Microsoft Obtains Court Order to Shut Down Botnet | PCMag.com

"Operation b49" cuts the head off of the world-wide Waledac web


An operation of the Microsoft Digital Crimes Unit (DCU) has taken down a large number of command and control (C&C) servers for the Waledac botnet. Waledac is a major spammer botnet.

After months of technical research and investigation, Microsoft sought and received a temporary restraining order in a Northern Virginia federal court for VeriSign, operators of the .COM and .NET top-level domains, to remove registrations for 273 domains.

Click here to see the complaint. The domains are listed in the complaint; I did some checks and some are still up and running, though Microsoft claims that the order was executed and has already cut heavily into Waledac traffic. We don't know if they are serving the botnet, but some are serving parked web pages.

Botnets use large numbers of domains as part of "fast flux networks" in order to hide the actual C&C servers. They rapidly change the servers by repointing the authoritative DNS for the domains to the IP addresses of various bots in the botnet. As Microsoft states in the complaint, the domain registrar is the single choke point for those domains, at least for those in the .com and .net spaces.
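From the defender's side, the rotation described above is visible in passive DNS data. The following is an added example, not code from the article or from Microsoft: it flags domains whose A answers or name-server addresses rotate across many unrelated networks with short TTLs. The record layout, the thresholds, the /16 grouping (a stand-in for an ASN lookup) and all domains and addresses are constructed assumptions, and the rows are assumed to come from one short observation window.

```python
from collections import defaultdict
from ipaddress import ip_network

MAX_TTL, MIN_IPS, MIN_NETS = 300, 4, 3  # assumed thresholds; tune on real data

def net16(ip):
    """Coarse network key (/16), used here instead of a real ASN lookup."""
    return ip_network(f"{ip}/16", strict=False)

def fluxes(rows):
    """True when answers are short-lived and spread over many networks."""
    ips = {ip for _, ip in rows}
    nets = {net16(ip) for ip in ips}
    short_ttl = max(ttl for ttl, _ in rows) <= MAX_TTL
    return short_ttl and len(ips) >= MIN_IPS and len(nets) >= MIN_NETS

def classify(observations):
    """Map each domain to 'stable', 'single-flux' or 'double-flux'."""
    by_key = defaultdict(list)
    for domain, rtype, ttl, ip in observations:
        by_key[(domain, rtype)].append((ttl, ip))
    verdicts = {}
    for domain in {d for d, _ in by_key}:
        a = by_key.get((domain, "A"), [])
        ns = by_key.get((domain, "NS"), [])  # NS rows carry the server's address
        a_flux = bool(a) and fluxes(a)
        ns_flux = bool(ns) and fluxes(ns)
        verdicts[domain] = ("double-flux" if a_flux and ns_flux
                            else "single-flux" if a_flux or ns_flux
                            else "stable")
    return verdicts

def rows(domain, rtype, ttl, ips):
    return [(domain, rtype, ttl, ip) for ip in ips]

# Constructed sample data: rows are (domain, record type, TTL, address).
BOTS = ["192.0.2.10", "198.51.100.7", "203.0.113.44", "100.64.5.9"]
CDN = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
OBSERVATIONS = (
    rows("flux.example", "A", 180, BOTS) + rows("flux.example", "NS", 300, BOTS)
    + rows("half.example", "A", 120, BOTS)
    + rows("half.example", "NS", 86400, ["192.0.2.53"])
    + rows("cdn.example", "A", 60, CDN)   # many IPs, one network: not flagged
    + rows("site.example", "A", 3600, ["192.0.2.80"])
)

if __name__ == "__main__":
    for name, verdict in sorted(classify(OBSERVATIONS).items()):
        print(f"{name:15} {verdict}")
```

The `cdn.example` rows show why network diversity matters: short TTLs and several addresses alone also describe ordinary load-balanced hosting.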

The possibility of using registrars for this purpose is an old one, but there is no good mechanism for using it. In this case, a company like Microsoft has the resources to do research and bring a legal challenge, but the courts aren't an efficient way to deal with the problem. For their part, VeriSign probably has no problem cooperating even absent a court order, but their agreement with ICANN to operate the registries probably precludes them from taking down domains simply at the request of a third party. They need the court order.

http://www.securitywatch.pcmag.com/dns/284093-microsoft-obtains-court-order-to-shut-down-botnet