Researchers slam Microsoft for botnet takedown tactics
17 April 2012, 13:50
Dutch security outfit Fox-IT has slammed Microsoft for publicly releasing “restricted data” to support its “legal-technical” takedown of the Zeus botnet last month.
In a lengthy complaint, Fox-IT claims Microsoft’s civil action and seizure of command infrastructure was a publicity stunt that jeopardised “countless” public and private sector investigations. The company calls it a “major blow”.
On the day Microsoft announced its Zeus, SpyEye and ICE IX takedown and server seizure, it also published extensive details about the suspects behind the botnet.
Fox-IT is miffed that portions of Microsoft’s John Doe complaints, detailing the alleged operators behind the botnet, came directly from its own work, which was meant to be shared only within a restricted group of researchers.
“This mailing list has the restriction that data being shared can only be used with the permission of the person who supplied that data,” a Fox-IT spokesperson said on the company blog last week.
In addition, Fox-IT claims the “sinkhole” Microsoft established using servers it seized was not just collecting IP addresses as Microsoft claimed, but also personally identifiable information -- usernames, email addresses, passwords -- of Zeus victims.
The company joins others, such as UK-based Trend Micro security researcher Rik Ferguson, in publicly lashing out at Microsoft for inappropriately using data and pursuing a ‘civil’ court strategy that may not be producing results.
One question in the chicken-and-egg debate is whether ‘results’ means arresting suspects or reducing spam levels.
If it’s the former, Ferguson says Microsoft has failed, but if it’s the latter Microsoft’s Digital Crimes Unit boss Richard Boscovich reckons it is winning.
While Microsoft partially disabled the botnet, as it had with Rustock, Kelihos and Waledac, Ferguson argued it left the criminals behind the operation free to re-establish themselves elsewhere.
He noted that Microsoft’s strategy had led to zero arrests, in contrast to the six years of work by Trend Micro before the FBI announced six arrests under its Operation Ghost Click action against the Esthost botnet.
Ferguson was furious that Microsoft used information he felt was clearly gained from security industry working groups, only to launch civil action. Instead, Microsoft should have been more patient and quietly gathered enough evidence to pursue criminal charges against the accused, he said.
Microsoft’s head of its Digital Crimes Unit Richard Boscovich has given a detailed response to Fox-IT’s claims to security writer, Brian Krebs.
Boscovich appears to shift responsibility for the data Microsoft uses in its legal submissions onto the security partners it works with, since Microsoft assumes “that the information they (the partners) provided is their own, or is freely available amongst them for the purpose of securing the internet.”
Boscovich said Microsoft's “civil” legal strategy is not designed to produce arrests, but rather to destabilise the network.
“Instead of trying to get the guys behind this, we said why don’t we just strike them where’s going to hurt them most?”
He added that any claim that civil action will destroy ongoing criminal investigations was a “fallacy, and near-sighted”, naive and based on “not understanding how criminal investigations operate”.
Boscovich claims it has achieved success by reducing spam levels, but Ferguson points out that Microsoft’s civil strategy so far has led to zero arrests.