Collaboration Aids in Botnet TakedownMicrosoft, Law Enforcement, Others Target ZeroAccess
The partial takedown of ZeroAccess, one of the world's largest botnets, is an example of the role that collaboration between business and law enforcement can play in battling cybercrime.
Microsoft's Digital Crimes Unit, collaborating with the FBI, Europol's European Cybercrime Centre and other technology companies, shuttered 18 European information providers and blocked traffic from American Internet service providers to those illicit European sites. Microsoft also filed a lawsuit in a Texas federal court on Dec. 5 against "John Does" seeking a permanent injunction and unspecified damages.
ZeroAccess, also known as Sirefef, targets major search engines and browsers, including Google, Bing and Yahoo. The botnet hijacks search results and directs users to illicit websites that resemble legitimate ones, where cybercriminals surreptitiously install malware on computers, steal personal information or fraudulently charge businesses for online advertisement clicks.
Microsoft and its partners do not expect to eliminate the ZeroAccess botnet because of its sophistication, says Richard Boscovich, assistant general counsel of the Microsoft Digital Crimes Unit. But, he says in an interview posted on YouTube, "The fraud portion of it has stopped."
Boscovich explains further in a blog: "We do expect this legal and technical action will significantly disrupt the botnet's operation by disrupting the cybercriminals' business model and forcing them to rebuild their criminal infrastructure."
2 Million Computers Infected
Microsoft estimates the ZeroAccess botnet has infected nearly 2 million computers worldwide, mostly in the United States and Western Europe. The botnet, it says, costs online advertisers $2.7 million each month in lost revenues. Boscovich estimates all click fraud, not just ZeroAccess, costs online advertisers between 25 percent and 40 percent of their potential annual revenue, amounting to billions of dollars.
Greg Garcia, a former U.S. Department of Homeland Security assistant secretary for cybersecurity and communications, says Microsoft and other companies working with law enforcement have used a variety of laws enacted before the birth of the Internet to go after cybercriminals. Those laws include the 66-year-old Lanham Act, which prohibits trademark infringement and false advertising, and the 47-year-old, antiracketeering RICO Act.
Garcia compares Microsoft's strategy to homeowners who successfully protect their properties by hanging "beware of dog" signs. "Microsoft not only has the sign, but it actually has a dog with big teeth behind that threat," he says.
ZeroAccess is the first botnet action taken by Microsoft since the company unveiled its new Microsoft Cybercrime Center on Nov. 14. The move against ZeroAccess marks Microsoft's eighth botnet action in the past three years (see Microsoft, FBI Take Down Citadel Botnets and Botnet Takedown: Collaboration in Action).
Garcia says enterprise chief information security officers can learn important lessons from Microsoft's cooperation with law enforcement.
By working with law enforcement officials, he says, CISOs "will gain credibility in the C-suite and gain more resources because they could demonstratively show reduction of crime in their network and cost savings for the bottom line.
"You need to partner with fellow stakeholders [to develop] collective intelligence. To fight back to protect their infrastructures, CISOs need to be thinking that way. They can't sweep this under the carpet and go it alone. There's strength in numbers."