Microsoft’s most recent anti-botnet campaign — a legal sneak attack against dozens of ZeuS botnets — seems to have ruffled the feathers of many in security community. The chief criticism is that the Microsoft operation exposed sensitive information that a handful of researchers had shared in confidence, and that countless law enforcement investigations may have been delayed or derailed as a result. In this post, I interview a key Microsoft attorney about these allegations.
Since Microsoft announced Operation B71, I’ve heard from several researchers who said they were furious at the company for publishing data on a group of hackers thought to be behind a majority of the ZeuS botnet activity — specifically those targeting small to mid-sized organizations that are getting robbed via cyber heists. The researchers told me privately that they believed Microsoft had overstepped its bounds with this action, using privileged information without permission from the source(s) of that data (many exclusive industry discussion lists dedicated to tracking cybercriminal activity have strict rules about sourcing and using information shared by other members).
At the time, nobody I’d heard from with complaints about the action wanted to speak on the record. Then, late last week, Fox IT, a Dutch security firm, published a lengthy blog post blasting Microsoft’s actions as “irresponsible,” and accusing the company of putting its desire for a public relations campaign ahead of its relationship with the security industry.
“This irresponsible action by Microsoft has led to hampering and even compromising a number of large international investigations in the US, Europe and Asia that we knew of and also helped with,” wrote Michael Sandee, Principal Security Expert at Fox IT. “It has also damaged and will continue to damage international relationships between public parties and also private parties. It also sets back cooperation between public and private parties, so called public private partnerships, as sharing will stop or will be definitely less valuable than it used to be for all parties involved.”
Sandee said that a large part of the information that Microsoft published about the miscreants involved was sourced from individuals and organizations without their consent, breaking various non-disclosure agreements (NDAs) and unspoken rules.
“In light of the whole Responsible Disclosure debate [link added] from the end of Microsoft this unauthorized and uncoordinated use and publication of information protected under an NDA is obviously troublesome and shows how Microsoft only cares about protecting their own interests,” Sandee wrote.
Given the strong feelings that Microsoft’s actions have engendered in the Fox IT folks and among the larger security community, I reached out to Richard Boscovich, a former U.S. Justice Department lawyer who was one of the key architects of Microsoft’s legal initiative against ZeuS. One complaint I heard from several researchers who believed that Microsoft used and published data they uncovered was that the company kept the operation from nearly everyone. I asked Boscovich how this operation was different from previous actions against botnets such as Rustock and Waledac.
Boscovich: It’s essentially the same approach we’ve done in all the other operations. The problem that I think some people have is that due to the type of operation, we can’t have the entire community involved. That’s for several reasons. One is operational security. The bigger the number of people involved, the more likely is that is someone will make a mistake and say something that could jeopardize all of the work that everyone has done. Also, we’re making representations to a federal court that this is an ex-parte motion and very limited people know about it. If you have multiple people knowing, and the entire security community knows, let’s say we submit declarations from 30-40 people. A court may say, ‘Well there’s a lot of people here who know about this, so isn’t this information that’s already publicly available? Don’t these people know you’re looking at them already?’ We’re really asking for an extraordinary remedy: an ex-parte TRO [temporary restraining order] is a very high standard. We have to show an immediate threat and harm, ongoing, so much so that we can’t even give the other side notice that we’re going to sue them and take away their property.
The other concern is more operational. When I was in the Justice Department — I was there for just shy of 18 years — we even compartmentalized operations there. Information was shared on a need-to-know basis, to make sure the operation would be a success and that there wouldn’t be any inadvertent leaks. It wasn’t because we didn’t trust people, but because people sometimes make mistakes. So in this operation, just like the others, we engaged with industry partners, academic partners, and some of those who wished to be open, and others who preferred to do things behind the scenes.
Krebs: How do you respond to the criticism that Microsoft used and published data that came from core members of the security community who had placed certain restrictions on the use of that data — specifically that permission be obtained before it is shared or published?
Boscovich: Whenever we cooperate with the research community and industry partners, the assumption is that the information they provided is either their own, or is freely available amongst them for the purpose of securing the internet. They felt, we believe that all of this information should be used for the purpose for which it was intended: And that is to try to solve the problem and protect people who are being victimized by crime.
