New York City – Microsoft has proven that it can take down huge, global botnets like Kelihos, Rustock and Waledac. Now the company is ready to start making the data it acquires in those busts available to governments, law enforcement and customers as a real-time threat intelligence feed.
Representatives from the Redmond, Washington software maker told an audience at the International Conference on Cyber Security (ICCS) here that it was testing a new service to distribute threat data from captured botnets and other sources to partners, including foreign governments, Computer Emergency Response Teams (CERTs) and private corporations.
“We collect a tremendous amount of data from our global assets,” said T.J. Campana, a Senior Program Manager in Microsoft's Digital Crimes Unit (DCU). The company is now working on a way to get slices of that information to its partners, including ISPs, CERTs, government agencies and private companies, based on their need, he said.
Microsoft has been beta testing the system internally in recent months. Campana described it as a 70-node cluster running the Apache Hadoop framework on top of Windows Server. It currently stores data culled from the Kelihos botnet in September 2011 and other sources.
The data includes IP addresses of Kelihos-infected systems complemented by other data such as the AS (autonomous system) number and reputation data provided by Microsoft’s Smart Network Data Services (SNDS). Personally identifiable information (PII) would not be part of the threat feed, Campana said.
Microsoft collects the data by leveraging its huge Internet infrastructure, including a load-balanced, 80 Gb/second global network, to swallow botnets whole – pointing botnet-infected hosts to addresses that Microsoft controls, capturing their activity and effectively taking them offline.
Microsoft has long been collecting data from its botnet takedowns, including the Waledac (March 2010) and Rustock (March 2011) botnets, said Richard Domingues Boscovich, a senior attorney in the Microsoft DCU. “We’ve been doing this for three years, but it's been a manual process, working with partners like CERT,” he said. Those partners requested a way to access the captured botnet data more quickly – ideally in real time. Now Microsoft thinks it's close to providing that.
When fully deployed, Microsoft anticipates being able to offer three real-time feeds, which third parties could access using APIs (application programming interfaces) provided, for free, by the company.
Companies could use the data to look for opportunistic malware infections that often accompany botnet infections, or correlate data on botnet hosts with data on click fraud and other scams, Campana told the crowd.
Partner organizations would provide Microsoft with information on their IT infrastructure, such as an IP address block that they own. Microsoft would then filter its threat feed by that information, supplying subscribers with data relevant to their infrastructure.
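The filtering step described above, as an added example that is not Microsoft's code: a subscriber registers the IP blocks it owns, and only sinkhole records inside those blocks are released to it, reduced to the agreed fields (IP, AS number, reputation, botnet) so no PII can leak through. The field names, the sample records and the subscriber's blocks are constructed assumptions for illustration.

```python
"""Added example (not Microsoft's code): filter a botnet sinkhole feed down to
records inside a subscriber's own IP blocks and strip every field outside the
agreed schema. Record layout and values are constructed assumptions."""
import ipaddress
from typing import Iterable

# Constructed sample records in the shape the article describes: infected host
# IP, its autonomous system number and a reputation score. Addresses come from
# the RFC 5737 documentation ranges, not from real infected hosts.
SAMPLE_FEED = [
    {"ip": "198.51.100.23", "asn": 64496, "reputation": "bad", "botnet": "kelihos",
     "contact_email": "constructed@example.invalid"},   # PII that must not pass
    {"ip": "198.51.100.200", "asn": 64496, "reputation": "bad", "botnet": "kelihos"},
    {"ip": "203.0.113.7", "asn": 64497, "reputation": "suspicious", "botnet": "kelihos"},
    {"ip": "not-an-ip", "asn": 64499, "reputation": "bad", "botnet": "kelihos"},
]

# Only these fields are ever handed to a subscriber (assumed schema).
ALLOWED_FIELDS = {"ip", "asn", "reputation", "botnet"}


def filter_feed(records: Iterable[dict], owned_blocks: Iterable[str]) -> list:
    """Return the records whose IP lies inside one of the subscriber's CIDR blocks.

    A malformed or missing address is skipped instead of raising, so one bad
    record cannot stall a real-time stream. Each returned record is reduced to
    ALLOWED_FIELDS, so a stray upstream field never reaches the subscriber.
    """
    networks = [ipaddress.ip_network(b, strict=False) for b in owned_blocks]
    matched = []
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except (KeyError, ValueError):
            continue  # unparsable or absent address: drop the record
        if any(addr in net for net in networks):
            matched.append({k: v for k, v in rec.items() if k in ALLOWED_FIELDS})
    return matched


if __name__ == "__main__":
    # A subscriber owning 198.51.100.0/25 sees only the first record, minus PII.
    for r in filter_feed(SAMPLE_FEED, ["198.51.100.0/25"]):
        print(r)
```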
National or regional CERTs might be interested in threats that were pertinent to their area. Microsoft also hopes that its service will extend the capabilities of smaller organizations and governments to battle large, powerful global botnets – lowering the cost of monitoring and responding to botnet infections.
The company wouldn’t give a timeline for deploying its new real-time threat feed, but said that it would consider opening the new feeds to the public after it was satisfied with the outcome of an internal beta test.
The ICCS Conference at Fordham University in New York City is in its third year and is jointly sponsored by Fordham and the FBI. It brings together local, state and federal law enforcement from around the globe to discuss issues related to cyber criminal investigations and protections.