
Public Private Cooperation: The Zeus Take Down Example

Wout de Natris

Microsoft recently took down a Zeus botnet. Within days it was publicly criticised by Fox-IT's director Ronald Prins for obstructing ongoing investigations and for having used Fox-IT's data. This was followed by the accusation that Microsoft obstructs criminal proceedings by divulging the online aliases of undercover digital investigators: having obtained a court order covering these e-mail addresses, it then shared them online.

On top of all this, EU Commissioner Cecilia Malmström announced that cooperation between law enforcement and industry will be forged in the European Cyber Crime Centre as of 2013. Coincidences do not exist. Why?


When I first heard about McColo, the international spam-fighting community of the London Action Plan was meeting at eco in Wiesbaden, Germany. It was not during a presentation at the workshop, mind you; no, it sort of siphoned through. Not one of the spam fighters present knew anything about it. This amazed me and also made me feel a little ashamed. How was this possible? Pretty soon the botnet was back online and serving the world its daily ration of spam.

Botnets are vulnerable

What McColo did show the world is that it is possible to stop bots from spewing spam and malware: as with all things, it is possible to go for the root and take it down, even if the owner(s) are more or less untouchable for now.

Several botnets have been taken down since, some by Microsoft, some by coordinated police actions. And now both sides are fighting it out in the press, fighting each other instead of focusing on the common enemy: the bots and their herders. But there is a lesson here, and it should not be overlooked: both approaches are successful!

Lessons from OPTA

In my years as a spam fighter at OPTA, the Independent Post and Telecommunications Authority, I specialised in human relations. Why? We soon found out that a company we wanted to visit for its involvement in sending spam could also be the subject of other investigations. So we always checked with fellow organisations. At first they did not really know who we were, but after a while it became standard practice. Even better, it led to a regular informal meeting on cyber crime of most Dutch organisations involved in online enforcement, which I had the honour to chair for several years. At present, I have been told, relations are far more formal still, following the ISAC model of information sharing. The best lesson learned here was that openness comes from both sides, not just one. Let's keep this thought in mind.

Lessons from Microsoft and Fox-IT

What seems clear to me is that a company like Microsoft has tremendous resources that outdo those of most national police organisations. These investigative resources should not be lost because of what looks like a badly coordinated, though unintentional, action. If the clamour shows anything, it is that both sides need to be more open with each other and learn to use their respective strengths and avoid their weaknesses.

It is not without good reason that in some countries private parties can take spammers, and worse, to court. This needs investigation, evidence and resources. Microsoft uses this possibility to go after the biggest spammers.

Unfortunately, an uncoordinated civil (class) action can intrude on or even disrupt criminal or administrative investigations that took months or even years of preparation, leading to the loss of evidence, to criminals being warned, and even to news reports like the ones at the base of this article: reports that damage reputations on all sides, whether justly or not, while both sides go for the same target. This seems sub-optimal to me. But where can the two meet in a trusted space?

The EU Cyber Crime Centre: trust and coordination

If the European Cyber Crime Centre is to act strongly where cooperation is concerned, it has to make sure that actions and investigations are well coordinated. That starts with building an environment of trust, including with industry.

If public and private organisations learn to trust each other and, from there, to coordinate, they can actually choose which way forward would be the most effective. This means that the EU Centre not only has to coordinate with industry, but that it becomes the centre stage of coordination for all investigations on the Internet: not only for police, but also for spam, malware, privacy and fraud investigations. The question at the top of the prioritisation should be: who in which country is best equipped to gather evidence? That would truly lead to effective actions.

The EU has a chance to reach this level of effectiveness and so has the US. Will they grab it?

If the world learns to use the powers, knowledge and strengths available, Mrs. Malmström's claim that "being among friends and colleagues in this room today I'm hopeful we will win this battle" may well come true. It will take effort, courage and will, though.

By Wout de Natris, consultant in international cooperation on cyber crime and trainer in spam enforcement.

Related topics: Cybercrime, Cybersecurity, Internet Governance, Law, Malware, Policy & Regulation, Privacy, Spam
