Microsoft will look to courts for botnet takedowns

Microsoft Corp. has seen a dramatic drop in the number of computers infected with Waledac, a piece of malicious software affiliated with a botnet that was once responsible for a massive amount of spam.

In the second quarter of this year, the company cleaned only 29,816 computers infected with Waledac, down from 83,580 computers in the first quarter of the year. Microsoft published the statistic in its latest biannual Security Intelligence Report released on Wednesday.

The drop in the number of infected machines shows the success of the legal action Microsoft took earlier in the year, said Adrienne Hall, general manager for Microsoft’s Trustworthy Computing group.

Waledac was used to send spam and infect computers with fake antivirus software. It used a complicated peer-to-peer system to communicate with other infected machines.

Microsoft’s legal moves against Waledac were unprecedented. The company was granted a rare ex parte temporary restraining order (TRO) to shut down malicious domain names that Waledac’s controllers used to communicate with infected machines.

Going to court “gives you a blanket way to put on notice that you are going to look into the perpetrators,” Hall said.

An ex parte TRO allows for an activity to be halted without notice to the bad actor and without granting that person a court hearing. In the case of Waledac, it meant that if the domain names were suddenly shut down, the botnet’s operators wouldn’t have much time to register new domains for their bots to call on to get new instructions.

Federal courts are reluctant to issue those kinds of orders because it may violate defendants’ right to due process, according to Microsoft’s report. But courts will grant an ex parte TRO if a judge is convinced the defendants may quickly reorganize and continue their bad activity. Microsoft was able to get two of those orders.

In other civil summons documents, Microsoft named 27 “John Does” who had registered the bad domains, which the company said provided the court “with an identifiable target for legal service while protecting the registrants’ due process rights.” 

But most of the 276 domains used to control Waledac were registered through registrars in China. In another sign of Microsoft’s diligence, the company researched how to craft an application for an ex parte TRO that also complied with Chinese law. It also researched how to serve those defendants in compliance with international treaties.

The international domain name registrants were served through the Hague Convention on Service Abroad, and all of the documents were sent to China’s Ministry of Justice in addition to beingpublished on a specific Web site.

The domains were shut down within 48 hours after the U.S. District Court for the Eastern District of Virginia granted the order. Last month, the court held a hearing on entering a default judgement against the unidentified defendants and transferring control of the domains to Microsoft. The company said in its report that a permanent injunction is pending.

“We think this has effectively dealt a blow to Waledac,” Hall said.

While lawyers worked on the legal side, technical experts also attacked Waledac. Microsoft marshalled a team of computer security researchers who infiltrated Waledac’s peer-to-peer control system. Once inside the botnet, they commanded infected machines to report to their own servers, cutting the cybercriminals off from their own botnet.

But while Waledac was stung, it still lives. The botnet comes in at No. 23 of the 25 most-detected botnet families, according to Microsoft’s report, showing that even after extensive legal and technical efforts, botnets are difficult foes.