Inside Microsoft botnet takedowns

Tim Greene | Sept. 26, 2012
When Microsoft took extraordinary steps earlier this month to disrupt the Nitol botnet it was the fifth time its Digital Crimes Unit had taken action against such threats, each time expanding its technical and legal toolkit for making it harder and more expensive to run cybercrime enterprises.

So Microsoft put in a bid for an ex parte hearing, meaning a judge hears just one party, without the other being present, and can approve legal action against the other party without notifying it. It's an extraordinary remedy, but the judge deemed it an extraordinary circumstance, he says. The other party does get to present its side, but at a later date. In the case of Waledac, the tactic gave Microsoft time to seize 277 domain names and shut them down.

Next they went after Rustock, a botnet specializing in sending spam to lure victims into buying counterfeit pharmaceuticals, using the trademarks of Pfizer and Microsoft in the process. The case explored new legal ground by applying the Lanham Act -- a law typically used to seize counterfeits such as knockoff handbags and watches before the counterfeiters can move them -- to cybercrime. Microsoft, along with Pfizer, the University of Washington and FireEye, won an order to seize the Rustock command and control servers from ISPs in seven U.S. cities.

From those servers Microsoft learned about domains Rustock might use as rendezvous points for the botnet after its C&C servers were taken down. The company bought up those domains.

In the case of the Kelihos spambot, subdomains of a particular domain were used for malicious purposes, but because of the way domain registration works, it's difficult to find out to whom subdomains are registered, and the domain owner may not know who controls the subdomain, he says.

But a new legal argument gave Microsoft the standing to again seize an entire domain to shut Kelihos down, Boscovich says. The argument goes that if the domain owner, as part of its agreement with registrants, requires that they not carry on illegal activities, by extension that contract applies to Microsoft because it can benefit or be harmed depending on how the registrant behaves.

In that scenario Microsoft becomes a third-party contractual beneficiary, he says, giving it standing to seek legal action for malicious activity the registrant might engage in. "It's a creative way to obtain remedies that we wanted," Boscovich says.

In the case of Kelihos, Microsoft took offline an entire domain consisting of several hundred thousand subdomains, leaving the company to negotiate a settlement with the domain's owner, Dominique Alexander Piatti, over which subdomains to bring back up.

Kelihos wasn't as massive as Rustock, but Microsoft decided to go after it because its code seemed linked to Waledac's. "Analysis of Kelihos shows large portions of the code of Kelihos are shared with Waledac suggesting it is either from the same parties or that the code was obtained, updated and reused," according to a Microsoft Malware Protection Center blog from January 2011.

