With legal nod, Microsoft ambushes Waledac botnet

With a restraining order in hand, Microsoft is working to take down the spambot, which has infected hundreds of thousands of PCs worldwide.

Lance Whitney Contributing Writer

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

See full bio

Lance Whitney

Feb. 25, 2010 6:39 a.m. PT

2 min read

Microsoft is intent on eliminating the Waledac botnet and is using the legal system to help.

Tim Cranton, Microsoft's associate general counsel, wrote Thursday on the company's blog that Microsoft has been shutting down Waledac by working with technology partners and taking legal action.

In response to a complaint filed by Microsoft, a federal judge issued on Monday a temporary restraining order to shut down 227 Internet domains believed to be run by cybercriminals spreading the Waledac spambot.

A map of Waledac infections around the world in a recent 24 hour period. — A map of Waledac infections around the world in a recent 24-hour period. Microsoft

This week's legal takedown of Waledac, known internally at Microsoft as "Operation b49," came after months of investigation, wrote Cranton. Once the company had gathered its evidence, the challenge was how to find a legal means to allow Microsoft to block the suspected domains from their botnets and stop them from further infecting and controlling their victims.

To achieve this, Microsoft looked at a legal principle called "ex parte TRO." Ex parte means without notifying the other side, and TRO stands for temporary restraining order. The ex parte aspect was crucial because severing the link between the criminals and their bots had to be done without their knowledge. Further, Microsoft needed to convince the court that such legal action was warranted. Richard Boscovich, senior attorney at Microsoft's digital crimes unit, played a role in forming the complaint.

"We drafted the complaint in such a way that explained to the court that the amount of damages to consumers across the world, and also other companies in addition to Microsoft itself, warranted the granting of this rather extraordinary order," said Boscovich toward the end of a Microsoft-created video that describes the fight against Waledac.

The legal action has already cut off access to Waledac at the domain level, according to Cranton. This means the connection has been severed between the command and control centers of the botnet and most of the infected computers worldwide. Cranton said that Microsoft is working with security organizations to take down Waledac's remaining peer-to-peer command and control connections.

Though the link between the botnet and its targets may have been cut, Cranton notes that there are still many infected computers out there and urges their owners to secure and protect their PCs.

Microsoft's crackdown of Waledac is only one battle in the larger war against malware. But it is crucial, according to the company, because this single botnet had infected hundreds of thousands of PCs worldwide and was thought to be capable of sending more than 1.5 billion spam messages each day. Microsoft noted that between December 3 and 21, 2009, around 651 million spam e-mails generated by Waledac were directed to Hotmail accounts alone.