Botnets—large networks of malware-infected PCs remotely controlled by criminals—are a serious problem on the Internet. The spam, phishing attacks, and malware that these networks send account for a massive proportion, in excess of 80 percent, of e-mail traffic. One such network, known as Waledac, has been stopped in its tracks after Microsoft got a court to issue a secret temporary restraining order. The restraining order took 277 domain names used by the criminals to communicate with the botnet offline. Without these domain names, it is hoped that the controllers of the botnet will permanently lose access to the machines running their malware.

The Waledac botnet is presumed to be run by Eastern Europeans and to be made up of hundreds of thousands of compromised machines. It sends hundreds of millions, if not billions, of e-mails each day, and also distributes malware to help recruit new machines to the network. Microsoft's complaint describes in detail how the botnet is organized, with a complex hierarchical control system. At the root of the system are the command-and-control servers. The botnet uses the 277 domain names to connect to the command-and-control servers and download new commands. These commands are then distributed through the different tiers of the network using peer-to-peer transmission.

The restraining order disrupted this command-and-control system; with the domain names offline, the machines in the botnet were no longer able to locate their control servers, rendering them mostly harmless. The court action had to be taken in secret to avoid warning the botnet's operators; with sufficient warning, they might have been able to set up new domain names and new control systems, thereby circumventing Microsoft's efforts. The names have now been offline for three days, presumably sufficient to cause permanent disruption, and the injunction is now public.

Similar action against past botnets has been attempted by security researchers before, but the results were only temporary, as new command-and-control servers were set up. Microsoft's intent is for this action to be more permanent. "Operation b49," as Redmond has called it internally, still has further work to do to ensure that the peer-to-peer communication between computers in the botnet is disrupted.

This is critical if the mission is to be successful; the company notes that the operation is not a "silver bullet," as it does not remove the malware from the infected PCs. Though the operation has taken them out of the hands of the hackers, they are still infected and are still trying to contact the control system. The ultimate solution is for those with infected PCs to ensure that they are patched and have the malware removed as soon as possible.
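The two points above (the bots reach their control servers through a fixed set of domain names, and after the takedown the infected machines keep trying to resolve those names) give a network defender a simple way to find infected PCs that still need cleaning: watch the resolver logs for queries to the seized domains. The following script is an added illustration of that check, not code from the article or from Microsoft; the domain list is a constructed placeholder standing in for the 277 names in the order (which the article does not reproduce), and the log lines are constructed samples in an assumed BIND-style query-log format.

```python
import re
from collections import defaultdict

# Constructed placeholder list standing in for the domains named in the
# takedown order. The real Waledac names are not reproduced here.
TAKEDOWN_DOMAINS = {
    "c2-placeholder-1.example",
    "c2-placeholder-2.example",
    "c2-placeholder-3.example",
}

# Constructed sample resolver log lines; a BIND-style query log format is assumed.
# 192.0.2.10 and 192.0.2.30 query seized names; 192.0.2.20 only queries
# look-alikes that must NOT be flagged.
SAMPLE_LOG = """\
10-Feb-2010 12:00:01.123 client 192.0.2.10#51234: query: c2-placeholder-1.example IN A + (198.51.100.1)
10-Feb-2010 12:00:02.456 client 192.0.2.10#51235: query: www.update.c2-placeholder-2.example IN A + (198.51.100.1)
10-Feb-2010 12:00:03.789 client 192.0.2.20#40000: query: www.example.org IN A + (198.51.100.1)
10-Feb-2010 12:00:04.000 client 192.0.2.30#40001: query: c2-placeholder-3.example IN A + (198.51.100.1)
10-Feb-2010 12:00:05.000 client 192.0.2.10#51236: query: c2-placeholder-1.example IN A + (198.51.100.1)
10-Feb-2010 12:00:06.000 client 192.0.2.20#40002: query: notc2-placeholder-1.example IN A + (198.51.100.1)
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def matches_takedown(qname, blocklist=TAKEDOWN_DOMAINS):
    """Return the blocklisted domain that qname equals or sits under, else None.

    Plain suffix matching would be wrong: 'notc2-placeholder-1.example' must not
    match 'c2-placeholder-1.example', so the label boundary ('.') is required.
    """
    name = qname.rstrip(".").lower()
    for dom in blocklist:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def find_infected_hosts(log_text, blocklist=TAKEDOWN_DOMAINS):
    """Map each client IP that queried a seized domain to its number of such queries.

    Hosts in the result are candidates for patching and malware removal; the
    takedown itself leaves them infected.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        if matches_takedown(m.group("qname"), blocklist):
            hits[m.group("ip")] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, count in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {count} queries for seized domains; schedule remediation")
```

On the constructed sample this reports 192.0.2.10 (three queries, one of them for a subdomain of a seized name) and 192.0.2.30, and ignores 192.0.2.20, whose queries only resemble the seized names. In practice the same query-log scan works against any resolver that logs client addresses and query names.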

Even if Operation b49 is ultimately successful and the Waledac network is taken offline, it unfortunately generates only a small fraction of the spam sent each day. Microsoft insists that this will not be the last such action, and that we should "stay tuned" for more. The botnets have had the upper hand for many years now; if this action has lasting success, it could be the first real step in the fight against spam.