Microsoft Builds Legal Weapon to Take Apart Botnets

The take-down of the Rustock botnet in March gave Microsoft another head for its mantle: two in just the last year. That’s an impressive take for any private firm, and one of a string of actions against bot networks in recent years.  But security experts say that the company’s success in building a legal basis for moving against botnets is an even bigger achievement.

Rob Lemos

Microsoft partnered with anti-botnet firm FireEye, the University of Washington and the U.S. Marshals Service, with the cooperation of the Dutch authorities, China’s CN CERT and the pharmaceutical firm Pfizer, to successfully shut down the million-node Rustock botnet in March. The action caps a years-long initiative by the Redmond, Washington software giant to create a legal foundation for companies to act against bot masters.

Microsoft’s action against Rustock involved nearly simultaneous raids on data centers in Chicago, Columbus, Dallas, Denver, Kansas City, Scranton, Seattle and the Netherlands. The takedown followed a similar process spearheaded by Microsoft to take down the 60,000-node Waledac botnet a year ago.

“The real interesting aspect of both of the cases is going in without notice to seize these things before they are moved,” says Richard Boscovich, senior attorney with Microsoft’s Digital Crimes Unit.

Three years ago, the DCU started looking for novel ways of addressing the online threat to Microsoft’s users. One problem: companies had little legal recourse to pursue bot masters if they could not get the FBI or another law-enforcement agency to open a criminal investigation. So Microsoft created a project, dubbed the Microsoft Active Response for Security, or MARS, to establish a new strategy for going after criminals who act with relative impunity on the Internet.

The goal of the initiative was to answer three questions. First, did the technical means exist for companies to conduct investigations and takedowns? Second, could the current civil legal framework be used to take down, or at least significantly hinder, botnet operations? And finally, could industry and academic experts partner to address the threat to the Internet?

Following the latest takedown, the answer to all three questions appears to be ‘yes.’ For example, in taking down Rustock, Microsoft cooperated with security firm FireEye to identify the command-and-control mechanisms of the botnet.

In the Waledac case, Microsoft used a civil argument to get a court to grant an ex parte temporary restraining order (TRO), which allowed the company to force Verisign, the administrator of the .com domain registry, to seize 277 domains used by Waledac for its command-and-control operations without notifying the owner. Such orders are extremely rare and considered to be an extraordinary remedy.

However, the unique circumstances of botnets require them, says Boscovich. Providing notification before the raid and seizure would “defeat the whole purpose, because the bot herders would move all the computers and we would have to start from square one,” he says.

“Waledac was the proof of concept,” says Boscovich. “It showed that we could take down a pretty complicated peer-to-peer bot. From my perspective, being a lawyer, it’s exciting that we were able to use statutes that are already on the books.”

Microsoft had to document for the court the ongoing harm caused by the botnet, and that the harm would continue if the botnet was allowed to keep operating. The current mechanisms under ICANN for providing notice have not kept up with current malware, he says: if you follow the process, there is a lot of back and forth, and the registrar has to contact the domain holder.

“The first notice that a botherder gets that someone is looking at their domains, then they will move the command-and-control servers and the process has to start all over again,” Microsoft’s Boscovich says.

Using the law to shut down the Waledac botnet would have been impossible a decade ago, says Alex Lanstein, a senior engineer with FireEye. When FireEye went after the Mega-D botnet, the ability to take down the command-and-control servers came from establishing relationships with the registrars, not through any legal action.

“Dot-com has been around for so long and the rules for the Internet in the early days were so bad, that (domain registries) were not positive that they had the legal authority to do this,” says Lanstein. “But now there is a legal mechanism that shows that they do.”

Before the Microsoft actions, the only time a temporary restraining order had been used to seize bot masters’ assets was the takedown of the Triple Fiber Network (3FN), initiated by the Federal Trade Commission during a civil investigation of the hosting provider’s collusion with bot herders.

Companies in other countries are typically worse off than those in the United States, where cybercrime laws are more mature. For example, the takedown of the 13-million-node Mariposa botnet by a group of companies and law enforcement officials did not lead to jail time for the Spanish operators of the botnet because Spain did not have cybercrime laws on the books to make it illegal to operate a botnet. In fact, even after the Mariposa Working Group did the forensics work to identify the pair of operators that lived in Spain, they still could not be prosecuted.

“We had tons of evidence that we thought would land these guys in jail,” says Pedro Bustamante, senior research advisor at antivirus firm Panda, which was part of the working group. “But the only reason they got arrested is not because they were running a 13-million-node botnet and not because they stole millions of credentials. The only reason they got arrested is because they launched a denial of service attack against a Canadian ISP.” The pair were released on bail and no charges have been brought.

Not all is lost, however. A few months later, Spain ratified the Council of Europe Convention on Cybercrime, which means that the operation of botnets is now illegal there, Bustamante says.

Taking on botherders is an expensive proposition. FireEye’s Lanstein says he met a half-dozen lawyers at Microsoft who were working on the Rustock case – making the option too rich for most companies.

However, larger firms that want to thin the ranks of cybercriminals, or at least cause them real pain, can follow the path forged by Microsoft and other companies to make botnets a less-than-easy crime. Pursuing an arrest is a difficult road, but not impossible: while there have not been any arrests in the Rustock takedown, Microsoft has a third-party firm performing forensics on the seized hard drives. The data could produce more leads and possibly arrests, says Lanstein. “Putting someone in handcuffs is the endgame,” he says. “It’s something that you have to work towards.”
