Microsoft unplugs spammer botnet with legal strategy

Software giant uses existing laws to take down spammers

Kudos to Microsoft for taking a common-sense approach in attacking the notorious Waledac botnet. Using existing federal law, the company last week went to court and obtained an injunction against 273 malicious domains, effectively unplugging them from the Internet. At least for now.

“Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent,” Microsoft wrote in announcing the action. “But the operation hasn’t cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused.”

Keeping the bot-herders offline permanently will require more than shutting down the domains that were being used in the distribution of billions of spam messages; it will require identifying the individuals (referred to in the complaint as John Does 1-27) and putting them out of business. Microsoft said it is working toward that, but at the very least the suit already has bought all of us a respite from the incessant bogus greeting cards and offers for cheap drugs and "Rollex" [sic] watches.

Operation b49 was an effort by Microsoft and other members of the Botnet Task Force to document the scope and source of spam being distributed by hundreds of thousands of Waledac-infected computers. The company estimated the capacity of the botnet at more than 1.5 billion messages a day, and documented about 651 spam messages sent to Hotmail e-mail accounts alone during three weeks in December.

Microsoft filed the suit Feb. 22 in U.S. District Court for the Eastern District of Virginia in Alexandria, which had jurisdiction in the case because VeriSign, the .com domain registry, is located in that district and Microsoft was able to document computers in that district that had been compromised by Waledac. The suit alleged violations of the Computer Fraud and Abuse Act, the CAN-SPAM Act, the Electronic Communications Privacy Act and other federal fraud and trademark protection laws. It alleged that the unnamed defendants controlled 273 domains used for command and control of the botnet and for luring unsuspecting victims to malicious sites.

According to the suit, the domains, many of which were for phony electronic greeting card services and holiday-related sites, were registered through domain name registrars in China and Arizona. The botnet used fast-flux DNS servers that rapidly changed the domains infected computers communicated with for instructions, and the nodes that distributed the spam were typically infected computers behind firewalls that were difficult to monitor and remediate remotely.

Microsoft claimed standing to file the suit because of the illegitimate traffic sent to accounts of its Hotmail e-mail service, and also because infection by Waledac malware “constitutes an unauthorized intrusion into Microsoft Windows operating systems.” The company alleged financial losses and irreparable harm to its reputation from the botnet and asked for damages as well as preliminary and permanent injunctions against the defendants.

On Feb. 24, a preliminary injunction effectively cut the domains off from .com.

Although Microsoft is the plaintiff, it was aided in Operation b49 by experts from Shadowserver, the University of Washington, Symantec, University of Mannheim, Technical University in Vienna, International Secure Systems Lab, the University of Bonn and others.

It’s a good start, but the job is not over. Taking down Waledac for good means identifying and taking down the people behind it and then going after other botnets and other bot-herders. But this operation shows it can be done with existing tools.

“This legal and industry operation against Waledac is the first of its kind, but it won’t be the last,” Microsoft said in a written statement. “Stay tuned.”

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
