Microsoft legal punch may change botnet battles forever

The software giant is on the verge of getting a court to grant it ownership over domains used in the Waledac spam botnet.

Senior Microsoft attorney Richard Boscovich says the company is expected to get a big win in its legal case against the operators of the Waledac botnet.

With court backing and a novel use of a civil procedure, Microsoft appears to be close to obliterating the Waledac spam botnet, changing the way online criminal operations are defeated.

A magistrate judge in federal court in Virginia is expected to recommend within days that the judge hearing Microsoft's case grant a default judgment, Richard Boscovich, a senior Microsoft attorney, told CNET on Wednesday.

This would mean that the 276 Web domains deployed as Waledac command-and-control servers to provide instructions to thousands of infected computers would be forfeited to Microsoft, effectively shutting down the botnet for good, he said.

What's unusual about the case is that Microsoft is relying on a procedure known as "ex parte," which allows a court to make decisions without the purported owners of the domains being present. Ordinarily, a judge couldn't give away property, such as domain ownership, without giving the registered domain owner the right to challenge the request in court.

However, because the registrants of the Waledac domains did not come forward in response to notices published online and in print, and because Microsoft was able to convince the court that shutting down the domains was in the public interest, the court is taking Microsoft's side on the issue, Boscovich said.

The magistrate judge indicated in comments from the bench on Friday that he will recommend to U.S. District Court Judge Leonie Brinkema, who is overseeing the case, that she grant ownership of the domains to Microsoft, Boscovich said. "If the district court agrees with the magistrate judge, and we have a high degree of confidence that will be the case, then a final default judgment order will be entered," he said.

The botnet operators, who registered most of the domains in China under false names, are aware of what is going on, Boscovich said. The Web site Microsoft set up for the pleadings was heavily probed with unauthorized access attempts, and the company suspects the Waledac operators are behind that, he said. In addition, they are believed to be responsible for an online threat received by a researcher who works at an industry partner of Microsoft's, Boscovich added, declining to name the researcher or the company.

"They did get notice, but they elected not to come forward because the domains are used for illegal purposes--running a botnet," he said.

Microsoft relied on ex parte in requesting a temporary restraining order the court granted in February shortly after the company filed its lawsuit. That order temporarily shut down the Waledac domains without the registrants first being notified.

"This is the first application of its kind of an ex parte temporary restraining order in a bot situation," Boscovich said. "This is the first time we've been able to show to a court in the context of a botnet that ex parte should be utilized because of the ongoing damage it is causing and because of the fact that bot herders are able to change very quickly if given notice."

This legal strategy was a "proof of concept" that others can use against botnets and other online crime operators in the future, he said. "I think it's definitely a game changer," he said.

Microsoft--a deep-pocketed company that has also used the courts in its battles against fake antivirus or "scareware" ads, malvertising, spam and phishing over IM, and e-mail spam--was able to convince the judge to order VeriSign to redirect traffic bound for the Waledac domains to Microsoft instead, Boscovich said. This enabled Microsoft to see the IP addresses of infected computers so it can work with Internet service providers and computer emergency response teams in different countries to alert the computer owners to the problem, he said.

This screenshot was taken from a video that shows the concentration of Waledac infections geographically and changes over a 24-hour period.

Computers typically become infected when a user clicks on a malicious link or opens an e-mail attachment that installs a Windows-based Trojan; the Trojan serves as a back door for criminals, who can then command the computer to send spam. (For help in cleaning up an infected computer, Microsoft has this Web site. Up-to-date anti-virus software will block Waledac.)

Working with researchers and other companies in the industry as part of the Microsoft-led Operation b49, the company also was able to disrupt Waledac's peer-to-peer communications, the channel through which infected computers relayed commands to one another when they couldn't reach the command-and-control servers.

Waledac at one point was capable of sending 1.5 billion spam messages a day, and possibly more than 100,000 computers were believed to be infected, according to Microsoft. The number of unique infected IP addresses had declined to just over 58,000 as of August 30, Microsoft said in a blog post on Wednesday.
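The sinkhole described above (the registry redirecting traffic for the seized domains to Microsoft so it can see infected IP addresses and hand them to ISPs and CERTs) and the "unique infected IP addresses" figure both come down to the same kind of processing of sinkhole hit logs. The following is an added example, not Microsoft's or the court-ordered sinkhole's code: it parses a constructed hit log, counts distinct source IPs per day (so a bot that checks in many times a day counts once), and batches the addresses by the network whose abuse contact should be notified. The log format, the sample lines and the prefix-to-contact table are all assumptions made for the illustration.

```python
"""Aggregate sinkhole hits into per-day unique-infected-IP counts and
per-network notification batches.

Added example, not Microsoft's or the court-ordered sinkhole's code. The log
format, the sample lines and the prefix-to-contact table are constructed.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sinkhole hit log: timestamp, source IP, domain the bot asked for.
# The last line is deliberately malformed to show that bad input is skipped.
SAMPLE_LOG = """\
2010-08-30T00:12:07Z 192.0.2.15 example-c2-a.test
2010-08-30T00:12:09Z 192.0.2.15 example-c2-b.test
2010-08-30T03:44:51Z 198.51.100.7 example-c2-a.test
2010-08-30T17:02:13Z 203.0.113.200 example-c2-c.test
2010-08-31T01:00:00Z 192.0.2.15 example-c2-a.test
2010-08-31T09:15:30Z 203.0.113.201 example-c2-b.test
2010-08-31T12:00:00Z 100.64.0.9 example-c2-a.test
bad line that should be skipped
"""

# Constructed mapping from network prefix to the contact that gets the report
# (an ISP abuse desk or a national CERT). Real data would come from WHOIS/ASN.
NETWORK_CONTACTS = {
    "192.0.2.0/24": "abuse@isp-one.example",
    "198.51.100.0/24": "cert@country-x.example",
    "203.0.113.0/24": "abuse@isp-two.example",
}


def parse_hits(log_text):
    """Yield (date, ip, domain) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, domain = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            ipaddress.ip_address(ip)  # validates the address syntax
        except ValueError:
            continue
        yield when.date().isoformat(), ip, domain


def unique_ips_per_day(log_text):
    """Count distinct source IPs per calendar day. Repeat check-ins from one
    bot count once, which is what a 'unique infected IPs' metric means."""
    seen = defaultdict(set)
    for day, ip, _domain in parse_hits(log_text):
        seen[day].add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}


def notification_batches(log_text, contacts=NETWORK_CONTACTS):
    """Group distinct infected IPs by the contact responsible for their
    network. Addresses matching no known prefix land under 'unassigned'
    so they are not silently dropped from follow-up."""
    networks = [(ipaddress.ip_network(p), who) for p, who in contacts.items()]
    batches = defaultdict(set)
    for _day, ip, _domain in parse_hits(log_text):
        addr = ipaddress.ip_address(ip)
        who = next((c for net, c in networks if addr in net), "unassigned")
        batches[who].add(ip)
    return {who: sorted(ips) for who, ips in sorted(batches.items())}


if __name__ == "__main__":
    for day, count in unique_ips_per_day(SAMPLE_LOG).items():
        print(f"{day}: {count} unique infected IPs")
    for who, ips in notification_batches(SAMPLE_LOG).items():
        print(f"{who}: {', '.join(ips)}")
```

Two points the paragraph leaves implicit: the daily count must deduplicate, because a single infected host polls the sinkhole repeatedly and would otherwise inflate the number, and a 24-hour window undercounts hosts that were powered off that day, which is one reason the figure moves from day to day. Addresses that map to no known network are kept in their own batch rather than discarded, so they can be routed by hand.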

"Microsoft is definitely treading new ground here," said Dave Dittrich, senior security engineer at the Applied Physics Lab at the University of Washington.

Companies that don't have the financial resources Microsoft has won't be able to do this on their own, but they could mount similar legal challenges to botnets by working together, he said.

"I'm hoping that this provides a model that others will start to use," in helping courts understand how botnets work and persuading them that ex parte-type procedures may be extreme but necessary, Dittrich said. "In this case the court is being used to compel these actions that otherwise wouldn't be possible without the cooperation of these other entities," he said.
