Microsoft has several other botnets in its crosshairs, and believes it can use the same legal tactic against them that it deployed last week to strike at the Waledac botnet's command-and-control centers.
But the company also admitted that it had not yet severed all communications between the controllers of Waledac and the thousands of compromised Windows computers used by hackers to pitch bogus security software and send a small amount of spam.
[ Related: "Microsoft recruited top-notch security guns for Waledac takedown." | InfoWorld's Roger Grimes explains how to stop data leaks in an enlightening 30-minute Webcast, Data Loss Prevention, which covers the tools and techniques used by experienced security pros. ]
"This shows it can be done," said Richard Boscovich, senior attorney with Microsoft's Digital Crimes Unit. "Each botnet is different, of course, but this is another arrow in the quiver. This is not the last [effort].... We have other operations on the drawing board."
Last Wednesday, Microsoft announced that it had been granted a court order that yanked nearly 300 sites from the Internet. Those sites, Microsoft said, were a key link between hackers and the PCs that make up the Waledac botnet. The legal tactic, which garnered accolades from many security professionals as a precedent-setting move, resulted in what Microsoft called "a major botnet takedown" of Waledac, a fact that some researchers disputed.
The same method can and will be applied to other botnets, Boscovich said. He declined to say which zombie PC army is next on Microsoft's hit list. "Of course this is scalable," he said when asked whether the legal action against Waledac would work against other botnets, or was a one-off. "This is another tool we can now use, another mechanism that is available."
In fact, when Microsoft officials sat down in early January to decide which botnet to target, they started with a list of six, then narrowed it to three, from which they selected Waledac. The remaining five unnamed botnets remain on Microsoft's list.
"We wanted to challenge ourselves technically," said Boscovich when asked why Waledac was chosen. "From the technical standpoint, it had a certain reputation."
Waledac does have a reputation. The malware that infects victimized PCs was created by, and the botnet is maintained by, hackers who previously flooded the Internet with the Storm bot from early 2007 through mid-2008. Waledac's makers "definitely know the ins and outs," Joe Stewart, director of malware analysis at SecureWorks and a noted botnet researcher, said last Thursday.