Researchers slam Microsoft for botnet takedown tactics

Battle brewing over right and wrong way to take down botnets.
  • Liam Tung (CSO Online)
  • — 17 April, 2012 13:50

Dutch security outfit Fox-IT has slammed Microsoft for publicly releasing “restricted data” to support its “legal-technical” takedown of the Zeus botnet last month.

In a lengthy complaint, Fox-IT claims Microsoft’s civil action and seizure of command-and-control infrastructure was a publicity stunt that jeopardised “countless” public and private sector investigations. The company describes the takedown as a “major blow” to that work.

On the day Microsoft announced its Zeus, SpyEye and ICE IX takedown and server seizure, it also published extensive details about the suspects behind the botnet.

Fox-IT is miffed that portions of Microsoft’s John Doe court filings, detailing the alleged operators behind the botnet, came directly from its own work, which was meant to be limited to a closed group of researchers.

“This mailing list has the restriction that data being shared can only be used with the permission of the person who supplied that data,” a Fox-IT spokesperson said on the company blog last week.

In addition, Fox-IT claims the “sinkhole” Microsoft established using the servers it seized was not just collecting the IP addresses of infected machines, as Microsoft claimed, but also personally identifiable information of Zeus victims: usernames, email addresses and passwords.
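The distinction Fox-IT draws, between a sinkhole that records only which hosts are infected and one that retains whatever the bots upload, is a design decision in the sinkhole's logging code. The following is an added example, not Microsoft's or Fox-IT's code and not the real Zeus check-in format: it parses a constructed, form-encoded bot check-in (field names such as `bid`, `email` and `password` are hypothetical) and produces a log record that keeps the source IP, the request path and a keyed hash of the bot ID, while dropping credential fields rather than persisting them.

```python
import hmac
import ipaddress
from urllib.parse import parse_qs

# Field names a bot check-in might carry that must never be persisted verbatim.
# Illustrative only; the real Zeus protocol is an encrypted binary POST.
SENSITIVE_FIELDS = {"user", "username", "login", "email", "pass", "password", "cookie"}

# Constructed sample check-in, not captured traffic.
SAMPLE_IP = "198.51.100.23"
SAMPLE_PATH = "/checkin"
SAMPLE_BODY = b"bid=ABC123&email=victim%40example.org&password=hunter2&ver=2"


def minimise_checkin(src_ip: str, path: str, body: bytes, salt: bytes) -> dict:
    """Build a sinkhole log record that supports counting and notifying infected
    hosts without retaining victim credentials.

    Kept: validated source IP, request path, an HMAC of the bot ID (so repeat
    check-ins from one bot can be correlated without storing the raw ID),
    the names of the fields that were dropped, and the body size.
    Never kept: the body itself or the values of any sensitive field.
    """
    ip = ipaddress.ip_address(src_ip)  # raises ValueError on garbage input
    fields = parse_qs(body.decode("latin-1", errors="replace"), keep_blank_values=True)

    dropped = sorted(name for name in fields if name.lower() in SENSITIVE_FIELDS)
    bot_id = fields.get("bid", [""])[0]  # hypothetical bot identifier field

    return {
        "src_ip": str(ip),
        "path": path,
        "bot_id_hmac": hmac.new(salt, bot_id.encode(), "sha256").hexdigest() if bot_id else None,
        "dropped_fields": dropped,
        "body_bytes": len(body),
    }


def record_leaks_pii(record: dict, body: bytes) -> bool:
    """Return True if any value of a sensitive field from the body appears
    anywhere in the log record. Used as a guard before writing to disk."""
    fields = parse_qs(body.decode("latin-1", errors="replace"), keep_blank_values=True)
    secrets = [v for k, vs in fields.items() if k.lower() in SENSITIVE_FIELDS for v in vs if v]
    flat = repr(record)
    return any(secret in flat for secret in secrets)


if __name__ == "__main__":
    rec = minimise_checkin(SAMPLE_IP, SAMPLE_PATH, SAMPLE_BODY, b"per-sinkhole-secret")
    assert not record_leaks_pii(rec, SAMPLE_BODY)
    print(rec)
```

The guard in `record_leaks_pii` is the check a practitioner would wire in front of the write path: if a future protocol change introduces a new credential field that the allow-list of dropped names does not cover, the record is refused rather than silently stored.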

The company joins others, such as UK-based Trend Micro security researcher Rik Ferguson, in publicly lashing out at Microsoft for inappropriately using data and pursuing a ‘civil’ court strategy that may not be producing results.

One question in the debate is what counts as a ‘result’: arresting the suspects, or reducing spam levels.

If it’s the former, Ferguson says Microsoft has failed, but if it’s the latter Microsoft’s Digital Crimes Unit boss Richard Boscovich reckons it is winning.

While Microsoft partially disabled the botnet, as it had with Rustock, Kelihos and Waledac, Ferguson argued it left the criminals behind the operation free to re-establish themselves elsewhere.

He noted that Microsoft’s strategy had led to zero arrests, in contrast to the six years of work by Trend Micro before the FBI announced six arrests under Operation Ghost Click, its action against the Esthost botnet.

Ferguson was furious that Microsoft used information he felt had clearly been gained from security industry working groups only to launch civil action. Instead, he said, Microsoft should have been more patient and quietly gathered enough evidence to pursue criminal charges against the accused.

The head of Microsoft’s Digital Crimes Unit, Richard Boscovich, has given a detailed response to Fox-IT’s claims to security writer Brian Krebs.

Boscovich appears to shift responsibility for the data Microsoft uses in its legal submissions onto the security partners it works with, since Microsoft assumes “that the information they (the partners) provided is their own, or is freely available amongst them for the purpose of securing the internet.”

Boscovich said Microsoft's “civil” legal strategy is not designed to produce arrests, but rather to destabilise the network.

“Instead of trying to get the guys behind this, we said why don’t we just strike them where it’s going to hurt them most?”

He added that any claim that civil action will destroy ongoing criminal investigations was a “fallacy, and near-sighted”, naive and based on “not understanding how criminal investigations operate”.

Boscovich claims Microsoft has achieved success by reducing spam levels; Ferguson counters that Microsoft’s civil strategy has so far led to zero arrests.

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.