A British security researcher who helped the FBI crack the DNSChanger Trojan botnet last year has branded Microsoft’s civil strategy for taking down the Zeus botnet as “dumb”.
Yesterday, Microsoft announced its fourth ‘legal and technical’ takedown of control servers for the Zeus botnet that has infected over 13 million Windows computers since 2007 and is responsible for over $100 million in online theft-related losses to financial institutions over five years.
Microsoft in late March applied under civil law for a US court to authorise it to seize the command and control infrastructure of the Zeus botnet without knowing the actual identities of those involved.
In its complaint, Microsoft refers to 39 “John Does”, detailing each of the accused’s multiple online handles, email addresses, their relationships, and their alleged roles in the crime ring, ranging from coders to money mule recruiters as well as the Zeus creators themselves.
However, the complaint suggests Microsoft doesn’t have their actual names, and this is British-based Trend Micro malware researcher Rik Ferguson’s main reason for describing Redmond’s strategy “dumb”.
The details in Microsoft’s complaint “makes clear the extent of intelligence the security industry has on those sorts of activities,” Ferguson told iTnews on Tuesday.
"[Microsoft] made it very clear how much intelligence the security industry -- and this is not Microsoft but the security industry -- has gained and shared through working groups," he said.
“That model of cooperation gets broken when someone decides to go on their own initiative of civil action instead of waiting for the cooperative action that is ultimately successful in bringing individuals to justice."
Microsoft did credit two security companies for aiding its work on Zeus - Finnish security vendor F-Secure and US-based security firm Kyrus Tech Inc, which reverse engineered the Trojan.
Microsoft has used a similar ‘civil’ approach for the “successful” takedowns of Waledec, Rustock, and more recently a relatively minor botnet, Kelihos. Details of these can be found on Microsoft’s Digital Crimes Unit blog.
In each case Microsoft seized command and control infrastructure without knowing the names of those actually behind the botnet.
Despite severely disrupting those operations, it has had little success in finding those responsible.
“I think what I object to more strongly in terms of that sort of activity is that it’s being pursued through civil means rather than criminal means,” Ferguson said.
Winning or spinning the war on botnets?
While the main focus is disrupting major botnets, there has been a lot of spin behind Microsoft's takedown campaigns.
Last year, Microsoft offered an up-to $250,000 bounty for information leading to the capture of those responsible for Rustock, and placed advertisements in several major Russian newspapers to support the search.
Each campaign has involved the support of major industry players, such as pharmaceutical giant Pfizer, which threw its weight behind Microsoft's Rustock takedown.
Intellectual property losses aside, Pfizer claimed in a written declaration that Rustock was promoting drugs that contained the wrong ingredients and incorrect doses.
“Yes, Microsoft used a similar technique against Waladec, Rustock and Kelihos, but how many arrests have we seen in those cases?” asked Ferguson.
“I’m fairly confident that the answer is none. It’s not the most effective way to pursue the criminals behind those activities."
However, Microsoft appeared to have made ground in the Kelihos case earlier this year after naming the alleged creator as a US-based Russian coder, who quickly denied the allegations on his personal blog.
Microsoft defends its approach
Richard Boscovich, senior attorney at Microsoft Digital Crimes Unit defends the company’s botnet takedown strategy, and told iTnews “not to assume that Microsoft, nor its partners, necessarily divulge all of the intelligence they possess in the initial pleadings.”
Here’s Boscovich’s statement in full:
“Microsoft’s first priority in taking action against cybercrime is to help protect customers while also advancing enforcement and disruptive approaches that increase risk and costs for cybercriminals to put them out of business or deter crime in the first place.
“Microsoft also remains committed to following botnet cases wherever they lead the company and to holding those responsible accountable for their actions. For instance, Microsoft recently named a new defendant in the civil legal case on Kelihos and the company continues to move forward with those legal proceedings.
“Meanwhile, in the Rustock botnet case, after closing our civil case, we made a criminal referral to the FBI. With each new botnet operation, Microsoft will continue to keep all of its options open and that does include referring the matter to law enforcement when appropriate. Lastly, I would not assume that Microsoft, nor its partners, necessarily divulge all of the intelligence they possess in the initial pleadings.”
Microsoft’s civil suits are the exact opposite of how Trend Micro helped the FBI tackle the “Esthost botnet”, a four million strong botnet spread through the DNSchanger Trojan.
The botnet was to an extent disabled after Estonian authorities arrested six individuals as part of the FBI's Operation GhostClick, which identified the Estonian company Rove as the key entity behind the fraud ring.
The FBI may have made its arrests while Microsoft is still searching, but DNSChanger is still causing problems.
In March this year the FBI sought and obtained a court order to extend the period it could maintain “clean DNS servers” so that it could assist victims still running DNSChanger infected systems.
Ferguson said, in contrast to Microsoft's approach, Trend Micro withheld information it had on the botnet operators for six years before divulging anything to the public.
But the two botnets’ ambitions and ultimate victims were different. Zeus sought online banking credentials and, like Rustock, took its toll on a well-funded and organised industry. The DNSChanger Trojan by contrast sought vulnerable PCs in order to monetise fraudulent clicks.
In other words, Rove’s victims were smaller fry and distributed, such as online ad networks and consumers who bought fake antivirus, compared to the financial sector -- represented by the two organisations that aided Microsoft’s civil suit against Zeus’ operators.
The scale of the crimes the two botnets were responsible for were different too.
Financial institutions allegedly suffered losses greater than $100 million over five years due to Zeus, while Rove earned $14 million in “illicit fees”, according to the FBI.
Ferguson insists these actions should be brought under criminal law, and not decided “unilaterally” by Microsoft.
“If the FBI are involved, that’s the model we should all be working towards,” Ferguson said.
“Making sure that we, as an industry, provide them with the right information and the intelligence in a timely fashion to be able to pursue criminal proceedings against individuals.
“In this case it’s a civil action and it’s very much been a unilateral decision by Microsoft. Well, a decision by Microsoft, and those two trade bodies that launched these proceedings. They are the complainants. It’s not a criminal suit.”