by Jonathan Camhi, October 6, 2014
Microsoft is working to turn the tables on cybercriminals by seizing the infrastructure behind malware operations.
The cyberthreat landscape is growing more dangerous for banks, as last week’s news about the JPMorgan Chase breach this past summer demonstrated. It’s reasonable to expect investment in cybersecurity defenses to grow at many institutions to counter the increasing number of attacks. However, Microsoft is taking a different approach: It’s taking down malware threats in conjunction with law enforcement. And Microsoft is now working with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to share information about malware attacks and infected IP addresses with the banking industry.
Microsoft’s Digital Crimes Unit has developed a legal process to take over the infrastructure behind malware attacks. It has already used that process to help take down the command and control of several high-profile threats, including the Shylock banking Trojan and the Citadel botnets, according to Richard Boscovich, assistant general counsel for Microsoft and senior attorney for the unit.
“We wanted to identify threats to our customers and systems and be proactive in defense, not just be reactive,” Boscovich says.
He and his team use old English common laws that allow them to seize servers and infrastructure supporting specific malware operations. “These laws go back to farmers being able to reclaim their stolen cows.”
Once it can get a seizure warrant, the Digital Crimes Unit can trace all the infected IP addresses associated with an attack. So far it has identified 67 million unique IP addresses infected by more than 200 distinct types of malware. All that threat information is stored in a database that Microsoft has built to share threat information for free with law enforcement and government organizations. “We want to eventually empty that database,” Boscovich says.
Microsoft is now working with FS-ISAC to push the information from that database out to banks. “We’re providing all of that information to FS-ISAC so they can share it with their member banks. Those banks can query our database in quasi-real-time and see if any transaction is originating from an infected IP address. By sharing this information, we think we can help further protect this ecosystem.”
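The bank-side check Boscovich describes, matching the source IP of a transaction against a feed of known-infected addresses, is simple to sketch. The example below is added here for illustration and is not Microsoft's, FS-ISAC's, or any bank's code; the feed format (IP, malware family, last-seen date), the 30-day staleness window, and all addresses are constructed assumptions. It normalizes IPv4 and IPv6 addresses so that differently written forms of the same address still match, drops feed entries older than the window, and returns flagged transactions for review rather than blocking them, because a shared or dynamically assigned IP only indicates that some device behind it was infected at some point.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample feed in the assumed shape (ip, malware family, last_seen).
# Addresses are documentation ranges, not real indicators.
INFECTED_FEED = [
    ("203.0.113.45", "Shylock", "2014-09-30"),
    ("198.51.100.7", "Citadel", "2014-08-01"),   # stale relative to the as-of date below
    ("2001:db8::1", "Citadel", "2014-10-01"),
    ("not-an-ip", "Citadel", "2014-10-01"),       # malformed entry, skipped
]

# Constructed sample transactions as a bank's payment system might log them.
TRANSACTIONS = [
    {"id": "t1", "source_ip": "203.0.113.45", "amount": 1200.00},
    {"id": "t2", "source_ip": "192.0.2.10", "amount": 30.00},
    {"id": "t3", "source_ip": "198.51.100.7", "amount": 500.00},
    {"id": "t4", "source_ip": "2001:DB8:0:0:0:0:0:1", "amount": 75.00},  # same host as 2001:db8::1
]


def build_index(feed, as_of, max_age_days=30):
    """Build a lookup of infected addresses seen within max_age_days of as_of.

    as_of is an ISO date string (e.g. "2014-10-06"). Entries older than the
    window or with unparsable addresses are dropped so stale or garbled feed
    lines cannot produce false hits.
    """
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=max_age_days)
    index = {}
    for ip_str, family, last_seen in feed:
        try:
            ip = ip_address(ip_str)          # canonical form, so "2001:DB8::1" == "2001:db8::1"
            seen = datetime.strptime(last_seen, "%Y-%m-%d")
        except ValueError:
            continue
        if seen < cutoff:
            continue
        # Keep the most recent sighting if an address appears more than once.
        if ip not in index or seen > index[ip][1]:
            index[ip] = (family, seen)
    return index


def screen_transactions(transactions, index):
    """Return the transactions whose source IP appears in the infected index.

    The result is a review queue, not a block list: a hit means a device
    behind that address was infected recently, not that this transaction is
    fraudulent.
    """
    flagged = []
    for tx in transactions:
        try:
            ip = ip_address(tx["source_ip"])
        except (KeyError, ValueError):
            continue                         # unparsable source: nothing to match on
        hit = index.get(ip)
        if hit is None:
            continue
        family, seen = hit
        flagged.append({
            "id": tx["id"],
            "ip": str(ip),
            "family": family,
            "last_seen": seen.date().isoformat(),
        })
    return flagged


if __name__ == "__main__":
    idx = build_index(INFECTED_FEED, as_of="2014-10-06")
    for hit in screen_transactions(TRANSACTIONS, idx):
        print(f"review {hit['id']}: source {hit['ip']} seen with {hit['family']} on {hit['last_seen']}")
```

Run as-is, the script flags t1 (Shylock) and t4 (the IPv6 address written in a different form), skips t2 (not in the feed), and skips t3 because its feed entry is older than the 30-day window. In a real deployment the feed would be refreshed from the shared database rather than embedded, and the flagged list would feed a step-up authentication or fraud-review workflow.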
After it takes over the infrastructure behind a botnet or malware operation, Microsoft can coordinate with law enforcement agencies to trace an attack back to the criminals involved. Among its successes so far, the Digital Crimes Unit helped Interpol and the FBI take down the Shylock banking Trojan this year, and it helped take down the Rustock botnet in 2011. “Since we took down the Rustock botnet, the price of spam has never gone back up” to where it was, Boscovich says.
Additionally, Microsoft can let users of infected IP addresses know that they’ve been infected. “Nine out of 10 times, they have no idea” that they’re infected. “It’s a win-win for us because our bank customers’ customers are usually also our customers.”