Microsoft botnet 'decapitation' scores legal win against cyber crime

Federal court looks ready to approve Microsoft's takedown of Waledac botnet, paving way for new tool against cyber criminals

Microsoft spearheaded an attack on the Waledac botnet, shutting down 276 domains used by criminals to control the network of compromised PCs. The takedown, for which Microsoft teamed with academic researchers and other technology firms, severed the command-and-control (C&C) channels used by the cyber criminals behind Waledac, isolating more than 70,000 infected systems.

The most interesting aspect of the counterstrike against Waledac is that Microsoft resorted to the courts to get legal authority to shut down the domains. At the time, the court granted Microsoft a temporary restraining order, allowing the company to gain control of the C&C domains. This week, a lower court recommended that Microsoft be given a default judgment, turning over the domains to the software giant's custody.


The result is a legal strategy that others can follow, says Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit.

"If you meet all the requirements and articulate [your argument] in such a way to show [the botnet] is an immediate threat, this does ... provide a new framework in which other companies can do what we did," Boscovich said.

In recent years, researchers have attempted to take down botnets, but most of the time the criminals behind the C&C servers are able to reconstitute the network. In 2008, two Internet service providers stopped routing traffic for McColo, a rogue hosting company that offered server space for botnets and criminal activity. Spam levels dropped by more than 60 percent worldwide, but rebounded after about four months. More recent takedowns have had even less impact.

Microsoft believes it has completely disassembled the Waledac botnet. With this week's recommendation by a magistrate judge to turn over the domains to Microsoft, the legal strategy will have the benefit of becoming precedent.

"We were able to take the entire botnet offline at the beginning of the case and that is extraordinary," Boscovich said. "If you give people notice before decapitating the botnet, they will just move the bots. We were able to dismantle, decapitate the botnet at the beginning, and then continue with the legal process."

The software giant expects the district court judge who presides over the case to take the lower court's recommendation. Other botnets that base their C&C system on domain names are similarly vulnerable to the legal tactic, Boscovich said.

Microsoft does not plan to sit on its laurels. Under the auspices of its Project MARS, which stands for Microsoft Active Response for Security, the company will formulate legal strategies for taking down botnets with other C&C structures, Boscovich said.

"This is the first step and a proof of concept, and it worked," Boscovich said. "In the future, you will see us approaching other botnets with different command-and-control structures in similar ways."

This article, "Microsoft botnet 'decapitation' scores legal win against cyber crime," was originally published at InfoWorld.

Copyright © 2010 IDG Communications, Inc.