I will first begin this post by emphasizing that this article is entirely my personal viewpoint and not to be considered as endorsed by or a viewpoint of my employer or any other organization that I am affiliated with. Neither is this to be considered an indictment of the sterling work (which I personally value very highly) that several people in Microsoft are doing against cybercrime.
Microsoft's takedown of 3322.org to disrupt the Nitol botnet is partial (3322 is not the only dynamic DNS provider Nitol uses) and will, at best, have a temporary effect on the botnet itself, as Damballa's Gunter Ollmann says in a previous CircleID post. Brian Krebs goes into much more detail on just how partial this takedown is, in his blog post.
This is the second such recent high profile takedown by Microsoft — the last one was a takedown of several domains used by the Zeus botnet, which is still alive and well, after a temporary dip because of the takedown.
Microsoft's Terry Zink, who I have a lot of respect for and consider a good friend whose comments on security issues I particularly value, has a balanced article posted earlier on CircleID where he argues the merits of this takedown, and makes a cogent case for the Microsoft strategy of "disrupt, disrupt, disrupt".
Terry's post also quotes Arbor's Jose Nazario, who points out, correctly, that such takedowns must be comprehensive to root out the botnet, and also need to be backed by arrests to ensure that the disruption is complete. Jose, as another expert with decades of experience on the front lines of internet security, is entirely correct here.
In this 3322 takedown though, Microsoft has crossed a significant line in their enforcement actions.
They have not disrupted Nitol by taking over a domain that was registered by a cybercriminal and exclusively used to provide command and control for the botnet. They have taken over a dynamic DNS provider, admittedly one with a massive infestation of cybercriminals and a history of lackadaisical abuse prevention (which tends to attract even more spammers and botmasters), but which has millions of legitimate chinese users.
A dynamic DNS service is what you tend to use if, for example, you need remote access to a webcam, playstation or similar device that's on your home network, connected over a dynamic IP broadband connection. Legitimate traffic to these webcams and such will ideally not be disrupted by Microsoft's taking over 3322.org DNS and proxying DNS requests back to 3322 for hostnames other than those that it deems malicious.
However, individual users and small businesses do use 3322.org and similar dynamic DNS providers to run mailservers on broadband lines. 3322.org's actual use cases (based on their product offering) appear geared to home users, who want a hostname that will provide them fast and load balanced external access to devices in their home, and let a small business run a mailserver on a static IP broadband line while outsourcing their DNS to 3322.
3322's website says that their service is named "PubYun" — which is suggestive of what they see their service as. "Yun" is chinese for "Cloud" and they see their DNS service as helping their customers get a cheap "public cloud".
The collateral damage from this seizure means that 3322's public cloud has been disrupted for potentially millions of legitimate users, none of whose traffic goes anywhere at all near microsoft.com or is any way related to Nitol or other botnets.
While ns*.microsoftinternetsafety.net, which Nominum operates for Microsoft to proxy this siezed domain, proxies A record lookups to 3322's nameservers, it returns a SERVFAIL when it gets a query for, say, an MX record for a 3322 hostname. This means that people who use a 3322.org hostname for their email (and they do exist) need to change their email addresses.
As Krebs points out, 3322 is actively helping their customer base that's affected in any way by this seizure to migrate out to other DNS names. Which means that there is substantial collateral damage which 3322's support team is helping to address by providing alternate hostnames to affected users.
Still, in Microsoft's defense, 3322 has, over the past several years, had a massive infestation of cybercriminals creating and cycling through thousands of hostnames for botnet command and control, spam and other malicious activity.
3322 has been unresponsive to complaints, and where they don't take action, there does need to be some community action to defend itself against this unchecked malicious traffic.
If this action had extended merely to blocking 3322 on Microsoft's corporate infrastructure and websites that it controls that were targeted by bots with command and control on 3322 hostnames, that'd have been fine, and perfectly justified. If antivirus or spam filter providers were to tag URLs and traffic related to 3322.org as potentially malicious, that too might be quite easily justifiable.
Before it comes to takedown —
Did Microsoft reach out to other Chinese organizations to mitigate Nitol?
Did Microsoft try to work with 3322.org's upstream internet providers etc? And if (as I suspect) they did not respond appropriately, did they contact the Chinese CERT to see if they could take action?
Though, as China has historically had a lot of bot activity over the past several years, I am not entirely sure that CN-CERT has been quite as effective as one would expect a national CERT to be. However China has a massive problem with botnets and presumably CN-CERT's resources and reach are limited and not quite capable of sufficiently dealing with this issue?
Previous indications (such as in this article about their lack of timely response to some SCADA malware) suggest that they receive thousands of emails a day and may lack the staff to process those emails and act on them in a timely fashion.
So, to be charitable, let me assume that Microsoft has tried these options and failed to get any actual results from them.
Now, what are Microsoft's goals in this takedown?
Quick results (and yes, lots of headlines in the newspapers) as in the partial takedown of Zeus by siezing and sinkholing a few of its domain names while leaving a large part of Zeus' command and control infrastructure untouched, providing active scope for the criminals behind Zeus (free and un-arrested) to work around this siezure?
