The war on botnets

After the major DNS Changer takedown, Tom Brewster looks at how the pendulum has swung in favour of the anti-botnet warriors.

To bring the different sides together, the security industry needed a big player to step up to the plate. Microsoft did just that. It took on the role of chief botnet slayer.

Microsoft hasn't always been the friendliest giant - just look at its various ongoing squabbles with Google - but the Redmond firm has been the linchpin in many significant battles against botnets. It was responsible for drawing together industry players and law enforcement in smashing Waledac, Rustock and Kelihos. All have formed part of Project Microsoft Active Response for Security (MARS), which has one core aim: "To annihilate botnets and help make the internet a safer place."

"Microsoft has really stepped up in a lot of different ways to try to bring together multiple groups that might not have known each other," Lanstein added. "They've really put a lot of money in going after botnets and it has worked."

The MARS team has worked with a host of security companies, including Kaspersky and FireEye, to share information relating to infections. In the case of Kelihos, Kaspersky loaned Microsoft its live botnet tracking system. The Russian company also led the operation to reverse-engineer the bot malware, crack the communication protocol and develop tools to take apart the botnet's peer-to-peer infrastructure. It was another truly communal effort.


Microsoft should be proud of its work here. No other tech vendor has initiated such a concerted campaign against botnets. That's not to say others haven't played a big part, however. There have been some significant successes that haven't involved Microsoft. The software behemoth was not part of two of the most significant botnet shutdowns in history - Mariposa and DNS Changer. Both of those led to complete disarmament of the bot masters and arrests of suspects.

Microsoft has shown what is possible when everyone cooperates - others have subsequently proven that point: the simple act of sharing is key in identifying botnets and successfully destroying them.

The long arm of the law

Collaboration might be vital, but the nail in the coffin of any botnet is only hammered in if arrests and prosecutions follow. In the past year, a plethora of suspects have been apprehended, but why now? Largely because tech companies and law enforcement have worked out how to twist judges' arms into opening up legal pathways to take botnet infrastructure down before warning its owners.

Just a few years back, efforts to end botnets were not only hampered by an industry as fractious as the Greek Government - the legal system was doing the good guys no favours either. Instead of immediately asking registrars to shut down domains or ordering datacentre owners to allow police to switch off servers helping run botnets, courts required that bot-herders be sent a warning first.

Now, cyber criminals aren't so lucky. The cases of Waledac and Rustock have set legal precedents that will be of huge benefit to the good guys in the long run. In the case of the former, Microsoft convinced a judge to issue an ex parte temporary restraining order (TRO), which meant Verisign, the administrator of the .com domain registry, had to hand the 276 domains used by Waledac for its command-and-control operations over to the Redmond company. Microsoft achieved this simply by pointing to the continuing harm that would be caused by the botnet if immediate action was not taken.

With Rustock, Microsoft filed a lawsuit against the anonymous operators of the botnet, basing its argument in part on the abuse of Microsoft trademarks in the bot's spam. These clever legal manoeuvres are necessary to open the door to complete botnet destruction.