Now, there seems to be some allegations that there was information that one or two people provided to the research community –which is very large by the way — which for some reason they didn’t want to be acted upon. I don’t know what that means, but we only ask for information from our industry or academic partners that they believe is their own or is being freely shared in the community. The purpose for which we ask for this information is to reduce threat to consumers and people being victimized by crime. If there are any allegations that somehow Microsoft knew this was privileged information, the answer is absolutely not. We respect the rights of others and the information we received from academic or industry partners…the representation was made to us that it was either their own work product, or it was made available by other researchers and that was freely shared amongst them to be used for this type of purpose.
Krebs: The Fox IT researcher accused Microsoft of disrupting law enforcement investigations into miscreants using ZeuS. Is that true?
Boscovich: Looking at the Fox-IT blog, I’m disappointed by the fact that they talk about ongoing investigations. There’s no way for us to know whether there’s an ongoing criminal investigations from law enforcement. There’s a litany of legal proscriptions and prohibitions in having that kind of information, so I’m not sure how they would know. But obviously we don’t. They omit the fact that in all of these operations, the objective is to notify and clean the victim’s computers. In addition to disrupting, we want to help clean these computers.
Krebs: And what about the criticism that Microsoft’s actions actually took down legitimate sites?
Boscovich: There were some mention that there were legitimate web sites that went down. But you know, the law actually provides a mechanism on that. We put up a cash bond, and we explained to the court that we have a process in place in the event that a legitimate Web site goes down. There were several that were legitimate, but they had been compromised. Our people worked with those sites, and they were not aware they were compromised. And although they were down an hour or two or three, they would probably have never known they were being used by criminal organizations.
Krebs: Some people have been critical of Microsoft’s actions as “vigilante” activity, as participating in the sort of activity that should be left to the authorities. But Microsoft has taken a slightly different approach, attacking this problem through the civil courts. Is there a conflict here, between these two approaches? Isn’t there the possibility that Microsoft’s actions on the civil side could derail progress of law enforcement investigations working the criminal side?
Boscovich: Our strategy, which is a disruptive strategy, came from the idea that there are two ways to tackle this problem; you have the very traditional law enforcement approach, which its ultimate goal has always been that you have to have a well-identified target and arrest that person. We’re not saying necessarily that that’s a bad model. For years and years we fought drug dealers by trying to stop the drugs or stop the distribution. Until we said, why don’t we disrupt them differently by going after their flow of money? And you saw this wave of legislation which came about as anti-money laundering. And we began doing money laundering prosecutions, even though that particular case had absolutely no drugs involved at all, but we were able to show some kind of taint.
Taking that idea, we were able to literally start hitting the criminal enterprises and drug dealers where they really felt it — in their profits. Even though sometimes we didn’t get many arrests, we got seizures, forfeited accounts, forfeited cars, houses. Instead of trying to get the guys behind this, we said why don’t we just strike them where it’s going to hurt them the most? And that is their criminal infrastructure — the botnets — which really allow them to leverage everything they’re doing and make a profit out of it. So we came up with Project Mars and the disruptive strategy.
Krebs: Is it working?
Boscovich: I’d say it is working. Recently, an article came out in the Wall Street Journal that mentioned a huge reduction in spam as a result of botnet takedowns. We’ve taken down Waledac, Rustock and Kelihos. All of them basically spam bots. But that disruptive activity has dented the amount of spam that gets sent out. Even today. And I think that’s a good proof point that the disruptive approach works if you give it time and keep going at it.
What we wanted to do with Zeus was continue with the disruptive approach, but in this case we didn’t target one particular bot. We wanted to make our first assault a much broader assault, and that’s why we went after a particular family of malware, all of them with the same code base, so that we could bring it all together under one legal document, which is under a RICO statute. Kyrus did the malware analysis and found that all these versions bubble back up to the same core code. We wanted to disrupt that business model as much as possible. We knew we were not going to fully eliminate one bot. That was never our intention. And I think we were pretty clear that this was the first salvo to this whole group, to introduce a certain amount of entropy in there, and at that point to try to start increasing the costs of them doing business.
Krebs: It seems like the core dispute here is what should be done with information that is unearthed by security researchers, that the key question is how or who decides when and whether information about certain bad actors should be acted upon. Would you say that’s accurate? And where do you come down on that?
Boscovich: Microsoft is a pretty big company, and a lot of the stuff we do is based on our own research as well. But we really want to see other companies that have appropriate standing do their own actions. We really believe in the disruptive strategies. We believe that all of this information that’s out there…and the community does amazingly good work in tracing this stuff…but there comes a point in time that you have to action on the information. All this information is great, but if you don’t action on it quickly, that data either becomes stale or it moves. We really believe there are people in industry and the academic and security community that want to have an impact and want to work with us.