There's a similar pattern in this new partial takedown of Nitol (which uses a bunch of other chinese dynamic DNS providers, who have more or less equally patchy records on abuse mitigation and just as large a cybercrime problem as 3322 does).
So, in the medium to long term run, all that Microsoft DCU and Mr. Boscovitch have achieved are laudatory quotes in various newspapers and a public image as fearless and indefatigable fighters waging a lone battle against cybercrime.
That manifestly is not the case. There are several other organizations (corporations, independent security researchers, law enforcement across several countries) that are involved in studying and mitigating botnets, and a lot of their work just gets abruptly disrupted (jeopardizing ongoing investigations, destroying evidence and carefully planted monitoring).
Some of them allege, as did Fox-IT's Michael Sandee, that Microsoft's court filings also contain "some of the nicknames, email addresses, and instant messaging handles about the John Does allegedly involved in this cybercrime group that is identical to information it (meaning Fox-IT) had provided under nondisclosure to a specific mailing list."
The seized domains in the Zeus takedown included domains that had been set up by various researchers and law enforcement as sinkholes to monitor the botnet — infrastructure that had to be painfully rebuilt from scratch after the takedown suddenly disrupted it without a word of warning to the security community at large.
Sandee is quite correct that there is a much larger community of people and organizations involved in this, and takedowns ought to be coordinated, and informally communicated on a need to know basis with enough stakeholders that any potential pitfalls can be avoided. Investigations need not be disrupted, and massive collateral damage (as was caused by Microsoft and Nominum's failure to proxy anything other than A records) might have been avoided.
Taking botnet threats down the way the Conficker Working Group has, in the past, with global coordination, is much more effective — comprehensive, and truly surgical in scope (Microsoft's 3322 takedown was about as surgical as a fire ax is).
Except that such initiatives just don't generate the sort of wildly laudatory press coverage that Microsoft's PR department is capable of generating, to cast it as something in the mould of the Lone Ranger or the Batman — mask, secret identity and underpants worn outside the costume an optional extra.
In the golden age of the DC comicsverse, the role of the police is limited to switching the bat signal on, and carting the Joker or the Penguin off to Arkham Asylum at the end of the episode, and the general public is there solely to provide appropriate background noises (squeals of fear, applause ...).
In the real world of botnet mitigation, not coordinating with the security community at large is a major mistake and it has led to, in both the Zeus and Nitol cases, a partial, botched takedown, and a non trivial amount of collateral damage.
Another of my good friends and longtime CircleID poster Wout deNatris suggests a model for effective public private cross border coordination in such takedown actions. Other security practitioners, such as from the Honeynet Project, have proposed a code of conduct for such takedowns, that stresses multistakeholder cooperation and maintaining confidentiality.
Neither of these models appear to suit Microsoft DCU's current strategy of quick, high profile takedowns of a few domains, coupled with a publicity blitz that makes it sound like Nitol and Zeus have been buried with a stake through their hearts (though that interpretation might be one that individual reporters have, rather than one that Microsoft explicitly gives them).
This strategy of partial, high profile takedowns, coupled with a cavalier disregard for coordination with other stakeholders, is ultimately harmful to botnet mitigation.
It makes the botnets more resilient and future generations of botnets will cope much better with partial disruption. An analogy would be the way that taking antibiotics to cure Tuberculosis, but not following the recommended dosage has caused the TB bacteria to develop resistance to the antibiotics they're commonly treated, resulting in the development of extensively drug resistant (XDR) tuberculosis that needs treatment with yet more powerful antibiotics, to which it may develop even further resistance.
It makes the security community at large begin to distrust Microsoft and be wary of sharing confidential information even with those stakeholders from Microsoft that it has worked constructively with in the past. Especially confidential information involving botmasters, gained undercover, which can, if rashly disclosed in public court filings, potentially disrupt other active investigations, or worst case, pose a threat to the lives of various computer security and law enforcement people who have infiltrated the botnet.
Still further, it bolsters the claims of nations like China who are pressing for an end to US control of substantial parts of the Internet including the root servers, ICANN and IANA.
Of course, .org, as a gTLD controlled by a US based organization (PIR), is at a level below that at which China and other nations support international control and regulation of the Internet. My concern is that this incident will possibly lead to expansion of the scope of just what is demanded to be brought under international control and regulation, especially with the ITRs coming up for modification at the WCIT in Dubai later this year.
I will conclude this article by asking Microsoft's DCU and Mr. Boscovitch personally whether they really have thought through all the implications of their continuing to play a lone hand in this game. Microsoft is a valuable stakeholder in international cybercrime enforcement, and it would be excellent to see them contribute constructively in this area rather than prefer their current course of action which trades limited short term gains and massive publicity for longer term, possibly permanent damage to international cooperation against cybercrime.
By Suresh Ramasubramanian, Architect, Antispam and Compliance
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Neustar DNS Services
Neustar DDoS Protection
Minds + Machines