Weighing Microsoft's Role in Takedown of Waledac Botnet
News of Microsoft Corp.'s recent legal action resulting in the “takedown” of the infamous Waledac botnet reveals a divided security industry and provides a confusing message for many observers, who are really missing the point.
Last week, responding to Microsoft’s lawsuit, a court in Virginia ordered VeriSign Inc. to deactivate 277 domain names and related Websites controlled by the Waledac botnet, which controlled 30,000 to 90,000 PCs and had a capability to send 1.5 billion spam messages per day.
All the domains that were used for command and control were hosted in the .com/.net TLDs under the auspices of VeriSign, whose policy on these sorts of issues is to remove domains only under court order. Until now, that has primarily restricted this sort of action to the realm of law enforcement.
The Waledac takedown, known to Microsoft as “Operation b49,” involved a carefully planned legal effort that was the result of months of investigation and collaboration with leading experts across the industry from Shadowserver, the University of Washington, Symantec Corp., the University of Mannheim, Technical University in Vienna, International Secure Systems Lab, the University of Bonn, and others.
Microsoft is hailing the action as “the first of its kind,” and Redmond is saying “it won’t be the last.” As Richard Boscovich, senior attorney with the Internet Safety Enforcement Team at Microsoft, says, “We aim to be more proactive in going after botnets to help protect the Internet. We will do whatever it takes to look out for our customers and our brand.”
So, good news all around. Shouldn’t we all applaud Microsoft’s initiative?
Well, criticism has come from two main areas. First, as Jose Nazario of Arbor Networks Inc., a security solutions provider, told The Wall Street Journal, the Internet addresses that Microsoft's lawsuit brought down could be a small percentage of those used by hackers to control the network. "The botnet will survive in many cases," said Nazario.
And Richard Cox, the chief information officer at anti-spam service Spamhaus, told ComputerWorld: "If this did affect spam, we haven't noticed… Waledac was not a high threat; it's less than 1% of spam traffic."
In addition to saying that there has been no noticeable decrease in spam levels and that Microsoft’s actions are not likely to have halted the spread of the botnet, critics are also fearful that this is the dawning of a new era of censorship, with Microsoft setting the standards and law enforcement following.
However, we have to note that such criticisms don’t offer any real solution other than law enforcement.
Microsoft has targeted Waledac before. In April 2009, the company issued a version of its Malicious Software Removal Tool (MSRT) that scrubbed the malware from Waledac-infected Windows PCs. In the second half of last year, MSRT and other Microsoft software, notably the free anti-virus program Microsoft Security Essentials, cleaned 96,000 systems of Waledac, claimed Jeff Williams, director of Microsoft's Malware Protection Center, in a blog post last week.
This is going to be an interesting ongoing debate within the security and wider computing industries. But, despite the criticism and begrudging acknowledgement, this is a new and welcome proactive approach by Microsoft to curtailing nefarious spammers and the bad guys. It is the principle that is important here -- a major industry player taking action.
As said on an ISC blog last week: “So for what it is worth, kudos to Microsoft for leveraging its legal pit bulls for good!”
I for one entirely agree. And let us all hope Microsoft keeps its word and goes after many more botnets.