
Inside Microsoft botnet takedowns

Weapon of choice to beat botnets is a legal-technology one-two punch

By , Network World
September 25, 2012 10:48 AM ET

Network World - When Microsoft took extraordinary steps earlier this month to disrupt the Nitol botnet it was the fifth time its Digital Crimes Unit had taken action against such threats, each time expanding its technical and legal toolkit for making it harder and more expensive to run cybercrime enterprises.

Using a creative interpretation of some common law precedents as well as the U.S. Computer Fraud and Abuse Act, DCU won a court order granting Microsoft control over an entire Internet domain to which it had traced command and control servers that rode herd over the botnet.

The company then used new technology from partner firm Nominum to disable only those subdomains proven to harbor malicious activities, leaving the rest to function unmolested.
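The selective disabling described above, sinkholing only the malicious names in a domain while the rest keep resolving, is the idea behind DNS response-policy filtering. The following is an added illustration written for this article, not Nominum's or Microsoft's code, and it assumes RPZ-style matching rules (exact names plus "*." wildcard subtrees); the domain, hostnames, the blocklist and the addresses are all constructed sample data.

```python
"""Selective subdomain sinkholing, RPZ-style (added example, not the product code
described in the article). Matched names get a sinkhole answer; everything else
in the domain is handed through unchanged."""
from typing import Optional, Tuple, List

SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address, used as the sinkhole target

# Constructed policy: names listed exactly are sinkholed; entries beginning
# with "*." sinkhole every name strictly below that label (not the label itself).
POLICY = {
    "evil.example.net",
    "cnc-01.example.net",
    "*.dropzone.example.net",
}

# Constructed stand-in for the domain's upstream authoritative data.
UPSTREAM = {
    "www.example.net": "203.0.113.10",
    "mail.example.net": "203.0.113.20",
    "evil.example.net": "203.0.113.66",
    "cnc-01.example.net": "203.0.113.67",
    "a.dropzone.example.net": "203.0.113.68",
    "dropzone.example.net": "203.0.113.69",
}


def normalize(qname: str) -> str:
    """Canonical form for matching: lowercase, no trailing dot."""
    return qname.rstrip(".").lower()


def policy_action(qname: str, policy=POLICY) -> str:
    """Return 'sinkhole' if the query name matches the policy, else 'pass'."""
    name = normalize(qname)
    if name in policy:
        return "sinkhole"
    # Wildcard entries match any name strictly below the suffix.
    for entry in policy:
        if entry.startswith("*."):
            suffix = entry[2:]
            if name.endswith("." + suffix):
                return "sinkhole"
    return "pass"


def resolve(qname: str, upstream=UPSTREAM, policy=POLICY) -> Tuple[str, Optional[str]]:
    """Answer like a policy-enforcing resolver: sinkhole matched names,
    pass everything else through to the upstream data."""
    if policy_action(qname, policy) == "sinkhole":
        return ("sinkhole", SINKHOLE_IP)
    return ("pass", upstream.get(normalize(qname)))


def survivors(upstream=UPSTREAM, policy=POLICY) -> List[str]:
    """Names in the domain that keep resolving normally under the policy."""
    return sorted(n for n in upstream if policy_action(n, policy) == "pass")


if __name__ == "__main__":
    for name in UPSTREAM:
        print(name, "->", resolve(name))
    print("still resolving:", survivors())
```

The point of the wildcard rule is granularity: a policy entry for `*.dropzone.example.net` removes the whole subtree used for malicious activity without touching `dropzone.example.net` itself or any sibling name, which is what lets legitimate subdomains of a seized domain continue to function.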

While the effort doesn't guarantee the demise of Nitol, it does make things more difficult for the people behind it, and it serves notice to other criminals that Microsoft might strike them at any time, says Richard Boscovich, assistant general counsel for the DCU.

All the DCU's efforts are intended to make it more expensive for criminals to run their enterprises and to add risk when they do, he says. By increasing the cost of doing business, he hopes there will be less crime. Each time criminals suffer a setback, it takes them more time and money to create more sophisticated code in order to stay in business. And since not everyone has the talent, fewer people will be able to do it, and it will cost more.

The DCU has just 11 members or so, augmented by tapping the resources of other departments within Microsoft as well as technology partners, universities and CERTs throughout the world with which it pieces together teams devoted to each assault against Internet criminals, says TJ Campana, the director of DCU.

These teams are made up of 10 to 20 individuals. "They're small enough to be nimble but they can draw on the large resources of Microsoft," he says. Keeping them small also reduces the chance of leaks. Also, the teams are told that they are running the show, giving them ownership of the project, Campana says.

DCU was set up in 2003 as a joint legal and technical group based at Microsoft headquarters in Redmond, Wash., with some members based in Europe and some in Asia. In 2009 it became part of Microsoft Active Response for Security (MARS), a collaboration of DCU, the Microsoft Malware Protection Center and Microsoft Trustworthy Computing formed specifically to combat botnets. The new group created a top threats list and started planning legal and technical approaches to address the targets.

By February 2010, it took down the Waledac botnet with the goal of dismantling its command and control servers. Traditional courts and actions by the Internet governing body, the Internet Corporation for Assigned Names and Numbers (ICANN), let criminals know ahead of time that they had been found out. "It took too long, and it let the domain owner who was dirty know," says Boscovich.
