Home / Blogs

Public Private Cooperation: The Zeus Take Down Example

Wout de Natris

Microsoft took down a Zeus botnet recently. Within days it was publicly accosted by Fox-IT's director Ronald Prins for obstructing ongoing investigations and having used Fox-IT's data. This was followed by the accusation that Microsoft obstructs criminal proceedings by divulging online aliases of digital, undercover investigators after a served court order into these e-mail addresses and sharing them online.

On top of all this EU Commissioner Cecilia Malmström announced that cooperation between law enforcement and industry will be forged in the European Cyber Crime Centre as of 2013. Coincidences do not exist. Why?


When I heard about McColo first, the international spam fighting community of the London Action Plan met at eco in Wiesbaden, Germany. It was not during a presentation at the workshop, mind, no, it sort of syphoned through. Not one of the spam fighters present knew anything about it. This amazed me and also made me feel a little ashamed. How was this possible? Pretty soon the botnet was back online and serving the world its daily ration of spam.

Botnets are vulnerable

What McColo did show the world that its possible to stop bots from spewing spam and malware, as with all things it's possible to go for the root and take it down. Even if the owner(s) are sort of invincible for now.

Several bots were taken down since. Some by Microsoft, some by coordinated police actions. And now both sides are fighting it out in the press, fighting each other instead of focussing on the common enemy: the bots/botherders. But hey, there's a lesson here and stop overlooking it: both are successful!

Lessons from OPTA

In my years at OPTA, the Independent Post and Telecommunication Authority, as spam fighter, I specialised in human relations. Why? We soon found out that visiting a company that is somehow involved in sending spam, could also be the subject of other investigations. So we always checked with colleague organisations. At first they didn't really know who we were, but after a while it became standard practice. Even better, it led to a regular informal meeting on cyber crime of most Dutch organisations involved with online enforcement, which I had the honour to chair for several years. At present, I've been told, relations are even much more formal, copying the ISAC model of information sharing. The best lesson learned here, was that openness comes from both sides, not just one. Let's keep this thought in mind.

Lessons from Microsoft and Fox-IT

What seems clear to me is that a company like Microsoft has tremendous resources that outdo most national police organisations'. These investigative resources should not be lost due to a, it seems like, badly coordinated, but unintentional, action. If the clamour shows something, it is that both sides need to be more open to each other and learn to use respective strengths and avoid weaknesses.

It is not without a good reason that in some countries it is possible to go for private actions in court against spammers and worse. This needs investigation, evidence and resources. Microsoft uses this possibility to go after the biggest spammers.

Unfortunately, uncoordinated a civil (class)action can intrude on or even disrupt criminal or administrative investigations of months or even years of preparation. Leading to the loss of evidence, the warning of criminals and even news reports like the ones at the base of this article. Reports damaging reputations at all sides, whether just or not. While both go for the same target. This solution seems sub-optimal to me. But where can the two meet in a trusted space?

The EU Cyber Crime Centre: trust and coordination

If the European Cyber Crime Centre is to act strongly where cooperation is concerned, it is to make sure that actions and investigations are well coordinated. It has to start with building an environment of trust. Also with industry.

If public and private organisations learn to trust each other and from there to coordinate, they can actually choose which way forward would be the most effective. This means that the EU Centre not only has to coordinate with industry, but that it becomes the centre stage of coordination for all investigations on the Internet. Not only for police, but also spam, malware, privacy and fraud investigations. The question laying at the top of prioritising should be: Who in which country is best equipped to gather evidence? That would truly lead to effective actions.

The EU has a chance to reach this level of effectiveness and so has the US. Will they grab it?

If the world learns to use the powers, knowledge and strengths available, Mrs. Malmström's claim "being among friends and colleagues in this room today I'm hopeful we will win this battle" may well come true. It will take effort, courage and will though.

By Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement. More blog posts from Wout de Natris can also be read here.

Related topics: Cybercrime, Internet Governance, Law, Malware, Policy & Regulation, Privacy, Security, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

i2Coalition to Host First Ever Smarter Internet Forum

Encrypting Inbound and Outbound Email Connections with PowerMTA

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

The Framework for Resilient Cybersecurity (Webinar)

2015 Trends: Multi-channel, Streaming Media and the Growth of Fraud

Dyn Weighs In On Whois

Season's Greetings - 2015 End of Year Message from DotConnectAfrica

Data Volumes and Network Stress to Be Top IoT Concerns

DKIM for ESPs: The Struggle of Living Up to the Ideal

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Protect Your Privacy - Opt Out of Public DNS Data Collection

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

"The Market Has No Morality" Sophia Bekele Speaks on Business Ethics and Accountability

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Sponsored Topics

Afilias - Mobile & Web Services


Sponsored by
Afilias - Mobile & Web Services


Sponsored by

DNS Security

Sponsored by


Sponsored by