Microsoft moved the battle against spam-distributing botnets from cyberspace to the court room, winning a temporary restraining order shutting down nearly 300 domains thought to make up the command and control structure for the vast Waledac botnet.
The restraining order was granted by a US federal judge in secret–a critical element of Microsoft’s plan, dubbed ‘Operation b49’. By shutting down the command and control domains for Waledac without alerting the bad guys first, Microsoft was able to essentially decapitate the botnet–severing the compromised bots from the brains of the operation.
There are some who question whether the legal system is an effective tool against botnets, or whether Operation b49 has any hope of long term success.
Randy Abrams, director of technical education for ESET, is not one of those people. “This is wonderful! This causes more work for the gang which means it costs them more to commit their crimes.”
“Any action against botnets is a good thing,” agrees Qualys CTO Wolfgang Kandek.
I agree that any action against a botnet is a good thing, but the primary goal behind Microsoft’s innovative two-pronged attack to shut down Waledac was to cut off a major source of spam. Qualys’ Kandek says that Operation b49 will have some impact on spam, but that “Waledac is not one of the major spam sources.”
“The real measurement is not how much spam this reduces, but rather if this type of action becomes another tool to combat the problem,” suggests Abrams. “The more approaches that can effectively be used, the better the war can be fought. This may well be a step toward an effective blended attack against botnets.”
Order in the Court
Generally speaking, laws themselves are not a deterrent for cyber-attacks or malware. Those who execute attacks and develop malware already know they’re breaking the law, and obviously don’t care. If they had a moral compass and ethical framework to comply with the laws, they wouldn’t be creating botnets to begin with.
This is a different sort of approach though. Microsoft didn’t seek to criminally charge the botnet developer, or sue for damages in civil court. It sought an ex parte restraining order to shut down the operation from within.
Randy Abrams explains “Court orders are one attack vector. I think this is an important development and may be used more frequently, it isn’t a panacea, but it is a weapon that causes disruption and helps in the battle.”
Court orders are a viable method of combating botnets according to Kandek as well. “Yes, but we are still in the early stages to see what legal methods apply and how legislation will have to be adapted to the new realities of the international operations of botnet operators.”
Have to Start Somewhere
There are pros and cons to Microsoft’s approach with Operation b49, but doing something is better than doing nothing, and you have to start somewhere.
Abrams notes “The pro is that it exposes a flank of the enemy. The con is that going through courts can be time consuming. There may be ways to streamline the process going forward and Microsoft has the legal resources to do this well.”
“There are no botnet nukes. Fundamentally such a weapon would have unacceptable collateral damage. This is a battle that will require an extensive arsenal of conventional weapons and innovative strategies. Trial and error will be part of the process. Court orders and domain take downs are essential weapons to have in the arsenal,” concludes Abrams.
Kandek sums up “I only see positive effects, we need better publicity on botnet penetration and the damages associated with it.”