Microsoft, like other major software suppliers, is increasingly using disruption as a key tactic to fight cyber crime, adapting this approach as cyber criminals change their business models.
So far, the DCU (Microsoft's Digital Crimes Unit), in collaboration with cross-industry partners, has taken down six major botnets, effectively disabling key cyber criminal infrastructure.
However, the takedown of the Nitol botnet required a slightly different approach in September 2012 because not all domains hosted by 3322.org were malicious, said TJ Campana, director of security at DCU.
“Only 70,000 of a total 3.8 million sub-domains were being used by the cyber criminals to host 575 strains of malware, so we could not justify taking down the whole domain,” he told Computer Weekly.
This meant Microsoft could use a DNS sinkhole to block the Nitol botnet and the other malicious sub-domains selectively, answering only those names with a sinkhole address, without affecting the legitimate sub-domains hosted by 3322.org, said Campana.
“We were able to act as a DNS filter,” he said.
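The selective sinkholing described above, as an added example that is not part of the original article and not Microsoft's or 3322.org's code: a resolver-side filter that answers only listed malicious names (and anything beneath them) with a sinkhole address and passes every other name in the zone through to its normal record. The zone, the blocklist, the addresses and the query names are all constructed for illustration; they are not the 3322.org data from the takedown.

```python
# Added example: a selective DNS sinkhole ("DNS filter").
# Everything below (zone, blocklist, records, addresses) is constructed
# for illustration, not data from the Nitol/3322.org takedown.
from dataclasses import dataclass, field

SINKHOLE_IP = "192.0.2.1"  # constructed; RFC 5737 documentation range


def normalize(name: str) -> str:
    """Canonical form for comparison: lower case, no trailing dot."""
    return name.strip().rstrip(".").lower()


@dataclass
class SelectiveSinkhole:
    zone: str                 # the parent domain we are filtering
    blocklist: set            # malicious sub-domains (exact names)
    legit_records: dict       # name -> A record for legitimate sub-domains
    log: list = field(default_factory=list)

    def __post_init__(self):
        # Normalise once so lookups are case- and trailing-dot-insensitive.
        self.zone = normalize(self.zone)
        self.blocklist = {normalize(n) for n in self.blocklist}
        self.legit_records = {normalize(k): v for k, v in self.legit_records.items()}

    def in_zone(self, name: str) -> bool:
        return name == self.zone or name.endswith("." + self.zone)

    def is_blocked(self, name: str) -> bool:
        """True if the name, or any ancestor label below the zone apex, is listed.

        Walking up the labels means 'update.c2.<zone>' is caught by a
        blocklist entry for 'c2.<zone>', while the apex itself is never blocked.
        """
        labels = normalize(name).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate == self.zone:
                break
            if candidate in self.blocklist:
                return True
        return False

    def resolve(self, qname: str):
        """Return the address a client gets for qname.

        Sinkhole address for blocked names, the legitimate record otherwise,
        None for names outside the zone or with no record (NXDOMAIN).
        """
        name = normalize(qname)
        if not self.in_zone(name):
            return None
        if self.is_blocked(name):
            self.log.append(("SINKHOLE", name))
            return SINKHOLE_IP
        answer = self.legit_records.get(name)
        self.log.append(("PASS", name, answer))
        return answer


def classify_queries(sinkhole: SelectiveSinkhole, qnames) -> dict:
    """Resolve a batch of names and count how many were sinkholed vs passed."""
    counts = {"sinkholed": 0, "passed": 0, "outside_zone": 0}
    for q in qnames:
        name = normalize(q)
        if not sinkhole.in_zone(name):
            counts["outside_zone"] += 1
        elif sinkhole.resolve(q) == SINKHOLE_IP:
            counts["sinkholed"] += 1
        else:
            counts["passed"] += 1
    return counts


# Constructed sample data.
DEMO = SelectiveSinkhole(
    zone="example.org",
    blocklist={"c2.example.org", "dropper.example.org"},
    legit_records={"www.example.org": "198.51.100.10",
                   "shop.example.org": "198.51.100.11"},
)

if __name__ == "__main__":
    for q in ["c2.example.org", "update.dropper.example.org",
              "Shop.Example.Org.", "www.example.org", "other.net"]:
        print(f"{q:30} -> {DEMO.resolve(q)}")
    print(classify_queries(DEMO, ["c2.example.org", "www.example.org",
                                  "update.dropper.example.org",
                                  "shop.example.org", "other.net"]))
```

The walk up the labels is what keeps the apex and its legitimate sub-domains untouched while still catching hosts nested under a listed malicious name; the log records each decision so the sinkhole operator can later hand victim counts to ISPs and CERTs.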
Microsoft discovered the Nitol botnet after finding that retailers were selling computers loaded with counterfeit versions of Windows in which Nitol and other malware were embedded.
“This case highlights the need to have a trusted supply chain to ensure they cannot be infiltrated by cyber criminals,” said Campana.
The DCU investigation showed that the malware was being pre-installed on computers after they had left the factory but before they were delivered to the consumer.
By shutting down the Nitol botnet and bringing the threat to the attention of computer makers and policy makers, Microsoft hoped to reduce the opportunities for cyber criminals to infiltrate the supply chain.
The DCU is aimed at disrupting cyber crime through cross-industry partnerships using technical and legal breakthroughs that increase operating costs and destroy supporting infrastructure.
The DCU also liaises with all the Microsoft security teams to pass on cyber threat intelligence to targeted organisations through computer emergency response teams and internet service providers.
Like Nitol, the Bamital search-results hijacking botnet required Microsoft to evolve its approach to taking down botnets, becoming more proactive in its most recent takedown, in February.
In collaboration with Symantec, Microsoft directed victims to a web page to inform them their computers had been infected by Bamital and to offer an easy method to remove the infection.
Investigators found that in the past two years, more than eight million computers have been attacked by Bamital, but because of the nature of the attack, most victims were unaware they had been targeted.
Investigators also found that the botnet’s search hijacking and click fraud schemes affected many major search engines and browsers, including those offered by Microsoft, Yahoo and Google.
The Bamital botnet defrauded the online advertising ecosystem that allows much of the internet and many online services to be free, by redirecting victims to other sites to carry out click fraud.
In this case, advertisers were being charged for clicks on their ads that victims never intended to make.
This redirection was also exposing victims to malware designed to steal personal information.
In taking down Bamital, Microsoft and Symantec once again used a combination of legal and technical action, adding the proactive step of informing victims for the first time.
On 31 January 2013, Microsoft filed a lawsuit against the botnet’s operators, supported by a declaration from Symantec, to sever all the communication lines between the botnet and the hijacked computers.
The court granted Microsoft’s request, and on 6 February investigators seized valuable data and evidence from web-hosting facilities in Virginia and New Jersey.
The data gathered from these takedowns becomes part of Microsoft’s ongoing research in support of protecting its customers.
In this way, Microsoft can use the criminals’ infrastructure against them and make it harder and more expensive for them to commit cyber crime.