Microsoft Fights Botnets Through Disruption

Operation b49 became the proof of concept for a strategy that is still in use: using civil law to shut down botnet command-and-control servers. Most recently, it was used to take down Rustock, Kelihos, and Zeus.
As of March 2011, Microsoft believe 22,000 IPs remain infected by Waledac.

“The key thing is to disrupt the botnet and its infrastructure, while increasing the cost [to the cyber attackers]”, said Richard Bosovich, senior attorney at DCU.

His claims echoed those of his colleague, Jonathon Ness, who also spoke on the importance of decreasing ROI for attackers. “It takes them time and money to regroup and redevelop hijacking malware”, Bosovich explained.

In the time gained from disrupting the botnet, Microsoft are able to work with victims to clean computers and refer the intelligence gathered to law enforcement authorities. When questioned about the allegation that Microsoft has disrupted law enforcement operations associated with the downed botnets, Bosovich said “We are working to ensure interference with other groups is minimised.”

Criminal investigations into the Kelihos and other botnets are still ongoing.
