REDMOND, Wash.–Cybercrime has developed in the last few years into a major concern, not just for the consumers and businesses that are victims, but also for governments around the world. Obama administration officials have called it one of the larger threats to the United States economy. While law enforcement agencies handle the investigative and prosecutorial piece of things, they are increasingly being aided by experts at companies such as Microsoft, Google and others that have unique insights into attackers’ activities and the capability to make life more difficult for them.

Microsoft, for one, has taken a very aggressive stance on cybercrime in recent years. By virtue of its massive user base, the company has a lot of visibility into the ways that attackers are exploiting not just Microsoft products, but also other applications installed on target machines. As one would imagine, Microsoft officials take a dim view of attackers going after their customers, and the company has been using a variety of methods for preventing cybercrime and punishing those involved in it. The most visible piece of this arsenal is the Microsoft Digital Crimes Unit, a small group of engineers, security experts and lawyers here who spend their days tracking botnet operators, malware writers and helping law enforcement agencies around the world identify and find them.

It may seem odd that a software vendor, even one as large and influential as Microsoft, would fund such a team, but company officials say it’s an important part of keeping customers safe. If cybercrime can’t be prevented, the DCU members want to be sure that it is less attractive and less profitable for the attackers who choose to get involved.

“The bad guys are getting better at what they do, and we want to be a force-multiplier for good. Our job is not law enforcement. Our goal is to transform this fight to really disrupt and destroy the way cybercriminals operate,” said T.J. Campana, director of security at the DCU.

The biggest target thus far for the DCU team has been the botnet problem. Botnets are used for a variety of nasty purposes, especially spam, DDoS attacks and data theft. Microsoft and other vendors have been tackling the problem from various angles for years now, but the tool that they’ve found to be the most effective involves a combination of legal and technical means of crippling a botnet. The company, along with law enforcement agencies and other vendors, have succeeded in taking down several botnets in the last few years, including Kelihos, Zeus, Waledac and Rustock. In many of these cases, along with sinkholing the target botnet’s command-and-control servers, the Microsoft DCU team has used court orders to physically seize servers. This tactic has been somewhat controversial, but Campana said the nature of the threats has made it necessary.

“Botnets are the backbone of the modern cybercrimnal,” he said. “We’re severing the connection between the harmed customer and the bad guys. We’ve had court orders to go in and rip the servers out of the data centers. It doesn’t get any cooler than that. But it’s an extraordinarily high burden of proof to be able to do that.”

Disrupting botnets can be a frustrating business, as Microsoft has found out, as attackers often will react to a takedown by simply moving to a new infrastructure, finding pliable hosting providers and getting back to business. That’s always going to be a possibility, especially when attackers are able to buy bot toolkits cheaply and quickly build up a new network of compromised machines.

“The cost of entry into cybercrime is very low and the profits are high. We want to increase the cost of the bad guys getting into the cybercrime business,” he said. “And if they do get in, we want to decrease their ability to make money. We want to demotivate this kind of activity.”

But Campana said the takedowns are only one piece of the larger picture. The company is in the process now of building a new cybercrime center at its headquarters here, and DCU officials hope to make it a nerve center for anti-cybercrime operations across the industry. As part of an effort to help speed up the pace at which it is able to respond to new emerging attacks on its customers, Microsoft DCU also is working on a new Cyber Threat Intelligence service which Campana said could serve as a two-way communication channel to help get information and remediation tools out to cybercrime victims much more quickly.

“I want to get to a place where the bad guy launches a new attack, and within a couple of minutes we can respond and get a message to victims,” he said. “I want that identification, notification and remediation happening as quickly as possible.”

Campana’s team also is working with a number of outside companies and groups to help make it more difficult for attackers to get access to the tools they need for their operations. One way they’re doing this is by working with hosting providers, which are key cogs in many cybercrime machines, especially botnets. Attackers often use so-called bulletproof hosting providers to house their C2 servers for botnets, malware distribution and phishing campaigns. But they also will take advantage of legitimate hosting providers who aren’t aware of what’s going on. Campana said his team is working with many hosting companies to fix this. They’re also talking with domain registrars to prevent attackers from being able to register dozens or hundreds of domains quickly for use in fast-flux botnets.

“A lot of the domains they register are just randomly generated numbers and letters. We’re talking with the hosting providers and registrars to say, let’s just not let these kind of domains be registered ever,” he said.

While the DCU has seen plenty of success so far, Campana said there’s no shortage of challenges looming for his team and others interested in disrupting cybercrime.

“The bad guys are moving at such a fast pace and they’re changing their tactics on the fly,” he said. “They don’t play by the rules. They don’t have any rules, and we have to find a way to make it harder for them.”

Categories: Malware, Microsoft

Comment (1)

  1. Jan
    1

    If Microsoft is so into sorting out DDOS problems, why don’t they fix the default behaviour of their (expletive) DNS server? It’s not just recursive: it always answers, and has no provision for rate limits.

Comments are closed.