Microsoft Raids Tackle Net Crime
Microsoft employees, accompanied by United States marshals, raided two nondescript office buildings in Pennsylvania and Illinois on Friday, aiming to disrupt one of the most pernicious forms of online crime today — botnets, or groups of computers that help harvest bank account passwords and other personal information from millions of other computers.
With a warrant in hand from a federal judge authorizing the sweep, the Microsoft lawyers and technical personnel gathered evidence and deactivated Web servers ostensibly used by criminals in a scheme to infect computers and steal personal data. At the same time, Microsoft seized control of hundreds of Web addresses that it says were used as part of the same scheme.
The sweep was part of a civil suit brought by Microsoft in its increasingly aggressive campaign to take the lead in combating such crimes, rather than waiting for law enforcement agencies to act. The company’s targets were equipment used to control the botnets, which criminals, known as bot-herders, use for ill intent.
Microsoft has a big interest in making the Internet a safer place. Despite inroads made by Apple and others in some parts of the technology business, Microsoft’s Windows operating system still runs the vast majority of the computers connected to the Internet. The prevalence of its software has made Windows the most appealing target for online criminals, and the security holes they discover in the software are a persistent nuisance for Windows users.
Microsoft’s involvement in what had been considered largely a law enforcement function — fighting computer crime — is the brainchild of Richard Boscovich, a former federal prosecutor who is a senior lawyer in Microsoft’s digital crimesunit. That group watches over fraud that could affect the company’s products and reputation.
Mr. Boscovich, who handled drug, computer and financial crime cases in Miami in his former job, devised a novel legal strategy to underpin the growing number of Microsoft’s civil suits against bot-herders. Among other things, he argued that the culprits behind botnets were violating Microsoft’s trademarks through fake e-mails they used to spread their malicious software.
Mr. Boscovich said the Friday sweep was meant to send a message to the criminals behind the scheme, whose identities are unknown. “We’re letting them know we’re looking at them,” said Mr. Boscovich after participating in the Pennsylvania raid, in Scranton.
Before Friday’s sweep, Microsoft attacked three botnets in the last couple of years through civil suits. In each case, Microsoft obtained court orders that permitted it to seize Web addresses and computers associated with the botnets without first notifying the owners of the property. The secrecy was necessary, Microsoft argued, to prevent criminals from re-establishing new communications links to their infected computers.
Some security experts said Microsoft’s tactics had been effective, even if they had not eradicated the scourge of botnets.
“Taking the disruption into the courthouse was a brilliant idea and is helping the rest of the industry to reconsider what actions are possible, and that action is needed and can succeed,” said Richard Perlotto, director at the Shadowserver Foundation, a nonprofit group that tracks data about tools used for online fraud and forms of computer crime.
Mr. Perlotto and Microsoft said they did not see civil legal action against people who commit online crime as a replacement for law enforcement action, which can result in much stiffer criminal penalties. “We equate this to a neighborhood watch,” Mr. Boscovich said.
Jose Nazario, a senior security researcher at Arbor Networks, an Internet security firm, said that Microsoft’s record against botnets had been a “mixed bag” and that some of its gains were only temporary. After an earlier action against a botnet known as Waledac, for example, the software behind it was modified slightly to create a new botnet.
“You can take out a botnet, but unless you take down the coders and put the clients behind bars, they’re just going to go ahead and do this again,” Mr. Nazario said.
The computers that make up a botnet are usually conscripted without the knowledge of their owners, who unwittingly infect their machines after clicking on links in legitimate-looking e-mails for things like security updates from Microsoft and notices of tax refunds from the Internal Revenue Service. Clicking those links takes users to Web sites that exploit security holes in their browsers or other programs on their computers.
Criminals use the holes to install malicious programs that siphon personal information from the infected computers, like online bank account passwords and credit card numbers. They can also harness the infected machines to send millions of e-mail messages to other users on the Internet, including scam messages that help propagate the botnet. Sometimes botnets are rented to clients to send spam messages advertising products like counterfeit pharmaceuticals.
On Friday, Microsoft was attacking its most complex target yet, known as the Zeus botnets. The creators of Zeus offer their botnet code for sale to others and, depending on the level of customer support and customization of the code that clients require, charge them $700 to $15,000 for the software, Microsoft said in a lawsuit filed in federal court in Brooklyn on March 19.
That, in turn, has resulted in many variants of Zeus botnets, making them harder to combat. Most of them are aimed at perpetrating various financial scams against online victims. Mr. Boscovich of Microsoft said he had a “high degree of confidence” that the unnamed culprits behind Zeus were in Eastern Europe.
To carry out the scams, they have hired people known as money mules to travel to different countries, including the United States, to set up bank accounts so they can receive transfers of stolen money from victims’ accounts, Microsoft said in its complaint. Microsoft said that the Zeus botnets had enabled the theft of more than $100 million from victims since 2007 and that 13 million computers were infected with some form of software associated with it.
Because of the financial fraud involved, Microsoft rallied support from two financial industry associations — the Financial Services Information Sharing and Analysis Centerand the National Automated Clearing House Association— both of which filed court declarations endorsing Microsoft’s sweep on Friday.
Microsoft does not believe the operators of the facilities it raided on Friday, which rent space to clients on computers connected to the Internet, are in league with the people behind the botnets. And those operators said they had no idea that equipment inside their facilities was being used to issue commands to Zeus.
“It’s very difficult, unless they draw attention to themselves, to pick up on it,” said Joe Marr, chief technology officer of BurstNet Technologies, the facility in Scranton that Microsoft entered Friday.
Mr. Boscovich said he did not think the Friday sweep would be as big a blow to Zeus as Microsoft’s previous actions against botnets, but he said it was just the beginning of actions aimed at raising the cost of doing business for the botnet’s masterminds. “The plan is to disrupt, disrupt, disrupt,” he said.