Microsoft says it decimated Waledac botnet

Microsoft has said that its legal action against Waledac domains has "decimated" the eponymous botnet.

Microsoft on Monday said that research indicated that commands to Waledac zombies had ceased, following the granting of a temporary restraining order that cut off over 270 domains suspected of channelling command and control instructions. The legal action and associated operations were codenamed Operation b49.

"Early data from Microsoft and other researchers indicate that our actions have effectively decimated communications within the Waledac bot network," said Jeff Williams, director of the Microsoft Malware Protection Center, in a blog post on Monday. "That's good news because it indicates that Operation b49 effectively severed between 70,000 and 90,000 computers from this botnet."

Williams added that Waledac appears to no longer be spreading the Waledac bot infection to other computers. Researchers from Sudosecure, who track new Waledac infections, noticed a sharp decline in new IP addresses appearing within the bot network, said Williams.

Williams' blog post admitted that Microsoft's action had not appreciably shrunk global spam volumes. Microsoft had earlier called the botnet a "major distributor of spam globally".

Spam research organisation Spamhaus said that a cessation of commands to bots could have occurred for a number of reasons. While Microsoft's legal action could have disrupted the botnet, a more likely reason for a cessation of commands is that the botnet controllers are currently lying low, Spamhaus chief information officer Richard Cox told ZDNet UK on Wednesday.

"[Microsoft's action] probably caused the bad guys to retrench and find a less vulnerable technology," said Cox. "When they became aware of [Microsoft's action], the most logical thing to do would have been to retreat quickly and redeploy in a more resilient manner."

Cox praised Microsoft's efforts to take down the Waledac botnet, but said that individual companies or groups could not effect major change compared with what international botnet legislation could achieve.

"What Microsoft did was good. Microsoft is doing all it can," said Cox. "But what it can do is very small compared to what could be achieved if the right legislative framework was put forward in Europe."

Cox added that this would create conditions for police forces to be trained and equipped to deal with botnets in individual European countries. While this would not solve the problem of law enforcement cooperation and jurisdiction outside Europe or the US, legislation would be more effective than individual action, said Cox.

Sophos security researcher Fraser Howard told ZDNet UK that it was difficult to say how effective Microsoft's action against Waledac had been, and added that Microsoft had not yet given an update on work to disrupt the Waledac botnet's peer-to-peer command functionality.