Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:41 PM
Connect Directly

Controversy Erupts Over Microsoft's Recent Takedown Of A Zeus Botnet

Dutch researchers accuse Microsoft of mishandling the recent Zeus botnet takedown and hurting other investigations -- but others defend Microsoft's operation as thorough

The goal of the code of conduct is to take a holistic view of a sinkhole operation that looks at it from a moral, ethical, and legal perspective. Among the questions researchers should answer before a takedown, according to the Honeynet Project: What are the benefits? What are the risks? How do they balance each other? Would it jeopardize law enforcement investigations?

Dave Piscitello, senior security technologist for ICANN, says this issue of "collateral damage" can affect more than the suspension of legit domains, for example, but also other investigations into a botnet. "Absent sufficient information sharing, cooperation, coordination and trust among investigating parties, there is too much room for error or interference, and one party's success can hamper the erstwhile and equally important efforts of others," Piscitello wrote today in a blog post.

He says it makes sense to verify whether domains are actually "harmful" and to "minimize collateral damage" when a botnet is dismantled.

Fox-IT's Sandee alleges that among the domains seized by Microsoft in the Zeus operation were legitimate ones, as well as older, expired ones. Among the legit ones were ones used by security firms and other organizations using sinkholes in search of infected bots they can report to ISPs and others. "So these security companies and NGOs lost a part of their domains and thus a part of their intelligence feed, and were also marked as being potentially a contact for the criminals," Sandee said.

He also contends that the way Microsoft set up its servers allows it to process packet data and gather HTTP requests with full headers and "actually also POST data which will contain sensitive information about the victims, including usernames, email addresses , passwords and personally identifiable information," he said.

Fox-IT also contends that the affidavit contains some of the nicknames, email addresses, and instant messaging handles about the John Does allegedly involved in this cybercrime group that is identical to information it had provided under nondisclosure to a specific mailing list.

"The information therein was 100% identical to information we had supplied to a certain mailing list. This mailing list has the restriction that data being shared can only be used with the permission of the person who supplied that data. The information was in exactly the same order and contained exactly the same amount of information on those john does that we and also a friendly information security company had provided. Since the order and amount of information was 100% identical, and the data then also being used out of context and misinterpreted, meant that the person who interpreted it did not have the right background to fully understand the data," Sandee wrote.

"For us this felt as a major blow as we spent a lot of time in getting this kind of information, while a corporate giant like Microsoft is now using this information without reaching out to the persons who supplied that information, for their own marketing and public relation purposes," he wrote. "From our end we can confirm that this information was never supplied for the purposes that Microsoft used it for. This whole action of Microsoft brings a major blow to the entire information sharing between information security companies on mailing lists and working groups."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.