Microsoft gets ownership of Waledac domains

  • Article

Back in February of this year, Microsoft got a court order which ordered various registrars to disable various websites that were associated with the Waledac botnet.  This court order was unusual (well, more like it set a precedent) in that Microsoft was not the legal owner of these domains.  Instead, the owners of the websites had to take them down.  It is thought that this disruption put a very serious dent in Waledac because the bots were using the domains as a command-and-control center.

From USA Today:

The U.S. District Court of Eastern Virginia last week granted a motion that, in effect, gives Microsoft permanent ownership of 276 Web domains once used by the Waledac cybergang to send instructions to hundreds of thousands of spam-spreading PCs.

Cybersleuths and attorneys at Microsoft's digital crimes unit actually decapitated the Waledac botnet in February by persuading District Court Judge Leonie Brinkema to issue a temporary restraining order to take the 276 domains offline.

With permanent ownership of the domains, Microsoft now has a proven legal means to take aim at U.S.-registered domains — including .com, .net, .biz and .org domains — shown to be conducting criminal activity. "It's open season on botnets," says Boscovich. "The hunting licenses have been handed out, and we're coming back for more."

So, what does transferring ownership of these domains to Microsoft actually mean in real life?  I’m not an expert here but I’ll hazard a guess or two.

  1. Gaining ownership means that these websites will be permanently shut down and that means that any Waledac nodes out in the wild that keep attempting to call home for command updates will never be able to get spamming instructions updates.  If the domains ever went and reverted back to their original owners, it could mean that a bot that was stranded out in the wild could eventually get back online and start spamming again.

  2. Gaining ownership of the domains is also a means of analysis.  If Microsoft were to re-activate the domains, they could start receiving instructions again from (tens of?) thousands of Waledac bots from around the world, trying to receive instructions.  These bots could be intercepted and their IP addresses noted and a table of statistics built around their profiles.  They could also see what sort of communication protocol Waledac is using and how many live infections there are still in the wild.

  3. With legal precedent, Microsoft now has the legal means to very quickly shut down activity of compromised botnet domains and have ownership transferred to them.  This means that if we ever do find a secondary tool for shutting down domains like this (other than cutting off the botnet), the path to ownership transfer will be quicker in the future than it is today.

Those are the three that I can think of.