An Update on Operation b49 and Waledac

Those of you who read an earlier post of mine know about Operation b49, our work to take down the Waledac botnet.  For those who don’t, I will summarize by saying that Microsoft’s Digital Crimes Unit, in partnership with Microsoft’s Trustworthy Computing team and the Microsoft Malware Protection Center, undertook a combination of technical measures and previously untried legal techniques to disrupt and control the Waledac botnet. It was apparent from our own and from independent telemetry that the technical measures were successful, and today we are providing an update on the novel legal aspects of this approach. 
Our intent with this approach was to both disable the command and control infrastructure of the botnet so that new commands could not be issued to the computers which were still infected with the malware and to maintain that control in the long term while working within the law. To date, we have seen virtually no reemergence of Waledac traffic. This puts the Waledac takedown among a very few successful efforts to shut down a botnet without having it re-emerge.
On July 12, we filed a legal motion asking the judge to give Microsoft control of the domains involved in the command and control because the defendants have not come forward to claim ownership of the domains (with the exception of one man in Oregon who came forward to reclaim his compromised domain).  We have gone to great lengths to reach the defendants through personal delivery, email, fax and postal mail as well as public notice provided on the Internet at We also have credible evidence to suggest that not only are they aware of the suit but they have attempted to retaliate against us (specifically, thousands of connections to the site from a single IP in Moscow as well as numerous probes for security vulnerabilities that would allow for SQL Injection or PHP Remote File Injection).
As you may have seen in USA Today this morning, Judge Anderson has indicated that he recommends that the court grant our request and permanently transfer ownership of the 276 domains used for command and control of the Waledac botnet to Microsoft. The current owners of those domains have 14 days to come forward with an objection, but we think that this is quite unlikely and that these results will be final.
Anyone who believes that they may be infected can find support and information and other resources (including no-cost tools to clean the computer) at Since our control of the C&C domains provides us visibility into the full scale of infected systems, we have also been working with ISPs to develop a course of action specific to each ISP for remediating infected systems on those providers. We are already beginning to see positive results even though we are at the beginning of this cleaning process.  We have other activities going on with CERTs internationally.
Operation b49 is the first initiative in the larger Project MARS (Microsoft Active Response for Security). As I have said before, there’s more to come. You can read more about today’s news on the Official Microsoft Blog.
Jeff Williams
Principal Group Program Manager
Microsoft Malware Protection Center

Comments (0)

Skip to main content