R.I.P. Waledac: Undoing the damage of a botnet

Ed note:
[On October 27, 2010, the US District Court of Eastern Virginia issued a final judgment in this case, agreeing with Magistrate Judge Anderson’s recommendation to grant Microsoft’s motion for default judgment, and officially ordered the transfer of the domains behind Waledac to Microsoft.]

Earlier this year, we wrote in this blog about Operation b49 – the groundbreaking legal and technical efforts led by Microsoft in cooperation with academic and industry experts around the world to shut down the notorious Waledac botnet, a network of tens of thousands of computers hijacked by bot-herders to spread malware, send spam and commit other forms of cybercrime. I’m pleased to announce that our legal action to permanently shut down the botnet has been successful and we have begun working with Internet Service Providers (ISPs) and CERTS to help customers remove the Waledac infection from their computers.

As you may have read in the September 8th edition of USA Today, Magistrate Judge Anderson of the US District Court of Eastern Virginia indicated he is recommending the court grant Microsoft’s motion for default judgment in the case filed in February and permanently transfer ownership of the 276 domains behind Waledac to Microsoft so they’ll never again be used for cybercrime.  On October 27th, 2010, the district judge agreed with the magistrate’s recommendation and officially ordered the transfer of the domains to Microsoft.  In this case, Microsoft presented evidence to the court that although the defendants did not come forward, they were aware of the case and actively tried to retaliate, attempting to launch a distributed denial of service (DDOS) attack against the law firm that filed the suit and even going so far as to threaten one of the researchers involved in the case.  Judge Anderson indicated he will be issuing a report and recommendation to the District Court to grant default judgment in Microsoft’s favor.  The defendants will have 14 days to object and, if they do not, the District Court ruling will be final.  The defendants are highly unlikely to respond, given the nature of the operation and the fact they have not presented a defense in court to date, which means this case has effectively been brought to a successful resolution.


As we wrote in March , communications within the botnet remain dead and we haven’t seen any new infections since we first took action.  This is a direct result both of the ex parte temporary restraining order granted by the court in February which allowed us to take the domains controlling Waledac offline before the bot-herders could move operations, as well as the remarkable mobilization by the global security community to disrupt the peer-to-peer communication within Waledac.  Through this process, the courts and the security community have paved the way for future takedowns in cases where criminals are abusing anonymity to victimize computer users around the world.

This legal victory is just one part of closing the book on Waledac. This operation has provided us with more visibility into the actual footprint of this notorious botnet so we can see the spread of the infection around the world.  The number of unique infected IP addresses is steadily declining and as of August 30th 2010, there were just more than 58,000 unique IP addresses infected with Waledac malware.  That’s down from nearly 64,000 addresses during the week of July 23rd, 2010. We’re using the information we’ve gathered on these infected IP addresses to begin working with CERTs and ISPs to contact affected customers in order to remove the Waledac malware from as many computers as possible.  To help with that process, Microsoft has created a website – http://support.microsoft.com/botnets – dedicated to help people clean their computers.  Although we are in the early stage of the cleanup process, we’re seeing great initial results.  Cox Communications, for example, has already helped virtually all the customers they’ve contacted clean their computers. 

The Waledac takedown is the first undertaking in a larger Microsoft-led initiative called Project MARS (Microsoft Active Response for Security), which is a joint effort between Microsoft’s Digital Crimes Unit, the Microsoft Malware Protection Center (MMPC), Microsoft Support and the Trustworthy Computing team to annihilate botnets and help make the Internet safer for everyone.  We believe the Waledac takedown will be the first of many successful endeavors for Project MARS and we’re already working to apply the lessons we learned from this operation to future initiatives.  

We’re also seeing other members of the security industry and law enforcement taking proactive action to both study and dismantle other botnets, such as the recent actions against Mariposa and Pushdo/Cutwail.  While the approaches to these actions have differed somewhat from the Waledac takedown, all of these efforts demonstrate that the industry is beginning to take a more aggressive stance against botnets.  You can be sure that there will be more to come. 

Additional resources

Comic strip explaining botnets

Microsoft Citizenship page

To follow the Microsoft Digital Crimes Unit for news and information on proactive work to combat botnets and other digital threats, visit www.facebook.com/MicrosoftDCU or twitter.com/MicrosoftDCU. And for more from the MMPC on today’s news, visit: http://blogs.technet.com/b/mmpc/.