To bring the different sides together, the security industry needed a big player to step up to the plate. Microsoft did just that. It took on the role of chief botnet slayer.
Microsoft hasn't always been the friendliest giant - just look at its various ongoing squabbles with Google - but the Redmond firm has been the linchpin in many significant battles against botnets. It was responsible for drawing together industry players and law enforcement in smashing Waledac, Rustock and Kelihos. All have formed part of Project Microsoft Active Response for Security (MARS), which has one core aim: "To annihilate botnets and help make the internet a safer place."
"Microsoft has really stepped up in a lot of different ways to try to bring together multiple groups that might not have known each other," Lanstein added. "They've really put a lot of money in going after botnets and it has worked."
The MARS team has worked with a host of security companies, including Kaspersky and FireEye, to share information relating to infections. In the case of Kelihos, Kaspersky loaned Microsoft its live botnet tracking system. The Russian company also led the operation to reverse-engineer the bot malware, crack the communication protocol and develop tools to take apart the botnet's the peer-to-peer infrastructure. It was another truly communal effort.
Microsoft should be proud of its work here. No other tech vendor has initiated such a concerted campaign against botnets. That's not to say others haven't played a big part, however. There have been some significant successes that haven't involved Microsoft. The software behemoth was not part of two of the most significant botnet shutdowns in history - Mariposa and DNS Changer. Both of those led to complete disarmament of the bot masters and arrests of suspects.
Microsoft has shown what is possible when everyone cooperates - others have subsequently proven that point: the simple act of sharing is key in identifying botnets and successfully destroying them.
The long arm of the law
Collaboration might be vital, but the nail in the coffin of any botnet is only hammered in if arrests and prosecutions follow. In the past year, a plethora of suspects have been apprehended, but why now? Largely because tech companies and law enforcement have worked out how to twist judges' arms into opening up legal pathways to take botnet infrastructure down before warning its owners.
Just a few years back, efforts to end botnets were not only hampered by an industry as fractious as the Greek Government - the legal system was doing the good guys no favours either. Instead of immediately asking registrars to shut down domains or ordering datacentre owners to allow police to switch off servers helping run botnets, courts required bot-herders be sent warning first.
Now, cyber criminals aren't so lucky. The cases of Waledac and Rustock have set legal precedents that will be of huge benefit to the good guys in the long run. In the case of the former, Microsoft convinced a judge to issue an ex parte temporary restraining order (TRO), which meant Verisign, the administrator of the .com domain registry, had to hand the 276 domains used by Waledac for its command-and-control operations over to the Redmond company. Microsoft achieved this simply by pointing to the continuing harm that would be caused by the botnet if immediate action was not taken.
With Rustock, Microsoft filed a lawsuit against the anonymous operators of the botnet, basing its argument in part on the abuse of Microsoft trademarks in the bot's spam. These clever legal manoeuvres are necessary to open the door to complete botnet destuction.
-
RSAC Conference day two: A focus on what attackers are doingFrom quantum to AI, experts discussed how new and experimental technologies could be used by hackers to access and decrypt sensitive data
-
Lenovo ThinkPad X9 14 Aura Edition reviewReviews This thin and light ultraportable will draw you in with its vibrant screen – but it isn't as powerful as some of its competitors
-
Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up stingNews Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year.
-
Horabot campaign targeted businesses for more than two years before finally being discoveredNews The newly-discovered Horabot botnet has attacked companies in the accounting, investment, and construction sectors in particular
-
Brand-new Emotet campaign socially engineers its way from detectionNews This latest resurgence follows a three-month hiatus and tricks users into re-enabling dangerous VBA macros
-
Microsoft says “it’s just too difficult” to effectively disrupt ransomwareNews The company details its new approach to combatting cyber crime as the underground industry drains $6 trillion from the global economy
-
Beating the bad bots: Six ways to identify and block spam trafficIn-depth Not all traffic is good. Learn how to prevent bad bots from overrunning your website
-
Ukraine's vigilante IT army now has a DDoS bot to automate attacks against RussiaNews The 270,000-strong IT Army of Ukraine will now combine supporters' cloud infrastructure to strengthen the daily attacks against their invaders
-
Microsoft's secure VBA macro rules already being bypassed by hackersNews Recent analysis of Emotet activity has revealed a shift away from malicious Office documents to drop malware
-
Emotet infrastructure has almost doubled since resurgence was confirmed
News Researchers confirm the infrastructure has also been upgraded for a "better secured", more resilient operation
