Researchers slam Microsoft for botnet takedown tactics

Battle brewing over right and wrong way to take down botnets.

Dutch security outfit Fox-IT has slammed Microsoft for publicly releasing “restricted data” to support its “legal-technical” takedown of the Zeus botnet last month.

In a lengthy complaint, Fox-IT claims Microsoft’s civil action and seizure of command infrastructure was a publicity stunt that jeopardised “countless” public and private sector investigations. The company calls it a “major blow”.

On the day Microsoft announced its Zeus, SpyEye and ICE IX takedown and server seizure, it also published extensive details about the suspects behind the botnet.

Fox-IT is miffed that portions of Microsoft’s John Doe accounts, detailing the alleged operators behind the botnet, came directly from its own work, which was meant to be limited to a closed group of researchers.

“This mailing list has the restriction that data being shared can only be used with the permission of the person who supplied that data,” a Fox-IT spokesperson said on the company blog last week.

In addition, Fox-IT claims the “sinkhole” Microsoft established using the servers it seized was not just collecting IP addresses, as Microsoft claimed, but also personally identifiable information (usernames, email addresses and passwords) of Zeus victims.

The company joins others, such as UK-based Trend Micro security researcher Rik Ferguson, in publicly lashing out at Microsoft for inappropriately using data and pursuing a ‘civil’ court strategy that may not be producing results.

One question in this chicken-and-egg debate is whether ‘results’ means arresting suspects or reducing spam levels.

If it’s the former, Ferguson says Microsoft has failed; if it’s the latter, Microsoft’s Digital Crimes Unit boss Richard Boscovich reckons it is winning.

While Microsoft partially disabled the botnet, as it had with Rustock, Kelihos and Waledac, Ferguson argued it left the criminals behind the operation free to re-establish themselves elsewhere.

He noted that Microsoft’s strategy had led to zero arrests, in contrast to the six years of work by Trend Micro before the FBI announced six arrests under its Operation Ghost Click assault on the Esthost botnet.

Ferguson was furious that Microsoft used information he felt was clearly obtained from security industry working groups, only to launch civil action. Instead, he said, Microsoft should have been more patient and quietly gathered enough evidence to pursue criminal charges against the accused.

Richard Boscovich, head of Microsoft’s Digital Crimes Unit, has given security writer Brian Krebs a detailed response to Fox-IT’s claims.

Boscovich appears to shift responsibility for the data Microsoft uses in its legal submissions onto the security partners it works with, since Microsoft assumes “that the information they (the partners) provided is their own, or is freely available amongst them for the purpose of securing the internet.”

Boscovich said Microsoft's “civil” legal strategy is not designed to produce arrests, but rather to destabilise the network.

“Instead of trying to get the guys behind this, we said why don’t we just strike them where it’s going to hurt them most?”

He added that any claim that civil action will destroy ongoing criminal investigations was a “fallacy, and near-sighted”, naive and based on “not understanding how criminal investigations operate”.

Boscovich claims Microsoft has achieved success by reducing spam levels, but Ferguson points out that Microsoft’s civil strategy has so far led to zero arrests.

Stories by Liam Tung