Home / Blogs

Public Private Cooperation: The Zeus Take Down Example

Wout de Natris

Microsoft took down a Zeus botnet recently. Within days it was publicly accosted by Fox-IT's director Ronald Prins for obstructing ongoing investigations and having used Fox-IT's data. This was followed by the accusation that Microsoft obstructs criminal proceedings by divulging online aliases of digital, undercover investigators after a served court order into these e-mail addresses and sharing them online.

On top of all this EU Commissioner Cecilia Malmström announced that cooperation between law enforcement and industry will be forged in the European Cyber Crime Centre as of 2013. Coincidences do not exist. Why?


When I heard about McColo first, the international spam fighting community of the London Action Plan met at eco in Wiesbaden, Germany. It was not during a presentation at the workshop, mind, no, it sort of syphoned through. Not one of the spam fighters present knew anything about it. This amazed me and also made me feel a little ashamed. How was this possible? Pretty soon the botnet was back online and serving the world its daily ration of spam.

Botnets are vulnerable

What McColo did show the world that its possible to stop bots from spewing spam and malware, as with all things it's possible to go for the root and take it down. Even if the owner(s) are sort of invincible for now.

Several bots were taken down since. Some by Microsoft, some by coordinated police actions. And now both sides are fighting it out in the press, fighting each other instead of focussing on the common enemy: the bots/botherders. But hey, there's a lesson here and stop overlooking it: both are successful!

Lessons from OPTA

In my years at OPTA, the Independent Post and Telecommunication Authority, as spam fighter, I specialised in human relations. Why? We soon found out that visiting a company that is somehow involved in sending spam, could also be the subject of other investigations. So we always checked with colleague organisations. At first they didn't really know who we were, but after a while it became standard practice. Even better, it led to a regular informal meeting on cyber crime of most Dutch organisations involved with online enforcement, which I had the honour to chair for several years. At present, I've been told, relations are even much more formal, copying the ISAC model of information sharing. The best lesson learned here, was that openness comes from both sides, not just one. Let's keep this thought in mind.

Lessons from Microsoft and Fox-IT

What seems clear to me is that a company like Microsoft has tremendous resources that outdo most national police organisations'. These investigative resources should not be lost due to a, it seems like, badly coordinated, but unintentional, action. If the clamour shows something, it is that both sides need to be more open to each other and learn to use respective strengths and avoid weaknesses.

It is not without a good reason that in some countries it is possible to go for private actions in court against spammers and worse. This needs investigation, evidence and resources. Microsoft uses this possibility to go after the biggest spammers.

Unfortunately, uncoordinated a civil (class)action can intrude on or even disrupt criminal or administrative investigations of months or even years of preparation. Leading to the loss of evidence, the warning of criminals and even news reports like the ones at the base of this article. Reports damaging reputations at all sides, whether just or not. While both go for the same target. This solution seems sub-optimal to me. But where can the two meet in a trusted space?

The EU Cyber Crime Centre: trust and coordination

If the European Cyber Crime Centre is to act strongly where cooperation is concerned, it is to make sure that actions and investigations are well coordinated. It has to start with building an environment of trust. Also with industry.

If public and private organisations learn to trust each other and from there to coordinate, they can actually choose which way forward would be the most effective. This means that the EU Centre not only has to coordinate with industry, but that it becomes the centre stage of coordination for all investigations on the Internet. Not only for police, but also spam, malware, privacy and fraud investigations. The question laying at the top of prioritising should be: Who in which country is best equipped to gather evidence? That would truly lead to effective actions.

The EU has a chance to reach this level of effectiveness and so has the US. Will they grab it?

If the world learns to use the powers, knowledge and strengths available, Mrs. Malmström's claim "being among friends and colleagues in this room today I'm hopeful we will win this battle" may well come true. It will take effort, courage and will though.

By Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement. More blog posts from Wout de Natris can also be read here.

Related topics: Cybercrime, Internet Governance, Law, Malware, Policy & Regulation, Privacy, Security, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News


Industry Updates – Sponsored Posts

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

DotConnectAfrica on "CONNECTing the Dots: Options for Future Action" at UNESCO, Paris

IBCA Presentation to ICANN GAC on Protection of Geographic Names in New gTLDs

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

What's in Your Attack Surface?

Season's Greetings - 2014 End of Year Message from DotConnectAfrica

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

3 Questions to Ask Your DNS Host About DDoS

Afilias Director Wins ICANN's 2014 Leadership Award

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Sponsored Topics



Sponsored by
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines


Sponsored by

DNS Security

Sponsored by