Microsoft defends 'dumb' civil Zeus strategy


Should Redmond have left it to the FBI?

A British security researcher who helped the FBI crack the DNSChanger Trojan botnet last year has branded Microsoft’s civil strategy for taking down the Zeus botnet as “dumb”.

Yesterday, Microsoft announced its fourth ‘legal and technical’ takedown, this time of control servers for the Zeus botnet, which has infected over 13 million Windows computers since 2007 and is responsible for over $100 million in online theft-related losses to financial institutions over five years.

Microsoft in late March applied under civil law for a US court to authorise it to seize the command and control infrastructure of the Zeus botnet without knowing the actual identities of those involved.

In its complaint, Microsoft refers to 39 “John Does”, detailing each of the accused’s multiple online handles, email addresses, their relationships, and their alleged roles in the crime ring, ranging from coders to money mule recruiters as well as the Zeus creators themselves. 

However, the complaint suggests Microsoft doesn’t have their actual names, and this is the main reason British-based Trend Micro malware researcher Rik Ferguson describes Redmond’s strategy as “dumb”.

The details in Microsoft’s complaint “make clear the extent of intelligence the security industry has on those sorts of activities,” Ferguson told iTnews on Tuesday.

"[Microsoft] made it very clear how much intelligence the security industry -- and this is not Microsoft but the security industry -- has gained and shared through working groups," he said.

“That model of cooperation gets broken when someone decides to go on their own initiative of civil action instead of waiting for the cooperative action that is ultimately successful in bringing individuals to justice."

Microsoft did credit two security companies for aiding its work on Zeus: Finnish security vendor F-Secure and US-based security firm Kyrus Tech Inc, which reverse engineered the Trojan.

Microsoft has used a similar ‘civil’ approach for the “successful” takedowns of Waledec, Rustock, and more recently a relatively minor botnet, Kelihos. Details of these can be found on Microsoft’s Digital Crimes Unit blog.

In each case Microsoft seized command and control infrastructure without knowing the names of those actually behind the botnet.

Despite severely disrupting those operations, Microsoft has had little success in finding those responsible.

“I think what I object to more strongly in terms of that sort of activity is that it’s being pursued through civil means rather than criminal means,” Ferguson said.

Winning or spinning the war on botnets?

While the main focus is disrupting major botnets, there has been a lot of spin behind Microsoft's takedown campaigns.

Last year, Microsoft offered an up-to $250,000 bounty for information leading to the capture of those responsible for Rustock, and placed advertisements in several major Russian newspapers to support the search. 

Each campaign has involved the support of major industry players, such as pharmaceutical giant Pfizer, which threw its weight behind Microsoft's Rustock takedown.

Intellectual property losses aside, Pfizer claimed in a written declaration that Rustock was promoting drugs that contained the wrong ingredients and incorrect doses. 

“Yes, Microsoft used a similar technique against Waledec, Rustock and Kelihos, but how many arrests have we seen in those cases?” asked Ferguson.

“I’m fairly confident that the answer is none. It’s not the most effective way to pursue the criminals behind those activities."

However, Microsoft appeared to have made ground in the Kelihos case earlier this year after naming the alleged creator as a US-based Russian coder, who quickly denied the allegations on his personal blog.

Microsoft defends its approach

Richard Boscovich, senior attorney at Microsoft’s Digital Crimes Unit, defended the company’s botnet takedown strategy, and told iTnews “not to assume that Microsoft, nor its partners, necessarily divulge all of the intelligence they possess in the initial pleadings.”

Here’s Boscovich’s statement in full:

“Microsoft’s first priority in taking action against cybercrime is to help protect customers while also advancing enforcement and disruptive approaches that increase risk and costs for cybercriminals to put them out of business or deter crime in the first place. 

“Microsoft also remains committed to following botnet cases wherever they lead the company and to holding those responsible accountable for their actions. For instance, Microsoft recently named a new defendant in the civil legal case on Kelihos and the company continues to move forward with those legal proceedings. 

“Meanwhile, in the Rustock botnet case, after closing our civil case, we made a criminal referral to the FBI.  With each new botnet operation, Microsoft will continue to keep all of its options open and that does include referring the matter to law enforcement when appropriate.  Lastly, I would not assume that Microsoft, nor its partners, necessarily divulge all of the intelligence they possess in the initial pleadings.”

Microsoft’s civil suits are the exact opposite of how Trend Micro helped the FBI tackle the “Esthost botnet”, a four million strong botnet spread through the DNSChanger Trojan.

The botnet was to an extent disabled after Estonian authorities arrested six individuals as part of the FBI's Operation GhostClick, which identified the Estonian company Rove as the key entity behind the fraud ring. 

The FBI may have made its arrests while Microsoft is still searching, but DNSChanger is still causing problems.

In March this year the FBI sought and obtained a court order to extend the period it could maintain “clean DNS servers” so that it could assist victims still running DNSChanger infected systems.

Ferguson said, in contrast to Microsoft's approach, Trend Micro withheld information it had on the botnet operators for six years before divulging anything to the public.

But the two botnets’ ambitions and ultimate victims were different. Zeus sought online banking credentials and, like Rustock, took its toll on a well-funded and organised industry. The DNSChanger Trojan by contrast sought vulnerable PCs in order to monetise fraudulent clicks. 

In other words, Rove’s victims were smaller fry and more widely distributed, such as online ad networks and consumers who bought fake antivirus, compared to the financial sector, represented by the two organisations that aided Microsoft’s civil suit against Zeus’ operators.

The scale of the crimes the two botnets were responsible for was different too.

Financial institutions allegedly suffered losses greater than $100 million over five years due to Zeus, while Rove earned $14 million in “illicit fees”, according to the FBI.    

Ferguson insists these actions should be brought under criminal law, and not decided “unilaterally” by Microsoft. 

“If the FBI are involved, that’s the model we should all be working towards,” Ferguson said.

“Making sure that we, as an industry, provide them with the right information and the intelligence in a timely fashion to be able to pursue criminal proceedings against individuals. 

“In this case it’s a civil action and it’s very much been a unilateral decision by Microsoft. Well, a decision by Microsoft, and those two trade bodies that launched these proceedings. They are the complainants. It’s not a criminal suit.” 

Copyright © iTnews.com.au . All rights reserved.