Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks
Crime and Terrorism
Date: Tuesday, July 15, 2014 Add to my Calendar
Time: 02:30 PM
Location: Dirksen 226
Presiding: Senator Whitehouse (D-RI)

The background is of course quite interesting, given how soon it has followed Microsoft’s seizure of several domains belonging to Dynamic DNS provider no-ip.com for alleged complicity in hosting trojan RAT gangs, a couple of days after which the domains were subsequently returned—without public comment—to Vitalwerks, the operator of No-IP.

This is by no means a new tactic for Microsoft, who has carried out successful seizures of various domains over the past two or three years.

There was some initial criticism, including a CircleID post that I wrote, when they first began to do this back in 2012, with their seizure of Chinese dynamic DNS provider 3322.org, scant weeks before the 2012 WCIT in Dubai, mind you.

Back during l’affaire 3322 and since then, public criticism has mostly been muted—and mostly by some of the more outspoken individuals in the security community. Others evidently preferred that essential tool of diplomacy—a masterly silence.

Meanwhile, Microsoft continued with their strategy, taking down domains involved in Zeus and Citadel.

In both these cases, the domains seized were entirely malicious, solely used by the botnets and so their seizure disrupted maybe some researchers who were understandably upset, possibly (I wouldn’t know) other law enforcement around the world that might have been monitoring Zeus only to find their investigations rudely disrupted… but no collateral damage to John Q Public. So, more of the same muted criticism in public, fiercely opinionated conversations in private.

Back then, there were some concrete suggestions made—by Wout de Natris advocating public private cooperation in botnet takedowns on CircleID, and by the Honeynet Project, which developed a code of conduct on botnet takedowns.

Business as usual, so to speak, with Microsoft’s only response being to rebut such criticism as overblown, and making the reasonably valid case that the bot domains in question were genuine threats that were causing substantial harm to the general public while they were left up.

The no-ip seizure turned this situation around fast. There was massive collateral damage, much closer to home and with No-IP having a rather larger userbase than previous takedown targets in China or Europe.

The casualties of this friendly fire seizure included monitoring cams for seniors with dementia, internet connected alarm systems, online multiplayer games… that sort of thing, which ignited a firestorm of criticism, including in mainstream publications like Forbes, rather than just the IT industry trade press.

As I pointed out in my 2012 CircleID post, it occurred during the 3322 takeover as well, but that was all in far distant China, with nobody any local media knew being affected). In the case of No-IP, the collateral damage was immediate, hard hitting and easily visible.

This appears to have caused the tide to turn—and in record time.

Today, I saw a link to this Senate hearing, announced within days of the no-ip takedown and subsequent return.

Minutes later, I saw this other very interesting article, in which a Microsoft program manager admits to internal doubts about the efficacy of these takedowns for anything other than PR, and urges cooperation between Microsoft and the security community.

That is something I said in my 2012 CircleID post as well, and that is what several people whose opinion I respect have assured me—in personal mail, over drinks at a conference reception… but mostly if not always in a private conversation, so it is refreshing to see a public acknowledgement of this, and a good sign if such introspection is actually taking place at Microsoft.

The article says, and I quote,

Speaking in Boston at the 26th annual FIRST Conference, Holly Stewart, a Senior Program Manager at Microsoft gave a sober assessment of the software industry’s fight against cyber criminal groups and other malicious actors.

Despite some high profile take-down actions against botnets and prominent families of malicious software like Citadel, Zeus and SpyEye, the company sees the gains of such efforts as short lived. Take downs- often carried out in coordination with international law enforcement often had more value as public relations than anything else, Stewart said.

“We haven’t been able to scale enough to tip the malware problem,” Stewart told the audience.

I for one welcome our new co-operators. As Hamlet said in his soliloquy, ” ‘Tis a consummation. Devoutly to be wished”.

PS: All this is, like the disclaimer in my CircleID profile says, entirely my personal opinion and I’m, as always on CircleID, speaking only for myself.