In a unique new legal maneuver, Microsoft this week permanently shut down 276 web domains that were being used by a cybergang to spread spam and malware to hundreds of thousands of PCs. Microsoft had previously been granted a temporary restraining order giving it permission to take the domains offline. But when the owner of the domains couldn't be reached, and thus couldn't defend himself in court, Microsoft filed a motion asking for permanent ownership of the domains. That motion was granted Wednesday because it was in the public interest to shut down the botnet.
"It's open season on botnets," Microsoft Senior Attorney Richard Boscovich said. "The hunting licenses have been handed out, and we're coming back for more." Put another way, Microsoft has now established a legal precedent that allows it to take control of US-registered domains that are being used to conduct criminal activity online. And according to the company, there are dozens of major botnets still out there, as well as hundreds of smaller ones.
As for the botnet it now owns, Microsoft must contend with the many PCs that are still infected. At the height of its activity in 2009, the botnet—called Waledac—was delivering more than 1.9 million spam messages every day. After the botnet was taken down in February, Microsoft monitored the traffic to the domains and discovered that tens of thousands of infected PCs were attempting to contact the servers each day, looking for instructions. As recently as last month, almost 60,000 PCs were still trying to connect to the Waledac botnet via the 276 domains Microsoft now owns. These PCs made almost 15 million connection attempts in that time period.
Microsoft has worked with Internet providers to contact the owners of the PCs and provide them with help removing the malware. Microsoft's free Security Essentials product detects and removes the Waledac software.
As for the criminals behind the Waledac botnet, they're living under false names in China and are aware of the transfer of their domains to Microsoft. They have two weeks to contest the transfer, which is unlikely, since the domains were used for illegal activity. But they've responded in other ways. "Microsoft presented evidence to the court that, although the defendants did not come forward, they were aware of the case and actively tried to retaliate, attempting to launch a distributed denial of service (DDoS) attack against the law firm that filed the suit and even going so far as to threaten one of the researchers involved in the case," a Microsoft blog post reads.