Botnet Takedown: Collaboration in Action
Setting Expectations for Vendors' Roles in Investigations
Last week's takedown of more than 1,400 botnets used to spread the banking Trojan known as Citadel could shape the role software companies will be expected to play in malware and cybercrime investigations, participants in the takedown say (see Microsoft, FBI Take Down Citadel Botnets).
The takedown, which involved the Microsoft Digital Crimes Unit, the Financial Services Information Sharing and Analysis Center and other private-sector partners, including online security firm Agari, illustrates an emerging expectation among federal and international authorities that vendors will collaborate more actively to help curb cybercrime.
"Our motivation is to keep turning the vice on cybercriminals," says FS-ISAC spokesman Greg Garcia. "This is the second botnet operation where we've supported Microsoft and law enforcement. We're taking action for three compelling reasons: We can reduce the financial costs of cyberfraud; we're sending criminals a message that their exploits are increasingly risky and costly for them; and we want customers to know we are doing everything we can to protect their assets and confidence in the financial system."
In March 2012, the Digital Crimes Unit initiated a similar takedown involving Zeus botnets. Microsoft and the FS-ISAC claimed that the groundbreaking collaborative effort, known as Operation B71, resulted in the foiling of a financial fraud enterprise.
More Private-Sector Collaboration
Richard Domingues Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit, stresses the need for public-private collaboration.
"Taking down botnets requires a collaborative effort and no single organization can do it alone," he says. "Partnerships are a very important part of our botnet operations and we are grateful for their support and determination to make the Internet safer for everyone. While we work closely with law enforcement on a number of initiatives, Microsoft believes the private sector has an essential role to play to address the increasing complexities of cyber-crime. With continued successes in responsible cooperation among industry, academic researchers, law enforcement agencies and governments worldwide, as you have begun to see in the disruption of botnets, we believe that the global community is at a very exciting turning point in the fight against cybercrime."
Microsoft also says it expects to increase its involvement in these types of partnerships. In a blog post last week, Boscovich noted that the most recent takedown, known as Operation b54, was Microsoft's most aggressive to date, and that private-sector involvement played a critical role.
The American Bankers Association, NACHA - The Electronic Payments Association, and security vendors A10 Networks and Nominum also assisted with the investigation.
The increasing sophistication of the attackers behind today's cybercrimes warrants more cooperation and collaboration among those fighting back, says Pat Peterson, founder and CEO of Agari. "We must continue to be vigilant against these criminals as they grow more and more sophisticated," he says. "The reach of this crime ring should remind everyone to remain alert on a daily basis."
But financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, says that while Microsoft's work on the takedown proved helpful and was welcomed by the industry, the company's energies would be better spent on improving the security of its own products. "It would be even more helpful if they baked more security into their software to prevent the attacks in the first place," she says.
For its part, Microsoft says it plans to distribute updated threat data from the operation through its new Windows Azure-based Cyber Threat Intelligence Program, C-TIP, as well as through the program's original email-based version. C-TIP allows Internet service providers and CERTs to notify people in their region or country of malware infections more quickly and efficiently, and to provide them with cleanup tools to remove the threats, Boscovich says.
On June 5, partners involved in the takedown, accompanied by U.S. Marshals, seized data and evidence, including computer servers, from botnet hosting facilities in New Jersey and Pennsylvania. A search warrant granted as part of Microsoft's civil suit paved the way for gaining access to the data and servers.
Microsoft says it also shared information about the botnets' operations with international computer emergency response teams to help address botnets outside the U.S.
FS-ISAC, NACHA, the ABA and Agari all supported Microsoft's civil lawsuit by serving as declarants in the case, Microsoft says. Agari also provided forensic data, and A10 Networks and Nominum provided technology to help take the botnets down.
Citadel is a banking Trojan with keylogging capability: it monitors and records keystrokes on infected computers, which lets its operators harvest online banking credentials. Authorities say the Citadel botnets taken offline had been connected to financial losses of more than $500 million.
Microsoft estimates that Citadel has infected 5 million computers in more than 90 countries worldwide.