Controversy Erupts Over Microsoft's Recent Takedown Of A Zeus Botnet

Dutch researchers accuse Microsoft of mishandling the recent Zeus botnet takedown and hurting other investigations -- but others defend Microsoft's operation as thorough

Microsoft's unprecedented aggressive legal strategy in botnet takedowns came under fire from researchers in the Netherlands, charging that the software giant's most recent botnet dismantlement operation has ultimately damaged international law enforcement and private research investigations.

Michael Sandee, principal security expert at Netherlands-based Fox-IT, wrote in a blog post today that rather than truly injuring the Zeus botnet operations last month, Microsoft instead has hampered investigations into these operations by its actions last month of removing and confiscating two of the command-and-control (C&C) servers under a federal court order. With U.S. marshals escorting them, a team from Microsoft, FS-ISAC, which represents 4,400 financial institutions, and NACHA on March 23 physically removed C&C servers used in the operation that were running out of two hosting services centers -- one in Scranton, Pa., and the other in Lombard, Ill. -- which resulted in the takedown of two IP addresses of the C&C infrastructure.

Microsoft acknowledged at the time that the operation would not stop Zeus-based operations, and that the goal was not to permanently kill all of the Zeus botnets targeted in the operation, but instead to disrupt this segment of the operation.

But Fox-IT's Sandee says Microsoft's actions did harm to the good guys. "Microsoft has endangered the success of countless ongoing investigations in both the private as the public sector all over the world from east to west," Sandee said in his post today. "Obviously as most of these folks are located in Russia and Eastern Europe, the cooperation between parties in those regions and in western countries on both public and private sector side has been hurt more than you can expect, and also years of trust building has potentially been lost ... In our discussions with Law Enforcement Officers, private investigators and members of NGOs researching these threats from across the globe we have found nothing but disappointment and disbelief regarding the irresponsible actions executed by Microsoft. Various other researchers have outed their disappointment."

Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit, said in a statement that Fox-IT's post "is based at least in part on some factual misunderstandings about the operation which we are more than happy to discuss with Fox IT."

Boscovich says he can't comment on details of the case because it's a legal matter, but noted that the details in the court filings are not all of the evidence and intelligence gathered in the operation. "To be clear, information in the legal filings for this case came from Microsoft's independent research as well as information provided by third party partners and researchers with their explicit permission and intent for inclusion, sourced from their own research or what they hold from sources widely exchanged within the security community," he said. "There are times when, for operational security reasons, we cannot provide advance information to all researchers out there monitoring a particular threat and there are, by law, firm restrictions on investigative collaboration between private companies and law enforcement. Despite these limitations, Microsoft's commitment to trustworthy partnership with the research and enforcement community has never wavered."

Microsoft's legal team was conspicuously missing from the most recent takedown of the second-generation Kelihos botnet, a.k.a. Hlux.B or Kelihos.B, which was spearheaded by Kaspersky Lab, CrowdStrike, Dell SecureWorks, and The Honeynet Project. They poisoned the peer-to-peer network-based botnet with their own code, which initially diverted some 110,000 infected machines to their sinkhole server and out of the hands of the botnet operators.

Kelihos/Hlux (a.k.a. Hlux/Kelihos), which was initially taken down in the fall by Microsoft, Kaspersky, and researchers from several other organizations, had been spotted by researchers re-emerging over the past few months with a new version of its malware.

[The shutdown of Waledac 2.0 by Microsoft and Kaspersky aims to send a message, but also raises questions, legal and otherwise. See Microsoft: No Resurrection For Dead Botnets. ]

Fox-IT is one of the first security firms to voice growing concerns about the ramifications of botnet takedowns in general. Previously, other security experts have quietly or carefully voiced their worries about the legal and ethical issues surrounding these operations.

The Honeynet Project has led the industry in helping define proper botnet takedown procedures. Botnet takedowns are complicated and care must be taken not to overstep the legal or other boundaries, according to Honeynet officials.

Christian Seifert, chief communications officer for the Honeynet Project, and Dave Dittrich, chief legal and ethics officer for the Honeynet Project, say that Microsoft was clear up front with the Zeus operation. "Microsoft clearly defined beforehand intention, justification, harm/benefit of their operation and, as such, went beyond what others may do," they said in a statement.

Sandee's points about sources and sharing information, however, were valid, they said. "One should attribute sources, share data and intent if possible, minimize harm to other fellow researchers, etc."

The Honeynet Project recently issued a proposed code of conduct for these operations to ensure that the benefits outweigh the risks. "Again, our hope is that the code of conduct guides researchers in making the risk/benefit assessment in a systematic way and construct their operation in a way that maximizes benefits and minimizes harm. It's not a black/white world though, so there is not going to be a situation where we only have benefits and no harm/risks," they said.

Next Page: A 'Code of Conduct' for botnet takedowns The goal of the code of conduct is to take a holistic view of a sinkhole operation that looks at it from a moral, ethical, and legal perspective. Among the questions researchers should answer before a takedown, according to the Honeynet Project: What are the benefits? What are the risks? How do they balance each other? Would it jeopardize law enforcement investigations?

Dave Piscitello, senior security technologist for ICANN, says this issue of "collateral damage" can affect more than the suspension of legit domains, for example, but also other investigations into a botnet. "Absent sufficient information sharing, cooperation, coordination and trust among investigating parties, there is too much room for error or interference, and one party's success can hamper the erstwhile and equally important efforts of others," Piscitello wrote today in a blog post.

He says it makes sense to verify whether domains are actually "harmful" and to "minimize collateral damage" when a botnet is dismantled.

Fox-IT's Sandee alleges that among the domains seized by Microsoft in the Zeus operation were legitimate ones, as well as older, expired ones. Among the legit ones were ones used by security firms and other organizations using sinkholes in search of infected bots they can report to ISPs and others. "So these security companies and NGOs lost a part of their domains and thus a part of their intelligence feed, and were also marked as being potentially a contact for the criminals," Sandee said.

He also contends that the way Microsoft set up its servers allows it to process packet data and gather HTTP requests with full headers and "actually also POST data which will contain sensitive information about the victims, including usernames, email addresses , passwords and personally identifiable information," he said.

Fox-IT also contends that the affidavit contains some of the nicknames, email addresses, and instant messaging handles about the John Does allegedly involved in this cybercrime group that is identical to information it had provided under nondisclosure to a specific mailing list.

"The information therein was 100% identical to information we had supplied to a certain mailing list. This mailing list has the restriction that data being shared can only be used with the permission of the person who supplied that data. The information was in exactly the same order and contained exactly the same amount of information on those john does that we and also a friendly information security company had provided. Since the order and amount of information was 100% identical, and the data then also being used out of context and misinterpreted, meant that the person who interpreted it did not have the right background to fully understand the data," Sandee wrote.

"For us this felt as a major blow as we spent a lot of time in getting this kind of information, while a corporate giant like Microsoft is now using this information without reaching out to the persons who supplied that information, for their own marketing and public relation purposes," he wrote. "From our end we can confirm that this information was never supplied for the purposes that Microsoft used it for. This whole action of Microsoft brings a major blow to the entire information sharing between information security companies on mailing lists and working groups."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights