Microsoft will look to courts for botnet takedowns

Microsoft says its legal efforts helped reduce the prevalence of computers infected with Waledac

Microsoft has seen a dramatic drop in the number of computers infected with Waledac, a piece of malicious software affiliated with a botnet that was once responsible for a massive amount of spam.

In the second quarter of this year, the company cleaned only 29,816 computers infected with Waledac, down from 83,580 computers in the first quarter of the year. Microsoft published the statistic in its latest biannual Security Intelligence Report released on Wednesday.

The drop in the number of infected machines shows the success of the legal action Microsoft took earlier in the year, said Adrienne Hall, general manager for Microsoft's Trustworthy Computing group.

Waledac was used to send spam and infect computers with fake antivirus software. It used a complicated peer-to-peer system to communicate with other infected machines.

Microsoft's legal moves against Waledac were unprecedented. The company was granted a rare ex parte temporary restraining order (TRO) to shut down malicious domain names that Waledac's controllers used to communicate with infected machines.

Going to court "gives you a blanket way to put on notice that you are going to look into the perpetrators," Hall said.

An ex parte TRO allows an activity to be halted without notice to the bad actor and without granting that person a court hearing. In the case of Waledac, it meant that if the domain names were suddenly shut down, the botnet's operators would have little time to register new domains for their bots to contact for new instructions.

Federal courts are reluctant to issue those kinds of orders because they may violate defendants' right to due process, according to Microsoft's report. But courts will grant an ex parte TRO if a judge is convinced the defendants may quickly reorganize and continue their bad activity. Microsoft was able to get two of those orders.

In other civil summons documents, Microsoft named 27 "John Does" who had registered the bad domains, which the company said provided the court "with an identifiable target for legal service while protecting the registrants' due process rights."

But most of the 276 domains used to control Waledac were registered through registrars in China. In another sign of Microsoft's diligence, the company researched how to craft an application for an ex parte TRO that also complied with Chinese law. It also researched how to serve those defendants in compliance with international treaties.

The international domain name registrants were served through the Hague Convention on Service Abroad, and all of the documents were sent to China's Ministry of Justice in addition to being published on a specific Web site.

The domains were shut down within 48 hours after the U.S. District Court for the Eastern District of Virginia granted the order. Last month, the court held a hearing on entering a default judgement against the unidentified defendants and transferring control of the domains to Microsoft. The company said in its report that a permanent injunction is pending.

"We think this has effectively dealt a blow to Waledac," Hall said.

While lawyers worked on the legal side, technical experts also attacked Waledac. Microsoft marshalled a team of computer security researchers who infiltrated Waledac's peer-to-peer control system. Once inside the botnet, they commanded infected machines to report to their own servers, cutting the cybercriminals off from their own botnet.

But while Waledac was stung, it still lives. The botnet comes in at No. 23 of the 25 most-detected botnet families, according to Microsoft's report, showing that even after extensive legal and technical efforts, botnets are difficult foes.

Send news tips and comments to jeremy_kirk@idg.com

Jeremy Kirk

IDG News Service