Microsoft Dismisses Zeus Botnet Takedown Criticism

Tuesday, April 17, 2012



Last month, Microsoft teamed with a cross-sector coalition of interested parties in instigating the legal and technological assault that resulted in the seizure of multiple command and control servers operating a massive Zeus Trojan botnet.

It was the second occasion where the tech giant Microsoft used the power of the courts to strike at the heart of a massive botnet operation.

"In our most complex effort to disrupt botnets to date, Microsoft’s Digital Crimes Unit – in collaboration with Financial Services – Information Sharing and Analysis Center (FS-ISAC) and NACHA – The Electronic Payments Association, as well as Kyrus Tech Inc. – has executed a coordinated global action against some of the worst known cybercrime operations fueling online fraud and identity theft today. With this legal and technical action, a number of the most harmful botnets using the Zeus family of malware worldwide have been disrupted in an unprecedented, proactive cross-industry operation against this cybercriminal organization," the Microsoft blog stated.

While it might be hard to find anyone disappointed by the dismantling of a criminal botnet, critics are nonetheless deriding some of Microsoft's actions in the lead-up to the operation, according to an article by Brian Krebs.

"The chief criticism is that the Microsoft operation exposed sensitive information that a handful of researchers had shared in confidence, and that countless law enforcement investigations may have been delayed or derailed as a result," Krebs writes.

It seems that some of the researchers who track the activities of online criminal organizations are dismayed that Microsoft would take it upon themselves to openly disclose what they consider to be confidential information.

"The researchers told me privately that they believed Microsoft had overstepped its bounds with this action, using privileged information without permission from the source(s) of that data (many exclusive industry discussion lists dedicated to tracking cybercriminal activity have strict rules about sourcing and using information shared by other members)," Krebs explained.

The Dutch security firm Fox IT issued a rebuke of Microsoft's efforts, claiming the company was more concerned with self-promotion and good public relations than with enabling the security community to effectively continue its efforts to undermine criminal elements, and that the company likely violated the terms of non-disclosure agreements.

“This irresponsible action by Microsoft has led to hampering and even compromising a number of large international investigations in the US, Europe and Asia that we knew of and also helped with. It has also damaged and will continue to damage international relationships between public parties and also private parties. It also sets back cooperation between public and private parties, so called public private partnerships, as sharing will stop or will be definitely less valuable than it used to be for all parties involved,” Fox IT's Michael Sandee wrote in a scathing blog post.

Krebs has posted a lengthy interview with Microsoft's Richard Boscovich, a former Department of Justice lawyer who was instrumental in formulating the company's legal strategy to take down the Zeus botnet operation.

Boscovich said that the need for operational security to prevent leaks regarding the botnet takedown prevented the company from notifying some parties who may have contributed information key to the success of the operation.

Regarding the dissatisfaction generated by the disclosure of some researchers' data, Boscovich stated that he believed the information was made available for the common good.

"Whenever we cooperate with the research community and industry partners, the assumption is that the information they provided is either their own, or is freely available amongst them for the purpose of securing the internet. They felt, we believe that all of this information should be used for the purpose for which it was intended: And that is to try to solve the problem and protect people who are being victimized by crime," Boscovich told Krebs.

As for permission to use and disclose the data in question, Boscovich relayed that there may have been an element of miscommunication with some parties, but that he believed the data was provided for the express purpose of mitigating threats.

"Now, there seems to be some allegations that there was information that one or two people provided to the research community – which is very large by the way – which for some reason they didn’t want to be acted upon. I don’t know what that means, but we only ask for information from our industry or academic partners that they believe is their own or is being freely shared in the community. The purpose for which we ask for this information is to reduce threat to consumers and people being victimized by crime. If there are any allegations that somehow Microsoft knew this was privileged information, the answer is absolutely not," Boscovich said.

Krebs goes on to pepper Boscovich with some difficult and straightforward questions regarding the botnet takedown operations, accusations of corporate "vigilantism", and the future use of information supplied by security researchers.

Given that this kind of activity is completely novel in the field of security, the Krebs interview is well worth a read.

Previously, Microsoft was instrumental in the Rustock botnet takedown. In February of 2011, Microsoft provided documentation that detailed the botnet's extensive structure in a federal court filing that was part of a lawsuit against a number of John Doe defendants.

Acting on the information Microsoft provided, federal marshals raided several internet hosting providers across the U.S. in March of 2011, seizing servers suspected of being used as Rustock command and control units.

Microsoft had also played a key role in efforts to shut down the Waledac botnet in 2010, though the botnet continued functioning at a diminished capacity for a period, and some researchers believe that the infamous Kelihos botnet may have been another incarnation of the Waledac code.

In September of 2011, Microsoft obtained a court order to force Verisign to pull the plug on twenty-one domains associated with the Kelihos botnet spamming operation, which was believed to be controlling nearly fifty-thousand zombie machines.
