Microsoft’s Maverick Mission Against Malware

Since the beginning, Windows has been considered by some security experts to be one of the most insecure operating systems, whether they argue that its proprietary code, networking systems, or even its font rendering are the cause.

In fact, besides the cult-like appeal of the brand, one of the reasons Apple aficionados give for their loyalty is Windows’ vulnerability and lack of security. It’s generally accepted as true that Windows is the most malware-ridden OS, but the reasons why might surprise you.

Windows is still by far the most popular operating system, with various versions used on about 90% of desktop computers. It makes sense, then, that if you’re writing malware and your goal is to infect as many computers as possible, you’d write it for Windows.

Another factor may be the users who are being targeted. Security often depends not just on the software you’re using, but how you’re using it. Mac users tend to describe themselves as computer-savvy and “early adopters,” while Windows users tend to have a reputation for the opposite.

Thankfully, Microsoft has taken concerns over its security seriously, and now includes features like an automatically enabled firewall, limited user accounts, and the infamous security center that continuously nags you to install an antivirus program and to make sure you really want to run that program you just clicked on.

But has Windows gone too far in their fight for cyber security? Some think so.

One example is Microsoft’s Digital Crimes Unit, a department tasked with stopping cyber crime and cyber threats including not only malware, but also botnets, IP crimes, and even child exploitation. It sounds good on paper, but critics worry that they’ve been given too much power: they’ve been granted the ability to seize servers and domains autonomously.

Does Microsoft abuse the power they’ve been granted? Does the good they do outweigh the bad?

Check out the details below, and decide for yourself.

Microsoft’s Maverick Mission against Malware

Microsoft is one of the largest software companies in the world, and with around a billion people using their products each day, they have a lot of customers. To protect those customers online, Microsoft uses novel legal tactics to shut down malicious agents and those who host them. Their tactics, though effective, are not without critics.

The Strategy

• Richard Boscovich is the assistant general counsel for Microsoft’s Digital Crimes Unit (DCU)
• • 17 years as an Assistant Attorney General in Florida
  • During this time he became aware of a case in which a maker of handbags sued counterfeiters of those bags under the 1946 Lanham Trademark Act
  • The court ruled that the handbag company could seize the counterfeit handbags – thus allowing a company to seize private assets – an act generally reserved to law enforcement.
• Microsoft has pursued a similar strategy to seize the servers and take control of domains used by scammers (with or without the owners’ permission)
• • Microsoft argues for an ex parte restraining order against scam websites by claiming there is a present danger to the public and showing that Microsoft systems or software are involved
  • • “Ex parte” means that only one party is initially involved
• These legal maneuvers have allowed Microsoft to seize domains and servers without the court first hearing both sides of a case.

Microsoft Cleans Up

No-IP, njRAT, and njw0rm

• No-IP is a website that provides dynamic DNS service (IP addresses that keep changing) to its customers
• • People use this type of IP address if they’re security-conscious, or want to log into the server from a remote location
  • Botnet creators also use dynamic DNS so that infected computers will always be able to reach the servers controlling them
• In 2014, Microsoft targeted no-ip.org’s domains because, as Richard Boscovich said, “The amount of malware that was reaching out to domains in No-ip.org was astronomically large”
• Specifically, Microsoft was trying to disable two malware families:
• • njRAT
  • njw0rm
  • • The malicious programs were estimated to have infected 7.4 million Windows computers around the world
• In June 2014, Microsoft shut down almost two dozen of no-ip.org’s most popular domains
• • In court documents, Microsoft explained that they were after 18,400 hostnames used by the malware
  • The company also stated that they intended to route all good traffic as normal – only the malicious subdomains would be blocked completely
• Microsoft was unable to keep their promise, and 4 million hostnames went offline
• • No-ip.org, after having gone through the list of malicious subdomains Microsoft was trying to shut down, claimed that only 2,000 of them were still active when Microsoft seized their domains
  • • The other subdomains had already been blocked by their internal systems
• No-ip.org regained control of their domains six days after Microsoft gained control of them, and managed to get all of their customers online again two days after that
• Microsoft was successful in shutting down the malware families, among other cybercrime groups propagating them
• • The shutdown affected at least 25% of advanced-persistent-threats (APT) under watch by the SecureList blog.
  • Microsoft apologized to No-IP for the inconvenience caused to their customers

3322.org and Nitol

• org, like No-IP, is a dynamic DNS provider
• • Unlike No-IP, 3322.org is owned by a Chinese company
• Microsoft investigators learned that Chinese computer stores were selling PCs that came pre-loaded with counterfeit Windows software and Nitol malware
• • Computers infected with this malware received their orders from subdomains located at 3322.org
  • Other 3322.org domains contained 500 different strains of malware
  • • Google’s Safe Browsing system warned that malicious software found on 3322.org subdomains included “1,609 exploits, 481 trojans, and 6 scripting exploits”
• In September 2012, Microsoft launched Operation b70 and filed suit with the US District Court in the Eastern District of Virginia
• • Microsoft requested an ex parte temporary restraining order against the owner of 3322.org, Peng Yong, and any anonymous agents involved in the creation of malware in its subdomains
  • • While the company that owns 3322.org is Chinese, the company that runs it is based in Virginia
  • The court granted the order, and Microsoft took control of almost 70,000 subdomains belonging to 3322.org
• In examining the malware on the malicious subdomains, Microsoft found damaging programs that could:
• • Turn on infected computers’ microphones and webcams
  • Record keystrokes to steal personal data like usernames and passwords
  • Carry out Distributed Denial of Service (DDOS) attacks on other computers
  • Create access points hidden from the user, leaving the computer open to being infected by other forms of malware
• The 70,000 subdomains blocked by Microsoft consisted of less than 3% of the 2.75 million subdomains hosted by 3322.org

