RSA 2014: Microsoft and partners defend botnet disruption

Microsoft and its partners have defended disrupting criminal botnets at RSA Conference 2014

Microsoft, security firm Agari and the Financial Services Information Sharing and Analysis Center (FS-ISAC) have defended their actions to disrupt criminal botnets at RSA Conference 2014 in San Francisco.

The three organisations worked with the FBI in June 2013 to disrupt the Citadel botnet that was being used to steal online banking credentials and personal identities.

This approach to security is controversial, with opponents arguing that collateral damage is too high and researchers complaining that such actions limit their opportunity to learn more from botnets in action.

“Our goal is always to protect the ecosystem and people whose computers have become infected with botnet malware,” said Richard Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit.

“We measure the effectiveness of this campaign by the fact that financial partners reported between 86% and 98% reduction in fraud after our action against the Citadel botnet,” he said.

Microsoft also observed a drop in activity by other botnet operators in the wake of the Citadel operation.

“This demonstrates that disruption works in a similar way to the traditional model of law enforcement where action against some criminals deters others,” said Boscovich.

Dismissing criticism that such operations are tantamount to playing Whack-A-Mole, he said: “At the very minimum, the disruptive approach eliminates the less sophisticated cyber criminals, reducing the noise, which enables us to concentrate on the bigger threats.”

The FS-ISAC joined the operation because it wanted to take action as an association after hundreds of its members had reported total losses of around $477m, said Errol Weiss, board member of FS-ISAC.

The cyber criminals behind Citadel were tricking victims into downloading the malware by sending fake emails that appeared to come from legitimate financial institutions, but contained malicious links.

Once installed, the malware began recording a victim's keystrokes using a tactic known as keylogging to enable cyber criminals to gain direct access to a victim's bank account.

The malware avoided detection and removal by blocking victims' access to legitimate anti-virus/anti-malware sites.

“This meant infected computers were not able to clean themselves up,” said Weiss. Boscovich said the clear purpose of the anti-Citadel operation was to stop the harm being caused and notify victims.

The source of the attacks was difficult to ascertain as the attackers were changing servers and websites on a regular basis, with 150,000 new ones appearing each day.

But using Agari’s email-monitoring technology, Microsoft was able to follow the attacks in real time and link thousands of malicious emails back to Citadel’s command and control centres.

“Courts are reluctant to take action unless we can demonstrate how criminals are working, how the harm happens, where the harm is being done and who is being harmed,” said Boscovich.

Agari found that while the cyber criminals initially used emails purporting to come from banks, they moved on to using other well-known brands to trick victims into downloading the Citadel malware.

For this reason, Boscovich said, brand owners should use the DMARC standard so that recipients can reject spoofed emails automatically.
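As an added illustration of the DMARC recommendation above (not part of the original article, nor of any Microsoft or Agari tooling), the following Python sketch parses a constructed DMARC record and works out the receiver-side disposition from SPF and DKIM identifier alignment, which is the mechanism that lets a spoofed "From" domain be rejected automatically. The organisational-domain derivation is deliberately simplified to the last two labels; real receivers consult the Public Suffix List.

```python
# Constructed sample record, as a brand owner might publish at _dmarc.bank.example
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@bank.example")


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary with RFC 7489 alignment defaults."""
    tags = {"adkim": "r", "aspf": "r"}          # relaxed alignment unless stated
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Simplified organisational domain: last two labels (assumption, not PSL-based).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organisational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_disposition(record: str, from_domain: str, spf_pass_domain=None,
                      dkim_pass_domain=None, is_subdomain=False) -> str:
    """Return 'pass' if an aligned SPF or DKIM result exists, else the policy to apply.

    spf_pass_domain: domain SPF authenticated (None if SPF failed or was absent).
    dkim_pass_domain: d= of a DKIM signature that verified (None if none did).
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomain policy 'sp' falls back to 'p' when not published.
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


if __name__ == "__main__":
    # A phish claiming to be from the bank but sent via unrelated infrastructure.
    print(dmarc_disposition(SAMPLE_RECORD, "bank.example", spf_pass_domain="bulk-sender.example"))
    # Legitimate mail signed with the bank's own DKIM key.
    print(dmarc_disposition(SAMPLE_RECORD, "bank.example", dkim_pass_domain="bank.example"))
```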

According to DMARC.org, more than 25 million email messages spoofing PayPal were rejected during the 2013 holiday buying season.

Citadel was the seventh of eight major botnet takedowns carried out to date by Microsoft's Digital Crimes Unit (DCU) with partners, as part of its strategy of disabling key cyber criminal infrastructure.

Microsoft filed a civil suit against the operators of the Citadel botnets for court authorisation to cut off communication between 1,486 botnets and the 1.9 million hijacked computers.

The suit, which invoked the civil section of the US Racketeer Influenced and Corrupt Organisations (RICO) Act, was supported by a 5,000-page document detailing the harm done by Citadel to Microsoft, financial institutions and victims targeted by the malware.

On 5 June, Microsoft, escorted by US marshals, seized data and evidence from the botnets, including computer servers from two data hosting facilities in New Jersey and Pennsylvania.

Responding to questions about collateral damage, Boscovich said the law required Microsoft to post a bond that would have been used to compensate anyone affected by mistake.

“These operations are backed up by a lot of research beforehand, but if anyone is affected unintentionally, we help them retrieve any data they have lost,” he said.

Boscovich underlined the importance of partnerships in tackling cyber crime generally and botnets in particular.

He said Microsoft’s large installed base, largely due to the Windows operating system, put it in a unique legal position because it can more easily demonstrate that it has legal standing, or “skin in the game”.

“But despite Microsoft’s footprint, we cannot do it alone. We need partners with specialised skills such as Agari, and we are keen to work with as many partners and industry sectors as possible,” he said.

Patrick Peterson, founder and CEO of Agari, said all industries are seeing cyber criminal activities, but not many outside the banking and financial sector are very proactive.

“Financial services organisations are working together to tackle cyber crime and share information, but we are not seeing much collaboration in sectors like media, retail and healthcare despite the need,” he said.

Responding to allegations that operations such as the one against the Citadel botnet are “PR stunts”, Boscovich said media coverage was an important educational component.

“Not everyone reads specialised cyber crime publications like Dark Reading, so it is important to get this stuff into mainstream media to raise awareness among members of the public,” he said.