" defendants believed to be the bot herders. It requested domain name registry VeriSign Inc. to get the .com registered domains shut down.

"We drafted a complaint in such a way that explained to the court that the amount of damages to consumers across the world and also other companies in addition to Microsoft itself warranted the granting of this extraordinary order," said Richard Boscovich, a senior attorney in Microsoft's digital crime unit, in a video on the Waledac announcement in the Microsoft blog.

The lawsuit names U.S.-based domain registrar Wild West Domains Inc. as well as several China-based registrars, Xin Net Technology Corp., Xiamen Ename Network Technology Corp., China Springboard Inc. and Beijing Innovative Linkage Technology Ltd. 

Latest spam news and information:

MAAWG documents spam statistics stalemate: Spam volume remains steady at about 90%, according to spam statistics from industry group. 

With McColo shut down, has spam decreased? Expert Michael Cobb explains how the shutdown of the San Jose-based Web hosting service provider actually impacted spam levels.

Once the connection is severed the cybercriminals would no longer be able to sell their robot army to other cybercriminals, said T.J. Campana, senior program manager in the digital crimes unit at Microsoft. In the Microsoft video, Campana explained the extent of the Waledac botnet. In an 18-day period in December Hotmail blocked 651 million connections from Waledec connected machines, he said.

"It would have been impossible to sever each individual computer given the sheer magnitude and size, so we decided the best tactic would be to really build a wall between the bot herder, the command computer and all of the other computers," he said.

In addition, Microsoft said it has also been taking action to downgrade much of the peer-to-peer command-and-control communication within Waledac. Waledac is believed to be connected to the notorious Storm botnet. It spreads via email attachments with topical subject lines and messages to lure users to click image links with promises of an e-card. 

Waledac ties to Conficker/Downadup
Last year a variant of the fast spreading Conficker/Downadup worm was believed to be dropping a binary that connects to Waledac giving Conficker.E self-propagation abilities. Shortly after the discovery of the new variant, Microsoft added Waledac detection capabilities in its Malicious Software Removal Tool. Some security experts believe that those behind Conficker may have briefly teamed up with those associated with Waledac to monetize the botnet by spreading spam that offered software to read private SMS messages.

The legal action this week was the result of moths of investigation, Microsoft said. Most of the domain owners are believed to be based in China. One domain, debtbgonesite.com, is owned by Stephen Paluck of Beaverton Ore. Paluck didn't return a phone call for comment. He told the Wall Street Journal that he did nothing wrong and wants his domain back.

Dig deeper on Email and Messaging Threats (spam, phishing, instant messaging)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close