Microsoft plans further botnet shutdowns following success against Waledac

Microsoft is planning to replicate the success in shutting down the Waledac botnet in February with similar operations.

Microsoft is planning to replicate the success in shutting down the Waledac botnet in February with similar operations.

The operation pulled together researchers, security suppliers and legal experts to shut down Waledac's command and control domains and disable the botnet's peer-to-peer communications.

Botnets are usually difficult to take down because they typically involve multiple legal jurisdictions, said Richard Boscovich, senior attorney at Microsoft's Digital Crimes Unit (DCU).

"But Operation b49 against Waledac proved the effectiveness of taking high level legal action in combination with technical action," he said.

Microsoft's DCU is looking at additional operations based on the learnings from Operation b49 about what does and does not work well, said Boscovich.

"The operation proved the theory that an effective way of dealing with botnets is to take action at the highest level to shut down domains hosting the command and control infrastructure," he said.

In Operation b49, Microsoft won a court order for the US-based .com domain registrar to shut down 277 domains believed to be part of the Waledec botnet.

This approach enabled Microsoft and its partners to take legal action against the botnet that was outside the lengthy dispute resolution process defined by internet authority Icann and without first alerting the criminals controlling Waledac.

At the same time as severing communications with the command and control mechanisms, security researchers poisoned the peer-to-peer network to prevent PCs in the botnet updating each other and connecting to a new command and control centre.

"When command and control communication went down, the up to 90,000 infected PCs attempted to contact others in the botnet, but were directed instead to a central sink hole," said Boscovich.

The combination of the two actions effectively wrested control of the botnet away from the botnet herders, he said.

"We think we can replicate this novel approach and apply what we have learned to other botnets, although the techniques will differ according to how each one is set up," said Boscovich.

Operation b49 is still ongoing, and Microsoft's DCU plans to make announcements soon about notifying owners of Waledac-infected PCs and cleaning up those systems.

The DCU is made up of a worldwide team of lawyers, investigators, technical analysts and other specialists tasked with making the internet more secure.

Projects within the DCU are aimed at defending against fraud, threats to online safety and crimes against children.

See also:

Productivity that works: Videos, web seminar and case studies

In this special programme of content from Computer Weekly, in association with Microsoft, we examine the tools, technologies and best practices to create a productive, collaborative modern workforce.

Read more on Antivirus, firewall and IDS products