Microsoft says it decimated Waledac botnet

Microsoft says it decimated Waledac botnet

Summary: The company has said that thousands of bots are no longer receiving commands and attributed it to earlier legal action

TOPICS: Security

Microsoft has said that its legal action against Waledac domains has "decimated" the eponymous botnet.

Microsoft on Monday said that research indicated that commands to Waledac zombies had ceased, following the granting of a temporary restraining order that cut off over 270 domains suspected of channelling command and control instructions. The legal action and associated operations were codenamed Operation b49.

"Early data from Microsoft and other researchers indicate that our actions have effectively decimated communications within the Waledac bot network," said Jeff Williams, director of the Microsoft Malware Protection Center, in a blog post on Monday. "That's good news because it indicates that Operation b49 effectively severed between 70,000 and 90,000 computers from this botnet."

Williams added that Waledac appears to no longer be spreading the Waledac bot infection to other computers. Researchers from Sudosecure, who track new Waledac infections, noticed a sharp decline in new IP addresses appearing within the bot network, said Williams.

Williams' blog post admitted that Microsoft's action had not appreciably shrunk global spam volumes. Microsoft had earlier called the botnet a "major distributor of spam globally".

Spam research organisation Spamhaus said that a cessation of commands to bots could have occurred for a number of reasons. While Microsoft's legal action could have disrupted the botnet, a more likely reason for a cessation of commands is that the botnet controllers are currently lying low, Spamhaus chief information officer Richard Cox told ZDNet UK on Wednesday.

"[Microsoft's action] probably caused the bad guys to retrench and find a less vulnerable technology," said Cox. "When they became aware of [Microsoft's action], the most logical thing to do would have been to retreat quickly and redeploy in a more resilient manner."

Cox praised Microsoft's efforts to take down the Waledac botnet, but said that individual companies or groups could not effect major change compared with what international botnet legislation could achieve.

"What Microsoft did was good. Microsoft is doing all it can," said Cox. "But what it can do is very small compared to what could be achieved if the right legislative framework was put forward in Europe."

Cox added that this would create conditions for police forces to be trained and equipped to deal with botnets in individual European countries. While this would not solve the problem of law enforcement cooperation and jurisdiction outside Europe or the US, legislation would be more effective than individual action, said Cox.

Sophos security researcher Fraser Howard told ZDNet UK that it was difficult to say how effective Microsoft's action against Waledac had been, and added that Microsoft had not yet given an update on work to disrupt the Waledac botnet's peer-to-peer command functionality.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • 70,0000 to 90,0000 computers? A very small number considering some of these botnets are in the millions, and there are so many of them operating, thanks to Microsoft windows, insecure OS. They didn't worry about security years back and now it is too late to try and catch up. The damage is done.