Feb 25, 2010 (09:02 AM EST)
Microsoft Decapitates Waledac Botnet
Read the Original Article at InformationWeek
The world's largest software company on Thursday said that it was granted permission by a Virginia court to go over the heads of the Internet service providers hosting Web domains affiliated with Waledac and pull the plug at the domain registry level, through VeriSign.
"Microsoft filed a complaint with the US District Court of Eastern Virginia, which issued the temporary restraining order this week directing VeriSign -- the registry operator for all .com domains -- to sever the domains in question," said Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit, in an e-mailed statement. "VeriSign, in compliance with the TRO, severed those domains within hours of the order, effectively decapitating the botnet."
As a result of what Microsoft has dubbed "Operation b49," some 277 Internet domains that provided command and control capabilities to Waledac have been taken offline. Because Waledac has a peer-to-peer communication component, Microsoft has also been deploying additional technical countermeasures to cut off botnet communication.
In a three-week period in December, Microsoft identified some 651 million spam messages directed at Hotmail alone by the Waledac botnet. The company estimates that the botnet, prior to the takedown, was sending 1.5 billion spam messages per day.
"Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent," said Microsoft associate general counsel Tim Cranton in a blog post.
However, Cranton notes that the takedown will not do anything to disinfect compromised computers.
Although Microsoft says that this is the first time registry-level action has been used to shut down a botnet, Bret Fausett, a Los Angeles-based attorney at Adorno & Yoss, observes that registry-level enforcement is relatively common in cases such as trademark disputes, when the ISP hosting an infringing site is located outside the U.S. "Using the registry as a point of control for domain names is actually fairly common," he said.
Such tactics, however, may amplify international objections to U.S. control of the Internet domain name system. "I think one of the reasons that this practice flies a little bit under the radar is because of those Internet governance concerns," he said. "What it basically says about .com...is that those domains are ultimately subject to control by a U.S. court."
Karl Auerbach, CTO at InterWorking Labs, Inc. and a former board member of ICANN, said in an e-mail that he believed the effort to combat the Conficker worm had also involved registry-level intervention, and that some aspects of this approach prompt concern.
"While it makes sense to me to use the domain name registration as a way to redress abusive activities on the net, I do have concern about the standards that are used to justify such actions, the constraints on such actions including their duration, and measures to limit collateral damage," he said.
As an example, he said that he had once had machines at a co-location facility whose entire range of IP addresses was blacklisted because of spammers using nearby IP addresses.
The fact that these takedowns happen without notice, Auerbach says, makes him wonder about the standards for such actions and the remedies if a mistake is made. "For example, are the initiating party and registry required to put up a bond just in case their actions ultimately prove unjustified or caused harm to innocent third parties?" he asks.
Update: Added comment from Karl Auerbach.