Microsoft evolves disruption anti-cyber crime tactic

Microsoft, like other major software suppliers, is increasingly using disruption as a key tactic to fight cyber crime

Microsoft, like other major software suppliers, is increasingly using disruption as a key tactic to fight cyber crime, adapting this approach as cyber criminals change their business models.

Botnets of hijacked computers form the backbone of cyber criminal operations, so it follows that taking down these networks is an important part of the work by Microsoft’s digital crimes unit (DCU).

So far, the DCU, in collaboration with cross-industry partners, has taken down six major botnets, effectively disabling key cyber criminal infrastructure.

The initial takedowns of the Waledac, Rustock, Kelihos and Zeus botnets used legal action to enable the seizure of servers being used as command and control centres.

However, the takedown of the Nitol botnet required a slightly different approach in September 2012 because not all domains hosted by were malicious, said TJ Campana, director of security at DCU.

“Only 70,000 of a total 3.8 million sub-domains were being used by the cyber criminals to host 575 strains of malware, so we could not justify taking down the whole domain,” he told Computer Weekly. 

With an ex parte restraining order against and in partnership with DNS solutions and security company Nominum, Microsoft moved the domain to its own domain name system (DNS).

This meant Microsoft could use a DNS sinkhole to block the operation of the Nitol botnet and the other malicious sub-domains without affecting the legitimate domains hosted by, said Campana.

“We were able to act as a DNS filter,” he said.
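The selective sinkholing described above, as an added example that is not Microsoft's or Nominum's code: a resolver policy answers queries for the blocked sub-domains with a sinkhole address while everything else under the shared parent domain resolves as before. It goes one step beyond the passage by recording which client addresses hit the sinkhole, the raw material for the victim notification the article describes later. The parent domain, the blocklist, the addresses and the query log are all constructed placeholders (the real domain is not named here), and `SinkholePolicy` is a hypothetical name.

```python
"""Selective DNS sinkholing for a shared parent domain (added example).

Not Microsoft's or Nominum's code. Every name and address below is a
constructed placeholder: 'example.net' stands in for the seized parent
domain, and the sinkhole address is from the TEST-NET-1 documentation range.
"""
from collections import Counter

SINKHOLE_IP = "192.0.2.1"  # constructed sinkhole address


class SinkholePolicy:
    """Decides, per query, whether the resolver answers from upstream or sinkholes."""

    def __init__(self, blocked_names, sinkhole_ip=SINKHOLE_IP):
        self.blocked = {self._normalise(n) for n in blocked_names}
        self.sinkhole_ip = sinkhole_ip
        self.hits = Counter()  # (client_ip, blocked name) -> number of sinkholed queries

    @staticmethod
    def _normalise(name):
        # DNS names are case-insensitive and may carry a trailing root dot.
        return name.strip().rstrip(".").lower()

    def _match(self, qname):
        """Return the blocked entry covering qname, or None.

        Matching is done on whole labels, so blocking 'bad-sub.example.net'
        also covers 'cnc.bad-sub.example.net' but never 'notbad-sub.example.net'.
        """
        labels = self._normalise(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return candidate
        return None

    def resolve(self, qname, client_ip, upstream_answer):
        """Return ('sinkhole', sinkhole_ip) for blocked names, else ('passthrough', upstream_answer)."""
        hit = self._match(qname)
        if hit is None:
            return ("passthrough", upstream_answer)
        self.hits[(client_ip, hit)] += 1
        return ("sinkhole", self.sinkhole_ip)

    def infected_clients(self):
        """Client addresses that queried a sinkholed name: candidates for notification."""
        return sorted({ip for (ip, _name) in self.hits})


# Constructed query log: (client address, queried name, answer upstream would have given).
QUERY_LOG = [
    ("198.51.100.10", "cnc.bad-sub.example.net.", "203.0.113.5"),
    ("198.51.100.10", "www.shop.example.net", "203.0.113.40"),
    ("198.51.100.22", "BAD-SUB.example.net", "203.0.113.5"),
    ("198.51.100.22", "notbad-sub.example.net", "203.0.113.41"),
]


def run(policy, log):
    """Apply the policy to each logged query; returns (qname, verdict, answer) triples."""
    results = []
    for client_ip, qname, upstream in log:
        verdict, answer = policy.resolve(qname, client_ip, upstream)
        results.append((qname, verdict, answer))
    return results


if __name__ == "__main__":
    policy = SinkholePolicy(["bad-sub.example.net"])
    for qname, verdict, answer in run(policy, QUERY_LOG):
        print(f"{qname:32} {verdict:12} {answer}")
    print("clients to notify:", policy.infected_clients())
```

The label-boundary match is the detail that matters in practice: a naive substring or suffix check would either miss the botnet's deeper sub-domains or drag legitimate neighbours into the sinkhole, which is exactly the collateral damage the approach is meant to avoid.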

Microsoft discovered the Nitol botnet after discovering retailers were selling computers loaded with counterfeit versions of Windows software embedded with the Nitol and other malware.

“This case highlights the need to have a trusted supply chain to ensure they cannot be infiltrated by cyber criminals,” said Campana.

The DCU investigation showed that the malware was being pre-installed on computers after they had left the factory but before they were delivered to the consumer.

By shutting down the Nitol botnet and bringing the threat to the attention of computer makers and policymakers, Microsoft hoped to reduce the opportunities for cyber criminals to infiltrate the supply chain.

The DCU is aimed at disrupting cyber crime through cross-industry partnerships using technical and legal breakthroughs that increase operating costs and destroy supporting infrastructure. 

This unit has been involved in taking down several key botnets that form the backbone of modern cyber criminal activities, including Waledac, Rustock, Kelihos, Zeus, Nitol, and Bamital.

The DCU also liaises with all the Microsoft security teams to pass on cyber threat intelligence to targeted organisations through computer emergency response teams and internet service providers.

Like Nitol, the Bamital search-results hijacking botnet also required Microsoft to evolve its approach to taking down botnets, becoming more proactive in its most recent takedown in February.

In collaboration with Symantec, Microsoft directed victims to a web page to inform them their computers had been infected by Bamital and to offer an easy method to remove the infection.

Investigators found that in the past two years, more than eight million computers have been attacked by Bamital, but because of the nature of the attack, most victims were unaware they had been targeted.

Investigators also found that the botnet’s search hijacking and click fraud schemes affected many major search engines and browsers, including those offered by Microsoft, Yahoo and Google.

The Bamital botnet defrauded the online advertising ecosystem that allows much of the internet and many online services to be offered free, by redirecting victims to other sites to carry out click fraud.

In this case, advertisers were being charged for clicks on their ads that victims never intended to make.

This redirection was also exposing victims to malware designed to steal personal information.

In taking down Bamital, Microsoft and Symantec once again used a combination of legal and technical action, adding the proactive step of informing victims for the first time.

On 31 January 2013, Microsoft filed a lawsuit, supported by a declaration from Symantec, against the botnet’s operators, to sever all the communication lines between the botnet and the hijacked computers.

The court granted Microsoft’s request, and on 6 February investigators seized valuable data and evidence from web-hosting facilities in Virginia and New Jersey. 

In all botnet operations, the DCU liaises with Microsoft security teams to pass on cyber threat intelligence to targeted organisations through computer emergency response teams and internet service providers.

The data gathered from these takedowns becomes part of Microsoft’s ongoing research in support of protecting its customers.

In this way, Microsoft can use the criminals’ infrastructure against them and make it harder and more expensive for them to commit cyber crime.

Image: Thinkstock
