Microsoft has brought a major botnet to its knees using a combined technical and legal strategy that it expects to deploy again.
Earlier this week, a federal judge granted Microsoft a temporary restraining order that cut off 277 Internet domains believed to be run by criminals as the Waledac bot, according to a blog post by Tim Cranton, the company’s associate general counsel.
That cut off traffic to Waledac at the “.com” or domain registry level — essentially severing the tie between the botnet’s command-and-control centers and most of its thousands of zombie computers around the world. Microsoft was then able to downgrade much of the peer-to-peer communication within the botnet, Cranton said.
The element of surprise was crucial to the operation, which is why Microsoft sought the restraining order without notification of the parties involved. It was able to convince the judge that this was necessary, given the botnet’s scope and suspected activities, according to comments made by Richard Boscovich, senior attorney at Microsoft’s digital crimes unit, in a video about the takedown posted on the company blog.
Spam’s Unstoppable March
Simply put, Waledac is huge, Cranton said — one of the 10 largest botnets in the U.S. and a major global distributor of spam. It is estimated to have infected hundreds of thousands of computers around the world that could send over 1.5 billion spam emails per day. In one period — December 3-21, 2009 — Waledac spammed Hotmail accounts with approximately 651 million emails peddling fraudulent offers of imitation goods, jobs, penny stocks and drugs.
“This legal and industry operation against Waledac is the first of its kind, but it won’t be the last,” Cranton concluded. “With this action, done in cooperation with experts from Shadowserver, the University of Washington, Symantec and others, we’re building on other important work across the global security community to combat botnets.”
Most spam is sent via botnet, noted Alexander Southwell, former prosecutor and partner with Gibson Dunn & Crutcher’s white collar defense and investigations practice.
“The coordinated response to the Waledac botnet — particularly at the domain level — is a notable counteroffensive in an increasingly sophisticated arms race with organized cybercriminals,” he told TechNewsWorld.
Can this strategy be replicated with other botnets? And will it permanently stamp out spam? In a nutshell, no — the latest success doesn’t mean spam is about to be eradicated.
Attempts like Microsoft’s to stop spam at its source are important — even necessary — but are not sufficient to eliminate it, Keith R. Crosley, director of market development at Proofpoint, told TechNewsWorld. “As we saw with the dramatic takedown of rogue ISP McColo in November of 2008, efforts like this can have a temporary effect on spam volumes. But it wasn’t long before bot herders were able to re-establish command and control of their systems.”
Long, Expensive Strategy
In this particular case, the legal strategy Microsoft used was long and expensive — and not a scalable way to handle other active botnets, Yuval Ben-Itzhak, senior vice president of engineering at AVG, told TechNewsWorld.
Also, most spammers operate outside of U.S. borders, which can make legal reach difficult, noted Mike Geide, senior security researcher at Zscaler.
“.Com is operated by Verisign, a U.S. based company, so they are compelled to act based upon U.S. court rulings,” Geide told TechNewsWorld. “In the case of other TLDs, particularly ccTLDs (RU, CN, and SE for example), it will be interesting to see what, if any, legal process would exist for an entity to file a lawsuit and have appropriate action taken.”
There is also the problem of scalability.
“It is a minimal effort for a criminal to bulk register domains — as was the case in Conficker, which was used to spread Waledac — but there is significant time and effort involved in shutting down the malicious domains,” Geide pointed out. “ICANN, registries, and registrars need to be proactive and cooperate with the security community to remove domains involved in criminal activity.
Bump in the Road
Spammers are bound to react with new strategies.
“Spammers [and] malware authors paying attention to this case will certainly diversify the command-and-control structure and domain registries used,” said Geide.
The spammers will just move to another domain and continue, suggested Ben-Itzhak. “Their operation makes them tons of money, so they will continue to do what they know to do very well. We may have a short slowdown in spam, but in days it will ramp back again.”
Shutting down spam bots happens all time, he observed. The difference this time is in the way Microsoft did it.