Microsoft plans to expand its botnet disruption strategy beyond the US through public-private partnerships (PPPs) in Europe and other regions of the world.
Botnets are networks of malware-infected computers that cyber criminals hijack and control remotely through command and control servers in order to carry out criminal activities.
“Fewer and fewer botnet command and control operations are located in the US,” said Richard Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit (DCU).
“As cybercriminals diversify their infrastructure, we have to get more strategic with our partnerships in other regions of the world with public, private, academic and legal organisations,” he said.
Microsoft has pioneered a strategy for using long-standing civil laws in the US in innovative ways to take rapid action to protect computer users against cyber criminals hijacking their machines to form botnets.
The company’s lawyers, for example, looked to property rights to find ways to establish legal standing for protecting intellectual property.
The company has teams of lawyers around the world that are looking at local laws to see what response options are available for taking disruptive actions against criminal botnet infrastructure.
“I believe that the legal action we have taken on the civil side in the US can be replicated in any common law country,” said Boscovich.
“In some jurisdictions it may be even easier than the US because there may be fewer constitutional restrictions on private companies working with law enforcement agencies,” he said.
However, Boscovich said in all jurisdictions there will need to be legal standing, which is why few private businesses can do what Microsoft can do.
“Microsoft is able to tackle a greater number of cases because it can demonstrate legal standing wherever criminal activity affects its Windows operating system,” he said.
Microsoft applied for court permission to block incoming and outgoing communications between computers in the US and 18 internet protocol (IP) addresses linked to the ZeroAccess botnet.
Europol, working with Latvia, Luxembourg, Switzerland, the Netherlands and Germany, executed search warrants and seizure orders on various computers related to the 18 IP addresses.
Indications are that this joint operation, which followed the signing of a memorandum of understanding between Microsoft and Europol, is to be the first of several planned anti-cybercrime actions in Europe.
Such operations are likely to involve Microsoft identifying botnet malware and its victims, with regional partners taking action to disrupt criminal infrastructure and help victims clean up malware infections.
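The blocking order described above works on a fixed list of command and control addresses, and the clean-up step depends on knowing which machines were talking to them. The following script is an added illustration of that defender-side check, not code from the article or from Microsoft's Digital Crimes Unit: it scans firewall log lines for traffic in either direction with block-listed addresses and reports the internal hosts that need attention. The block list uses placeholder addresses from the RFC 5737 documentation ranges and the log lines are constructed, because the article does not publish the 18 ZeroAccess addresses.

```python
"""Find internal hosts that communicated with block-listed C2 addresses.

Added example, not the article's or Microsoft's code. The addresses and
log lines are constructed placeholders (assumption: a five-field
firewall log of timestamp, src_ip, dst_ip, dst_port, action).
"""
import ipaddress
from collections import defaultdict

# Placeholder C2 addresses (constructed, RFC 5737 documentation ranges);
# in practice this would be the address list named in the court order.
BLOCKED_C2 = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("198.51.100.7"),
    ipaddress.ip_address("203.0.113.99"),
}

# Constructed sample log: timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2014-03-10T09:01:02Z 10.0.0.12 192.0.2.10 8080 ALLOW
2014-03-10T09:01:05Z 10.0.0.12 93.184.216.34 443 ALLOW
2014-03-10T09:02:11Z 10.0.0.27 198.51.100.7 8080 ALLOW
2014-03-10T09:02:30Z 203.0.113.99 10.0.0.27 8080 ALLOW
2014-03-10T09:03:00Z 10.0.0.40 10.0.0.53 53 ALLOW
malformed line that should be skipped
2014-03-10T09:04:00Z 10.0.0.12 203.0.113.99 8080 DENY
"""


def parse_line(line):
    """Return (src, dst, port, action) or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (
            ipaddress.ip_address(parts[1]),
            ipaddress.ip_address(parts[2]),
            int(parts[3]),
            parts[4],
        )
    except ValueError:
        return None


def find_victims(log_text, blocklist):
    """Map each internal host to its number of contacts with block-listed
    addresses. Both directions count: an inbound packet from a C2 address
    identifies the infected host just as an outbound one does, and a DENY
    still shows the host tried to reach the C2 and needs cleaning up."""
    contacts = defaultdict(int)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # skip malformed lines rather than abort the scan
        src, dst, _port, _action = record
        if dst in blocklist:
            contacts[str(src)] += 1
        elif src in blocklist:
            contacts[str(dst)] += 1
    return dict(contacts)


if __name__ == "__main__":
    for host, count in sorted(find_victims(SAMPLE_LOG, BLOCKED_C2).items()):
        print(f"{host}: {count} contact(s) with block-listed C2 addresses")
```

The output is a list of hosts to remediate rather than a verdict on the traffic itself; a matched connection is evidence the machine is part of the botnet, so the next step is the malware clean-up the article describes, not just tightening the firewall rule.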
“With the expansion of the DCU to over 100 people across the world, we are seeing the ability to think at a greater scale in the regions,” said Bryan Hurd, the DCU’s director of advanced analytics.
“We would love to see more responses on a regional level from other parts of the world such as Europe or Asia,” he told Computer Weekly at the Microsoft Cybercrime Center, the DCU’s world headquarters in Redmond, Washington.
“We have just returned from the Microsoft Digital Crimes Consortium 2014 in Singapore, which brought together 300 of the world’s leading cybercrime fighters with Interpol and others to talk about these very issues,” said Hurd.
The next evolution of regional anti-cybercrime action will be aimed at enabling greater capabilities for more teams and will involve a shift in focus from global to geographically-based malware.
“Through the growing number of PPPs, more law enforcement agencies will be able to follow up on fighting things like mass identity theft that organised crime groups are inflicting,” he said.
As more regions carry out concerted actions, Hurd said the hope is that it will become increasingly difficult for cyber criminals to carry out their activities.
Boscovich said the DCU is going to be focusing increasingly on malware that is targeted at specific geographic regions.
“You will be hearing from us in the coming months as to how we are going to be dealing with these legally and technically from an overseas perspective,” he said.
The specific actions will depend on the particular jurisdiction and the unique options that present themselves through analysis and research.