Rustock

• In 2010, the Rustock botnet was the largest source of email spam
• • Symantec estimated that it was responsible for a majority of spam on the web at the time
  • As a whole, the botnet was capable of sending out billions of spam emails each day. These emails included:
  • • Ads for fake prescription drugs
    • Microsoft lottery scams
  • One Rustock-infested computer sent 7,500 spam emails in 45 minutes.
  • • 240,000 spam emails per day
• In 2011, Microsoft’s DCU, Microsoft Malware Protection Center and Trustworthy Computing teamed up and launched Operation b107 with the goal of taking down the Rustock botnet
• • At the time, Microsoft estimated nearly a million computers were infected with Rustock
• Microsoft filed a lawsuit against the anonymous makers of the botnet with the US District Court for the Western District of Washington. They did so:
• • For trademark violations of Microsoft products
  • For the potential danger the spam emails posed to the public
• The Court granted them the authority to seize the domains causing the damage
• Partnering with the US Marshals Service, Microsoft seized servers involved in the botnet from five hosting providers in seven US cities:
• • Kansas City
  • Scranton
  • Denver
  • Dallas
  • Chicago
  • Seattle
  • Columbus
• Microsoft successfully disabled the botnet by stopping communication between the Rustock-infected computers and the IP addresses controlling them

Does the Good Outweigh the Bad?

Microsoft argues that it has a business incentive to go after websites and service providers that host malware

• When Microsoft or Windows users download malware thinking that the programs are legitimate Microsoft products, the brand suffers

Critics of Microsoft’s malware takedown tactics are concerned about the legal precedent of their maneuver, as well as its heavy-handedness.

• Eric Goldman, a law professor at Santa Clara University, points out that the ex parte nature of the temporary restraining orders prevents a judge from hearing both sides of the issue, something the US judicial system is expressly designed to do
• Nate Cardozo, writing for EFF.com, says that a legal action committed by Microsoft against No-IP was:
• • Designed to stop 18,000 bad actors
  • Ended up disabling millions of sites
  • • More than 99% of the affected websites were innocent, according to Cardozo
• Paul Vixie, one of the creators of DNS and CEO of Farsight Security, spoke at a Senate Judiciary Committee hearing on the topic of botnets two weeks after the No-IP takedown
• • He criticized Microsoft for taking legal action against No-IP without alerting them beforehand, saying that, “when a single company… or a nation goes it alone in a takedown action, the result has usually been catastrophe…”

By taking down the domains that support botnets, Microsoft’s message is clear: service providers are accountable for what happens on their infrastructure, at least in Microsoft’s eyes. This heavy-handed approach is effective at disabling botnets, but has also ensnared a lot of legitimate businesses as collateral damage.

Sources

• Digital Detectives – news.microsoft.com
• Richard Boscovich – rsaconference.com
• How Microsoft Appointed Itself Sheriff of the Internet – wired.com
• The Wild Wild Web: Top U.S. Cyber-Cop Says We’re Losing the War Against Computer Criminals – venturebeat.com
• No-IP’s Formal Statement on Microsoft Takedown – noip.com
• Microsoft Darkens 4MM Sites in Malware Fight – krebsonsecurity.com
• Microsoft Knocks Out 4 Million Websites in Malware Hunt – tomsguide.com
• Microsoft Takes on Global Cybercrime Epidemic in Tenth Malware Disruption – blogs.microsoft.com
• Microsoft Seizes 22 NO-IP Domains, Disrupts Cybercriminal and Nation State APT Malware Operations – securelist.com
• Malware Dragnet Snags Millions of Infected PCs – krebsonsecurity.com
• What Were They Thinking? Microsoft Seizes, Returns Majority of No-IP.com’s Business – eff.org
• Nitol and 3322.org Takedown by Microsoft – damballa.com
• Microsoft Seizes Chinese Dot-Org to Kill Nitol Bot Army – theregister.co.uk
• Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain – blogs.microsoft.com
• Dynamic DNS – support.easydns.com
• Dynamic DNS – support.easydns.com
• Operation b107 – Rustock Botnet Takedown – blogs.technet.com
• Taking Down Botnets: Microsoft and the Rustock Botnet – blogs.microsoft.com
• Spam Network Shut Down – online.wsj.com
• The Cost of Downtime – blogs.gartner.com
• Microsoft Neutralizes Kelihos Botnet, Names Defendant in Case – blogs.microsoft.com