In March, Microsoft made more headlines when it took down yet another botnet. This time it was a highly publicized takedown of a ZeuS and SpyEye banking Trojan botnets, brought about by pulling the plug on two command and control servers, one in Scranton, Pennsylvania, the other in Lombard, Illinois. Dubbed Operation b71 and accompanied by some informative and entertaining video, it was yet another example of Microsoft’s commitment to leading the war on spam, bots and malware, one for which they’ve taken some positive press over the past couple of years – and well-deserved press, some would say. For those of us who eat, breathe and dream security, we all nodded in approval and returned to our daily routines of fighting the spam war on different fronts, assured in the knowledge that the Redmond Mega Corporation has our backs, as it were.
So why are some people who share the common vision of a spam-free, bot-free world more than a little irked by Microsoft’s actions?
At CircleID, Wout de Natris, an international cybercrime consultant and trainer of spam enforcement, wrote a telling article about the back story behind Microsoft’s latest foray into cybercrime enforcement. Depending on how one reads what’s happened, one might wonder whether Microsoft is nothing more than a headline-grabbing maverick, jumping the gun at the expense of other efforts intending to battle cyber jerks; or whether the software giant is merely acting as the new sheriff in town, ready to pump cyber lead into any offenders who try to disrupt the computer operations of law-abiding citizens. One might even be compelled to ponder why in the heck these organizations, seemingly sharing in the common goal of stamping out the spambags, are fighting amongst themselves.
According to The Register, “The takedown came after Microsoft filed suit against 39 unnamed parties on Monday (16 March) asking for permission to sever the command-and-control structures of these ZeuS botnets. The action follows the same tactics as previous successful takedowns of Waledac, Rustock and Kelihos spam-distribution botnet networks.” Microsoft detailed its actions, which came after months of investigation into the illegal activities of said botnets. End of story, right?
Not so fast, says Michael Sandee, Principal Security Expert at the Dutch security firm Fox IT, who has a lot to say on the matter. In a lengthy blog post published April 12th, Sandee makes no bones about his displeasure at Microsoft and its actions. He describes the entire operation as “very twisted and [something which] will leave you with an uneasy feeling.” He goes on to describe the events in which “Microsoft has endangered the success of countless ongoing investigations in both the private as the public sector all over the world from east to west.” Furthermore, “Microsoft’s declaration contained statements which were incorrect and even contain misleading information regarding the invasion of privacy regarding the victims of ZeuS botnets, as their personal information may end up in the hands of Microsoft.”
In summarizing the whole thing, Sandee pulls no punches when underscoring his scathing diatribe. “This irresponsible action by Microsoft has led to hampering and even compromising a number of large international investigations in the US, Europe and Asia that we knew of and also helped with. It has also damaged and will continue to damage international relationships between public parties and also private parties. It also sets back cooperation between public and private parties, so called public private partnerships, as sharing will stop or will be definitely less valuable than it used to be for all parties involved.”
All this has led to accusations directed squarely at Microsoft about their actions and the repercussions of compromising what appears to be many ongoing investigations. In one example, a security researcher who works at mapping criminal networks against botnets has been compromised in the sense that [Note: Google translation from Dutch to English] “one of his identities is now public, because Microsoft Access in a subpoena access to all his e-mails demanding.” In fact, some critics are pointing out that Microsoft’s actions of taking down the two servers has had little effect and that the ZeuS botnet is alive and well and hurling thunderbolts from Olympus even as you read this article.
Ultimately, people may want to question Microsoft’s motives in what seems to be a botched operation. de Natris offers some valuable insights, however. “What seems clear to me is that a company like Microsoft has tremendous resources that outdo most national police organisations. These investigative resources should not be lost due to a, it seems like, badly coordinated, but unintentional, action. If the clamour shows something, it is that both sides need to be more open to each other and learn to use respective strengths and avoid weaknesses.”
Here endeth the lesson.