Microsoft helps smash massive botnet

Microsoft announced this week that, together with industry partners, it has executed a major takedown of Waledac, a large and well-known spam botnet.

Botnets are networks of compromised computers controlled by "bot herders" or "bot masters", who use the thousands (sometimes millions) of compromised machines to distribute adware and spyware, send spam email and launch DDoS attacks. Bot software is typically installed on end users' machines through web browser vulnerabilities, worms, Trojan horses or backdoors. The bot master then controls the machines, traditionally by issuing commands over IRC, to launch attacks or send spam.
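As an added example (not from the article, and not Microsoft's or any vendor's tooling): a small Python script that parses IRC protocol lines and scores a captured session against two generic indicators of IRC command-and-control, IRC on a non-standard port and a client that joins a channel and then only listens for instructions. The session data, host names and nicks below are constructed, and the two heuristics are illustrative rather than Waledac-specific signatures.

```python
"""Added example: parse IRC protocol lines and flag sessions that look like
bot command-and-control rather than human chat.

Not code from the article or from Microsoft; the session data below is
constructed for illustration and the two heuristics are generic
indicators, not Waledac-specific signatures.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Conventional IRC ports; bots often talk IRC on other ports to blend in
# with whatever egress the network allows.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}


@dataclass
class IrcMessage:
    prefix: Optional[str]   # sender, e.g. "nick!user@host" or a server name
    command: str            # "PRIVMSG", "JOIN", "332", ...
    params: List[str]       # middle params plus the trailing text, if any


def parse_irc_line(line: str) -> IrcMessage:
    """Split one RFC 1459 line into prefix, command and params."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:                      # trailing param may contain spaces
        head, _, trailing = line.partition(" :")
        parts = head.split()
        params = parts[1:] + [trailing]
    else:
        parts = line.split()
        params = parts[1:]
    if not parts:
        raise ValueError("empty IRC line")
    return IrcMessage(prefix, parts[0].upper(), params)


# Each session is (server_port, [(direction, raw_line), ...]);
# "c" = client -> server, "s" = server -> client. Constructed data.
Session = Tuple[int, List[Tuple[str, str]]]

BOT_SESSION: Session = (8080, [
    ("c", "NICK guest2831"),
    ("c", "USER guest2831 0 * :guest2831"),
    ("s", ":cc.example 001 guest2831 :Welcome"),
    ("c", "JOIN #ctrl"),
    ("s", ":cc.example 332 guest2831 #ctrl :standby"),
    ("s", ":herder!h@cc.example PRIVMSG #ctrl :standby"),
    # the client never says anything; it only waits for instructions
])

HUMAN_SESSION: Session = (6667, [
    ("c", "NICK alice"),
    ("c", "USER alice 0 * :Alice"),
    ("s", ":irc.example 001 alice :Welcome"),
    ("c", "JOIN #python"),
    ("s", ":bob!b@host.example PRIVMSG #python :hi alice"),
    ("c", "PRIVMSG #python :hi bob"),
])


def analyse_session(session: Session) -> List[str]:
    """Return the list of C&C indicators that fire for one IRC session."""
    server_port, lines = session
    client_cmds = [parse_irc_line(raw).command for d, raw in lines if d == "c"]
    server_msgs = [parse_irc_line(raw) for d, raw in lines if d == "s"]

    reasons: List[str] = []
    # Only score sessions that actually register as an IRC client.
    if not ("NICK" in client_cmds and "USER" in client_cmds):
        return reasons
    if server_port not in IRC_PORTS:
        reasons.append("irc-on-nonstandard-port")
    # PRIVMSGs the server relayed into a channel the client sits in.
    channel_traffic = sum(
        1 for m in server_msgs
        if m.command == "PRIVMSG" and m.params and m.params[0].startswith("#")
    )
    if "JOIN" in client_cmds and "PRIVMSG" not in client_cmds and channel_traffic:
        reasons.append("joins-channel-and-only-listens")
    return reasons


if __name__ == "__main__":
    for name, session in (("bot", BOT_SESSION), ("human", HUMAN_SESSION)):
        print(name, analyse_session(session) or "no indicators")
```

On real traffic these indicators need tuning: plenty of legitimate clients lurk in channels, so the "only listens" rule is a weak signal on its own and is best combined with the port check, the age of the destination host, and how many internal hosts connect to the same server.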

Microsoft, a founding member of the Botnet Task Force, said it was proud to announce the takedown of the Waledac botnet, known internally at Microsoft as "Operation b49". Tim Cranton, Associate General Counsel at Microsoft, said the result was due to months of investigation and legal strategy. "At Microsoft, we don't accept the idea that botnets are a fact of life. Given the recent spread of botnets, we are getting even more creative and aggressive in the fight against botnets and all forms of cybercrime," he said in a statement.

A federal judge of the U.S. District Court for the Eastern District of Virginia granted a temporary restraining order cutting off 277 Internet domains associated with the Waledac botnet. The botnet was believed to have the capacity to send over 1.5 billion spam emails per day. Microsoft claims that in December alone, approximately 651 million spam emails attributable to Waledac were directed at Hotmail accounts. The emails included offers and scams related to online pharmacies, imitation goods and jobs. For the general Internet user, hopefully this will result in fewer offers of Viagra, Nigerian lottery winnings and penis enlargement services. Wishful thinking?

Image of Waledac bot compromised computers


Well done by Microsoft! Their effort in looking for new technology to protect our system from all forms of cybercrime is good for everybody in the Internet community.


this is the type of work I like to see...taking down these destructive networks and the owners..

this helps everyone on the information highway move around smoothly....without all this garbage taking up much needed bandwidth..

I was surprised by the number of people I knew who were stupid enough to fall for spam emails, the fake "Your Computer is Infected" scareware, and even how willing they were to give out their credit card numbers to people from these spam emails or software. These same people would then blame Windows for their lack of antivirus or computer knowledge, and even blame their children for breaking the computers.

the only thing to blame for things like this is people who turn off automatic updates in their software, it's not a Windows problem or an IRC problem.

For every botnet that uses IRC there's millions of legitimate users who need/like that control.

Just because terrorists fly planes doesn't mean we should ban all aircraft. Even if IRC was done away with (which would be almost impossible anyway) they'd just find another channel.

bmaher said,
For every botnet that uses IRC there's millions of legitimate users who need/like that control.

Just because terrorists fly planes doesn't mean we should ban all aircraft. Even if IRC was done away with (which would be almost impossible anyway) they'd just find another channel.

they'd use Twitter instead ;)

bmaher said,
For every botnet that uses IRC there's millions of legitimate users who need/like that control.

Just because terrorists fly planes doesn't mean we should ban all aircraft. Even if IRC was done away with (which would be almost impossible anyway) they'd just find another channel.

Indeed! Most bots have their own written IRC code. There is nothing stopping them from using port 80, either. Then would the solution be to shut down HTTP traffic? :P

bmaher said,
For every botnet that uses IRC there's millions of legitimate users who need/like that control.

Just because terrorists fly planes doesn't mean we should ban all aircraft. Even if IRC was done away with (which would be almost impossible anyway) they'd just find another channel.


You probably don't realize just how many people there are that control a botnet or have ties to someone who does. While there are users who do use it for what it's intended for, I don't feel that's enough justification to keep IRC around.

Also, your plane analogy falls apart, since one would have to physically take control of an aircraft to do anything with it, or go through the proper channels to obtain an airplane. IRC doesn't need much effort to get up and running. All one needs is a server, which they can host from their own home, and it costs little to no money.

On technicalities, IRC would be very hard to get rid of due to its nature. One could block the main ports, but all they'd need to do is open up some more and problem solved. Close a server down, another pops up. There's just no stopping it.

xiphi said,
You probably don't realize just how many people there are that control a botnet or have ties to someone who does. While there are users who do use it for what it's intended for, I don't feel that's enough justification to keep IRC around.
Hmm... so we should close down the Neowin IRC server? Or perhaps freenode (http://en.wikipedia.org/wiki/Freenode), which I would have to say is one of the largest ones out there?

xiphi said,

You probably don't realize just how many people there are that control a botnet or have ties to someone who does. While there are users who do use it for what it's intended for, I don't feel that's enough justification to keep IRC around.

Also, Your plane analogy falls apart since one would have to physically take over control an aircraft to do anything with it or go through the channels to obtain an airplane. IRC doesn't need much effort to get it up and running. All one needs is a server which they can host from their own home, and it costs little to no money.

On technicalities, IRC would be very hard to rid of due to its nature. One could block the main ports, but all they'll need to do is open up some more and problem solved. Close a server down, another pops up. There's just no stopping it.

I don't think you really fully understand IRC, to be honest. You're making it sound like IRC was only set up for botnets, which isn't the case. The IRC protocol is so simple to use, which is why it's used for a lot of things. If you somehow managed to get rid of IRC they would just move on to other protocols; not all botnets run from modified IRC servers anyway.

Fubar said,

I don't think you really fully understand IRC, to be honest. You're making it sound like IRC was only set up for botnets, which isn't the case. The IRC protocol is so simple to use, which is why it's used for a lot of things. If you somehow managed to get rid of IRC they would just move on to other protocols; not all botnets run from modified IRC servers anyway.


Um, I fully "understand" IRC. I most likely have seen a lot more than you have. You just seem too blind to the fact that IRC is now used mainly as a tool for such things as botnets. I know exactly what I'm talking about. The people who control these botnets aren't going to admit they do such a thing. They won't tell how they do it, where they do it, or even why. Unless you're socially smart enough to trick them into telling you anything, it's not going to happen. Neowin may not have any such activity on their IRC network, but it's just one network out of thousands. Like I said before, it's impossible to stop it due to its nature.


Also, to the person who said they'd use twitter. That will only work for so long. It's waaaaaaaaaaaaay too easy to spot accounts used for such a thing, and does not give the user the control IRC gives them. Only an amateur would use Twitter.


If IRC was done away with, I'm sure it'd solve half the problem. IRC gives users way too much control. For example, an IRCd could give the Network Admin the ability to make the botnets invisible to users and only respond to certain people.

How do you do away with a protocol? And what are you talking about? IRC gives users exactly as much control as its designed to. They can make channels, manage the channels, and send text messages. That's it. Are you suggesting that botnet owners shut down their own irc servers? Nothing you said makes any sense.

Edited by Memnochxx, Feb 25 2010, 2:33pm :

Memnochxx said,
How do you do away with a protocol? And what are you talking about? IRC gives users exactly as much control as its designed to. They can make channels, manage the channels, and send text messages. That's it. Are you suggesting that botnet owners shut down their own irc servers? Nothing you said makes any sense.

Have you even been on IRC or managed your own server? Looks like you just read the wikipedia entry and posted here. You obviously know nothing about IRC.

I've been using IRC for 9 years, your suggestion that it could be eliminated or that its elimination would prevent botnets from using similar custom socket communication is laughable.

Edited by Memnochxx, Feb 25 2010, 11:47pm :

xiphi said,
...nonsense about killing irc just because of how a few people use it...
The Internet allows people to share pornographic pictures of children. The risks outweigh the benefit of having an Internet, ergo we should ban the Internet.

I really don't understand why you keep covering all the (too many) problems with Windows XP, a really AGING OS. Enough is enough. Enterprises HAVE to upgrade to Windows Vista or Windows 7. Period.

DaveGreen said,
I really don't understand why you keep covering all the (too many) problems with Windows XP, a really AGING OS. Enough is enough. Enterprises HAVE to upgrade to Windows Vista or Windows 7. Period.

The flaw that this botnet took advantage of was present in everything from Windows 2000 through Server 2008 R2, it wasn't just limited to XP.

DaveGreen said,
I really don't understand why you keep covering all the (too many) problems with Windows XP, a really AGING OS. Enough is enough. Enterprises HAVE to upgrade to Windows Vista or Windows 7. Period.

Not all companies have the extra money to spend on that upgrade right now.

roadwarrior said,

The flaw that this botnet took advantage of was present in everything from Windows 2000 through Server 2008 R2, it wasn't just limited to XP.

Per the security bulletin mentioned above, not 2008 R2, just Server 2008. Still, your point stands.

pickypg said,

Not all companies have the extra money to spend on that upgrade right now.

It's not that they don't have the money, it's that they don't budget for it. They take the saying "if it ain't broke, don't fix it" WAY too far. Going 10 years (Win2000, or 8.5 years for XP) with the same operating system is just being a tightass. I would think increased productivity from upgrading to faster computers and better OSs, having fewer BSODs, and being less susceptible to security holes (DEP, ASLR) would be enough of an incentive to unclench and reposition some money to the IT budget.

The money is there; they just don't think they need to spend any of it on computers that still work. I have an old Pentium 100MHz that still works. Does that mean I should never have upgraded to a new computer?