First published: 27th February 2010
Following the grant of a temporary restraining order by a US Judge on 22nd February, Microsoft has taken action, known internally by the codename "Operation b49", to disable the Waledac botnet. The action includes de-registering 277 domains, and unspecified "additional technical countermeasures" to downgrade the peer-to-peer communications between infected computers. The 277 domains are hard-coded into the malware, and are used to contact command-and-control servers.
Criminals design modern malware, like Waledac, with business continuity (or should that be crime continuity?) in mind. The infected computers normally receive commands via their peer-to-peer network, but fall back to contacting command-and-control servers (usually also infected computers) via the hard-coded domain names when they have difficulty with their peer-to-peer network. Cleaning individual computers, or even thousands of computers, has little effect on the overall effectiveness of the botnet, as the remaining hundreds of thousands of infected computers simply re-establish their peer-to-peer network automatically. De-registering the command-and-control domains on its own is also ineffective, as the peer-to-peer network remains, allowing the botnet to be updated with new command-and-control domain information. Thus a simultaneous attack, disabling the domains and disrupting peer-to-peer communications at the same time, is necessary to fragment the network beyond repair.
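The reasoning above can be checked with a toy model. The following is an added example, not code from the original article or from Microsoft's operation: it builds a small peer-to-peer overlay, treats a few infected machines as command-and-control relays, and compares the fraction of surviving bots that can still obtain commands under each takedown strategy. The topology (a ring lattice plus random long-range peers), the number of bots, the share cleaned, the link-loss rate used to stand in for the unspecified "additional technical countermeasures", and the rule that a live hard-coded domain always restores control are all illustrative assumptions, not Waledac data.

```python
"""Toy model of a peer-to-peer botnet with hard-coded fallback domains,
used to compare takedown strategies. Constructed example: topology,
sizes and disruption rates are illustrative assumptions, not Waledac data."""
import random
from collections import deque


def build_botnet(n_bots, ring_k=4, chords=1, seed=7):
    """Return {bot: set(peers)}: a ring lattice (each bot peers with its
    ring_k nearest neighbours on either side) plus `chords` random
    long-range peers per bot, so the unattacked overlay is connected."""
    rng = random.Random(seed)
    peers = {b: set() for b in range(n_bots)}
    for b in range(n_bots):
        for d in range(1, ring_k + 1):
            peers[b].add((b + d) % n_bots)
            peers[(b + d) % n_bots].add(b)
        for _ in range(chords):
            c = rng.randrange(n_bots)
            if c != b:
                peers[b].add(c)
                peers[c].add(b)
    return peers


def controlled_fraction(peers, proxies, cleaned=frozenset(),
                        domains_live=True, link_loss=0.0, seed=7):
    """Fraction of still-infected bots that can obtain commands.

    A bot is controlled if (a) a hard-coded C&C domain still resolves
    (the fallback path, assumed to reach every bot), or (b) it can reach
    a proxy node (an infected machine relaying commands) over surviving
    peer links. `cleaned` bots are removed; each peer link is lost with
    probability link_loss, modelling the P2P countermeasures as random
    link loss (an assumption of this model)."""
    rng = random.Random(seed)
    alive = set(peers) - set(cleaned)
    if not alive:
        return 0.0
    if domains_live:
        return 1.0
    # Surviving links after cleaning and disruption, decided once per undirected link.
    live_links = {b: set() for b in alive}
    for b in alive:
        for p in peers[b]:
            if p in alive and b < p and rng.random() >= link_loss:
                live_links[b].add(p)
                live_links[p].add(b)
    # Breadth-first search from every surviving proxy over the surviving overlay.
    queue = deque(p for p in proxies if p in alive)
    reached = set(queue)
    while queue:
        b = queue.popleft()
        for p in live_links[b]:
            if p not in reached:
                reached.add(p)
                queue.append(p)
    return len(reached) / len(alive)


def compare_takedowns(n_bots=200, cleaned_share=0.05, link_loss=0.95, seed=7):
    """Run the strategies the article contrasts and return each one's result."""
    rng = random.Random(seed)
    peers = build_botnet(n_bots, seed=seed)
    proxies = {1, n_bots // 3, 2 * n_bots // 3}   # a few infected hosts act as C&C relays
    candidates = sorted(set(peers) - proxies)
    cleaned = frozenset(rng.sample(candidates, int(n_bots * cleaned_share)))
    return {
        "clean_some_hosts": controlled_fraction(peers, proxies, cleaned, domains_live=True),
        "deregister_domains": controlled_fraction(peers, proxies, domains_live=False),
        "disrupt_p2p_only": controlled_fraction(peers, proxies, domains_live=True, link_loss=link_loss),
        "domains_and_p2p": controlled_fraction(peers, proxies, cleaned, domains_live=False, link_loss=link_loss),
    }


if __name__ == "__main__":
    for strategy, frac in compare_takedowns().items():
        print(f"{strategy:20s} {frac:5.0%} of surviving bots still reachable")
```

Cleaning hosts or disrupting peer links while a hard-coded domain still resolves leaves every surviving bot controllable, and de-registering the domains while the overlay is intact leaves the peer-to-peer path untouched; only the combined attack drops the controllable fraction to a small remnant of scattered fragments. The exact remnant depends on the random seed and the assumed link-loss rate, so the model illustrates the argument rather than measuring Waledac.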
The Waledac botnet is thought to be one of the ten largest botnets, and is implicated in sending spam, DDoS attacks, click fraud and malware distribution. It might be responsible for about 1% of spam emails.
However, Microsoft's actions are not entirely uncontroversial. De-registering domains is an established technique to foil criminals, but disrupting the peer-to-peer communications could be seen as an attack on the computers of innocent victims of the botnet. Charlie Campbell has likened the legal power to a government granting letters of marque and reprisal to privateers. This comparison may not be justified. To speculate, an easy way for Microsoft to disrupt peer-to-peer communication throughout the botnet would be to use Windows Update, perhaps to block the ports used by the malware. In this scenario, Microsoft would already have permission from the legal owners of the computers, by the Windows Update EULA. The expected response by criminals would be to disable Windows Update when their malware is installed.
Allan Dyer, our Chief Consultant, commented, "Microsoft has taken a bold step to disrupt this botnet, but we can expect the criminals to adapt quickly. We need to track down the people behind these botnets, and put them away".