Inside Microsoft botnet takedowns

Weapon of choice to beat botnets is a legal-technology one-two punch

When Microsoft took extraordinary steps earlier this month to disrupt the Nitol botnet it was the fifth time its Digital Crimes Unit had taken action against such threats, each time expanding its technical and legal toolkit for making it harder and more expensive to run cybercrime enterprises.

Using a creative interpretation of some common law precedents as well as the U.S. Computer Fraud and Abuse Act, DCU won a court order granting Microsoft control over an entire Internet domain to which it had traced command and control servers that rode herd over the botnet.


The company then used new technology from partner firm Nominum to disable only those subdomains proven to harbor malicious activities, leaving the rest to function unmolested.

While the effort doesn't guarantee the demise of Nitol it does make things more difficult for the people behind it, and it serves notice to other criminals that Microsoft might strike them at any time, says Richard Boscovich, assistant general counsel for the DCU.

All the DCU's efforts are intended to make it more expensive for criminals to run their enterprises and to add risk when they do, he says. By increasing the cost of doing business, he hopes there will be less crime. Each time criminals suffer a setback, it takes them more time and money to create more sophisticated code in order to stay in business. And since not everyone has the talent, fewer people will be able to do it, and it will cost more.

The DCU has just 11 members or so, augmented by tapping the resources of other departments within Microsoft as well as technology partners, universities and CERTs throughout the world with which it pieces together teams devoted to each assault against Internet criminals, says TJ Campana, the director of DCU.

These teams are made up of 10 to 20 individuals. "They're small enough to be nimble but they can draw on the large resources of Microsoft," he says. Keeping them small also reduces the chance of leaks. Also, the teams are told that they are running the show, giving them ownership of the project, Campana says.

DCU was set up in 2003 as a joint legal and technical group based at Microsoft headquarters in Redmond, Wash., with some members based in Europe and some in Asia. In 2009 it became part of Microsoft Active Response for Security (MARS), a collaboration of DCU, the Microsoft Malware Protection Center and Microsoft Trustworthy Computing formed specifically to combat botnets. The new group created a top threats list and started planning legal and technical approaches to address the targets.

By February 2010, it took down the Waledac botnet with the goal of dismantling its command and control servers. Traditional courts and actions by the Internet governing body, the Internet Corporation for Assigned Names and Numbers (ICANN), let criminals know ahead of time that they had been found out. "It took too long, and it let the domain owner who was dirty know," says Boscovich.

So Microsoft put in a bid for an ex parte hearing, meaning a judge listened to just one party, without the other being present, and could approve legal action against the other party without notifying it. It's an extraordinary remedy, but the judge deemed it an extraordinary circumstance, he says. The other party does get to present its side, but at a later date. In the case of Waledac, the tactic gave Microsoft time to seize 277 domain names and shut them down.

Next they went after Rustock, a botnet specializing in sending spam to lure victims into buying counterfeit pharmaceuticals, using the trademarks of Pfizer and Microsoft in the process. The case explored new legal ground by applying the Lanham Act -- a law that is typically used to seize counterfeits such as knockoff handbags and watches before the counterfeiters can move them -- to cybercrime. Microsoft, along with Pfizer, the University of Washington and FireEye, won an order to seize the Rustock command and control servers from ISPs in seven U.S. cities.

From those servers Microsoft learned about domains Rustock might use as rendezvous points for the botnet after its C&C servers were taken down. The company bought up those domains.

In the case of the Kelihos spambot, subdomains of a particular domain were used for malicious purposes, but because of the way domain registration goes, it's difficult to find out to whom subdomains are registered and the domain owner may not know who controls the subdomain, he says.

But a new legal argument gave Microsoft the standing to again seize an entire domain to shut Kelihos down, Boscovich says. The argument goes that if the domain owner, as part of its agreement with registrants, requires that they not carry on illegal activities, by extension that contract applies to Microsoft because it can benefit or be harmed depending on how the registrant behaves.

In that scenario Microsoft becomes a third-party contractual beneficiary, he says, giving it standing to seek legal action for malicious activity the registrant might engage in. "It's a creative way to obtain remedies that we wanted," Boscovich says.

In the case of Kelihos, Microsoft took offline an entire domain consisting of several hundred thousand subdomains, leaving the company to negotiate a settlement with the domain's owner, Dominique Alexander Piatti, on terms under which the domain could be brought back up.

Kelihos wasn't as massive as Rustock, but Microsoft decided to go after it because its code seemed linked to Waledac's. "Analysis of Kelihos shows large portions of the code of Kelihos are shared with Waledac suggesting it is either from the same parties or that the code was obtained, updated and reused," according to a Microsoft Malware Protection Center blog from January 2011.

Microsoft says it didn't want criminals to think that Microsoft would let them rebuild their networks by simply tinkering with their old code.

In March of this year, Microsoft, Financial Services - Information Sharing and Analysis Center (FS-ISAC) and NACHA (the electronic payments association) teamed up to get court permission to seize servers associated with the worst instances of the password-stealing Zeus botnet. They seized two IP addresses and secured 800 domains that they monitored to identify the bots under Zeus control.
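Two of the techniques described above, disabling only the proven-malicious subdomains of a shared domain while leaving the rest to resolve (the Nitol action), and monitoring secured domains to identify the bots that contact them (the Zeus action), can be sketched as resolver-side logic. The following is an added illustration, not Nominum's or Microsoft's code, and every domain name, address and log line in it is constructed for the example (the domain example.net and the 192.0.2.0/24 and 198.51.100.0/24 ranges are reserved for documentation). It shows why a block list must match on whole DNS labels rather than string suffixes, and how sinkhole hits, grouped by querying client, point at the infected hosts:

```python
"""Selective subdomain sinkholing plus sinkhole-hit reporting (added example).

Constructed data throughout; not the code of any vendor named in the article.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed block list: only these names (and anything below them) are
# sinkholed. The apex and every other subdomain keep resolving normally.
BLOCKED_NAMES = {
    "cnc1.bad.example.net",
    "update.bad.example.net",
}
SINKHOLE_ADDR = "192.0.2.10"  # constructed sinkhole address


def _labels(name: str) -> List[str]:
    """Normalise a DNS name into lower-case labels, dropping a trailing dot."""
    return name.rstrip(".").lower().split(".")


def is_blocked(qname: str, blocked: Iterable[str] = BLOCKED_NAMES) -> bool:
    """True if qname equals a blocked name or sits anywhere below one.

    Label-wise suffix matching avoids the classic string-suffix mistake in
    which 'notbad.example.net' would match a rule for 'bad.example.net'.
    """
    q = _labels(qname)
    for b in blocked:
        bl = _labels(b)
        if len(q) >= len(bl) and q[-len(bl):] == bl:
            return True
    return False


def resolve(qname: str, zone: Dict[str, str],
            blocked: Iterable[str] = BLOCKED_NAMES) -> Tuple[str, str]:
    """Return (verdict, address) for one query against a toy zone table."""
    if is_blocked(qname, blocked):
        return ("sinkholed", SINKHOLE_ADDR)
    addr = zone.get(qname.rstrip(".").lower())
    return ("answered", addr) if addr else ("nxdomain", "")


def sinkhole_report(log_lines: Iterable[str],
                    blocked: Iterable[str] = BLOCKED_NAMES) -> Dict[str, Set[str]]:
    """Group sinkhole hits by querying client.

    Each log line is '<epoch> <client_ip> <qname>'. Clients that keep asking
    for blocked names are the hosts most likely to carry the bot, which is
    what monitoring a secured domain is meant to reveal.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed lines instead of aborting the report
        _ts, client, qname = parts
        if is_blocked(qname, blocked):
            hits[client].add(qname.rstrip(".").lower())
    return dict(hits)


# Constructed zone data for the shared domain.
ZONE = {
    "example.net": "198.51.100.1",
    "www.example.net": "198.51.100.2",
    "blog.example.net": "198.51.100.3",
    "notbad.example.net": "198.51.100.4",
    "cnc1.bad.example.net": "198.51.100.66",
}

# Constructed resolver query log.
SAMPLE_LOG = [
    "1347900000 10.0.0.5 www.example.net",
    "1347900001 10.0.0.7 cnc1.bad.example.net",
    "1347900002 10.0.0.7 beacon.update.bad.example.net",
    "1347900003 10.0.0.9 blog.example.net",
    "1347900004 10.0.0.5 notbad.example.net",
    "garbage line",
]

if __name__ == "__main__":
    for name in ("www.example.net", "cnc1.bad.example.net", "notbad.example.net"):
        print(name, resolve(name, ZONE))
    for client, names in sorted(sinkhole_report(SAMPLE_LOG).items()):
        print(client, sorted(names))
```

Running the script shows the apex's ordinary subdomains answered from the zone, the two blocked names and anything beneath them redirected to the sinkhole, and a report attributing the sinkholed queries to the single client that issued them.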

They also named two people as defendants in a civil case involving Zeus, one of the rare times they have been able to track illegal activities to specific persons.

Earlier this month Microsoft went after Nitol, a case that arose serendipitously from a Microsoft investigation into pirated software being loaded onto brand-new computers in China and sold as legitimate Windows machines. One of the computers came not only with a pirated operating system but was also infected with Nitol, which enlists computers into botnets that can be used for a variety of illegal activities. It also enables downloading further malware.

Initially the team had no intention of taking a disruptive action against Nitol, but when further investigation led to a domain known as a haven for malicious activity, it decided it had to do something. The company traced more than 560 types of malware lurking in the domain.

Boscovich says the action was targeted so as not to disrupt legitimate users of the domain by taking down the entire domain. This tactic was so effective that it will likely become a standard tool, he says.

"This opens the door for future actions," he says, adding that such actions are imminent.

"You'll see more from us," says Campana.

Copyright © 2012 IDG Communications, Inc.