Krebs: Were you aware that a number of people Microsoft named in its latest John Doe complaints are considered the core group of folks that the Justice Department has pegged as the guys behind the operations that cost businesses tens of millions of dollars over the last few years?
Boscovich: Based on the investigation that we uncovered so far, we feel very confident that the people we named, with the exception of a few guys that were lower-level players…we feel confident we’ve named the right individuals involved. I really can’t give you all the information we have, other than what’s outlined in the pleadings. But I think the claim that somehow a civil action will destroy all these criminal investigations…I think that’s a fallacy, and near-sighted, and it shows I think a certain naiveté based on not being in that world and not understanding how criminal investigations operate.
Krebs: Can you talk about anything you’ve learned since this action, in terms of the actors involved?
Boscovich: There’s more information that’s coming in, and I feel confident that over the next several weeks and months that will translate into additional updates to the case, and we may amend our complaint. We also are happy to inform that as a result of being able to sinkhole the [ZeuS control] IPs, we can get the location of these infected computers, and work with the community to get this information out. We believe we may be able to get this information out as early as sometime next week.
Krebs: The Fox IT folks and others in the industry have characterized this initiative as little more than a clever public relations stunt by Microsoft, designed principally to make the company look like it is protecting customers from bad guys. How do you respond to that?
Boscovich: It’s not a black or white scenario like the Fox-IT people put it. I’ve been doing this for about 17 years 10 months, I know what very complex criminal investigations [are] and what works well and what works not as well. It’s appropriate and beneficial for both criminal and civil parallel proceedings, because they complement each other.
From a company perspective, and this goes to the PR allegations, of course every corporation is a for-profit corporation. We’re not a charitable institution, obviously. But there are some times when it makes good business sense to actually do good in the community as well. It’s one of those intersections where business and being a good corporate citizen actually complements each other. I’m not going to be disingenuous and say we don’t have a benefit in doing this. But I can also tell you with a straight face that we do it also because we want to do the right thing, we want to protect our customers, and we want to protect people going on the Internet.
We’re sort of like the emergency room physicians: When someone comes in and they’re bleeding profusely, you have to stabilize the patient and figure out how to stop the bleeding, so that the next guy who comes — the surgeon — who’s waiting in the operating room, is able to save the life of that person. From a civil perspective, we go in and want to help those victims. We want to stop the bleeding, save as many people as we can and clean their computers.
The question we have to ask ourselves is when you have information about millions of people who are currently victims of crimes because their systems are compromised, do you do the emergency room thing to try to stop the bleeding and try to clean those peoples’ computers so they continue not to be victimized? Or do you do nothing with the information? I think we’ve been fortunate in working with academic and industry partners to share information and address that problem.
In terms of identifying the actual cause, getting to the root, the defendants, all this information, we’re going to pass it on as we have in the past to law enforcement. But I think their investigation will be enriched by a lot of things we can do legally simply because we are a victim and we have access and resources to investigate these things. And then when we pass it along, I believe they’re in a much better position to drill down and use the legal processes that they have — which we do not have — to follow things such as money and financial trails and go overseas to international agreements.
Krebs: With the benefit of hindsight, what — if anything — would you do differently about this operation, if you had to do it all over again?
Boscovich: That’s a good question. I was a little bit taken aback by some of the criticism in light of fact that nobody from fox-it called us to discuss or explain their concerns, or to why some decisions were made legally. We always want to find ways to work with the community and the sharing of information is crucial to that. If you notice, every time we do one of these we have different academic or industry partners that work with us, and we love to rotate those who do work with us. And the ones who want credit, we really try to make sure they get credit where it’s due. We hopefully will try to explain this better, probably at the next DCC [Digital Crimes Consortium, an annual, invite-only Microsoft conference], that we’re on the same team. I think we want the same objectives, so hopefully we can bridge that gap and continue the work we’re doing, to clean these computers, and to disrupt that ecosystem that is being utilized by the criminals.
Krebs: In a nutshell, what would you like to get across or communicate better about this action?
Boscovich: Hopefully, we’ll be able to explain that there are a lot of legal issues involved, and a lot of things we can and cannot do. Some of them many people may not be aware of. Which is understandable: they’re not lawyers. These guys are technical in their field. In the same way I can’t reverse engineer malware, but I’m pretty adept in understanding what are the limitations and potential liability issues when you do these operations. I hopefully can explain that aspect to them, so they have a better understanding and appreciation that when we do things, why we do them the way we do.