Microsoft versus the botnet Gods

By Chris Davies/March 26, 2012 2:58 am EST

Microsoft launched a surprise raid on botnet operators late last week, it's been revealed, though experts suggest the strike against Zeus may deliver only very short-term gains. The company seized servers, domain names and other evidence from two offices in Pennsylvania and Illinois on Friday, March 23, the NYTimes reports, challenging those who harvest credit card and other personal data from unwitting internet users – as well as potentially turning their PCs into DDOS weapons – rather than waiting for federal agencies to get into gear.

The decision to use civil action rather than simply report cases of suspected malware and botnets was made by Richard Boscovich, federal prosecutor turned senior lawyer in the digital crimes unit at Microsoft. By arguing that botnet operators violate Microsoft trademarks in their phishing emails, damage the company's reputation, and commit fraud that can affect its products, the team can secure warrants from federal judges to remove servers and other hardware, in effect yanking the brain from the malicious network.

Botnets rely on a series of compromised PCs that can funnel personal data to their operators, harvesting credit card, email, address, password and other valuable information as users inadvertently browse. They can also be harnessed as a tool for bringing down websites, with botnet operators offering to overload pages with a constant stream of traffic – known as a distributed denial of service attack (DDOS) – by remotely controlling the infected PCs.

Those infections are often prompted by spam emails that invite users to click on links purportedly from Microsoft, fake lottery companies and others: while the emails and subsequent sites often look authentic, with botnet operators using official logos, text and other elements to convince, they generally install software on the user's PC to allow them to subsequently monitor and control it.

However, while Microsoft has been commended by some for its security team's lateral thinking on botnet decapitation, others are less convinced. "You can take out a botnet, but unless you take down the coders and put the clients behind bars, they're just going to go ahead and do this again" security research Jose Nazario of Arbor Networks argues. To some extent Microsoft agrees: it concedes that the two offices raided last week were likely unconnected with those actually operating the Zeus botnet, and that the hardware there was merely one element of the overall system.

Still, Boscovich argues that the process is still valuable. "We're letting them know we're looking at them" he said.