When it comes to fighting cyber crime, few companies can claim to have done as much as Redmond, Washington-based Microsoft. Indeed, the company spent the last five years as the Internet's Dirty Harry: using its size, muscle and wealth to single handedly take down botnets and cyber crime groups, from Citadel, to Zeus to the recent seizure of servers belonging to the (shady) managed DNS provider NO-IP.
The company's aggressive posture towards cyber crime outfits and the companies that enable them has earned it praise, but also criticism. That was the case last week after legitimate customers of NO-IP alleged that Microsoft's unilateral action had disrupted their business. There's evidence that those criticisms are hitting home – and that Microsoft may be growing weary of its role as judge, jury and executioner of online scams. A Microsoft executive told a gathering of cyber security experts and investigators that it has doubts about the effectiveness of its takedown efforts, and is ready to use its clout to help other companies stomp out malicious software like botnets and Trojan horse programs. Microsoft is ready to offer resources to researchers, industry groups and even other security firms that are looking to eradicate online threats. That includes everything from teams of malware researchers and PR professionals to software and cloud-based resources like the company's Malicious Software Removal Tool and Windows update.
Speaking in Boston at the 26th annual FIRST Conference, Holly Stewart, a Senior Program Manager at Microsoft gave a sober assessment of the software industry's fight against cyber criminal groups and other malicious actors. Despite some high profile take-down actions against botnets and prominent families of malicious software like Citadel, Zeus and SpyEye, the company sees the gains of such efforts as short lived. Take downs- often carried out in coordination with international law enforcement -ften had more value as public relations than anything else, Stewart said. "We haven't been able to scale enough to tip the malware problem," Stewart told the audience. Botnet takedowns like those against Citadel and SpyEye, for example, generate big headlines when they occur. But the long-term impact is often less sensational: malware infections linger for months or years after. Even today, the most prominent malware families often defy removal – continuing to thrive months or even years after detection and removal signatures for anti-malware are distributed. Just this month, the firm Akamai issued a warning to Fortune 500 firms about the dangers posed by the Zeus family of malware. That, despite a major, international law enforcement crackdown on one Zeus variant, dubbed "Gameover." "There's no great guidebook for taking out malware families," she said. "There's no information that the majority of us can leverage. If people do have the expertise, unless you know them personally, its difficult to tap that expertise so that you know what's to be done." Law enforcement; security firms and industry groups are often unprepared for the appearance of a new malware family in the wake of one that has been the target of a takedown, Stewart said. To improve that state of affairs, Microsoft in January announced its Coordinated Malware Eradication (CME) initiative to promote stakeholders like ISPs, financial institutions, software firms and payment networks to work more closely together. Then, on Monday, Microsoft announced, "Interflow," which is described as a "security automation platform for the exchange of security and threat information." The platform is intended to standardize and automate what are mostly ad-hoc communications and coordination around cyber incident response. "Today, in the industry, security and threat information is primarily shared via email, Comma Separated Values (CSV) files, and web portals," Microsoft said in a FAQ describing Interflow. In place of that, Interflow will standardize communications about malware and other cyber incidents in a machine-readable format and provide tools for the rapid, automated processing of threat information. Interflow, a hosted application that runs on Microsoft's Azure public cloud, enables automated machine-to-machine exchange of security and threat information based on industry standard formats like STIX (Structured Threat Information eXpression), TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression standards). The idea is for incident responders to use Interflow as a kind of online clearinghouse for information they need to coordinate their activities and intelligence. The platform will be able to integrate with other operational and analytical tools through a plug-in architecture. Microsoft's software runs on more than 90 percent of the world's computers, giving it perhaps the best view of malicious software activity worldwide. According to Stewart, the company receives 250 million incident reports and collects 950,000 malware samples each day. The Redmond, Washington company wants to make those samples available to partners in its CME program that are contemplating a takedown campaign against a piece of malicious software. But Stewart told attendees at FIRST that the company was prepared to do even more: making its malicious software experts available to organizations looking to take action against malware families and making data from its realtime protection software available to them to track infections. Even more significant: Microsoft said it is prepared to offer its security infrastructure as tools in actions against malware families as part of CME – including the company's auto-update mechanism and security tools. "Use MSRC as a big hammer to stomp out a malware family," Stewart implored the audience, referring to the Microsoft Security Response Center. "Go ahead and nominate a malware family to include in MSRT," she said, referring to the Malicious Software Removal Tool. Partners who join Microsoft's CME program might also leverage the company's automatic update program, she suggested. She cited Microsoft's use of an update to disable the Autorun feature on Windows XP and Windows Vista in 2011 to stomp out Autorun infections as an example of the successful use of software updates to eradicate malicious software. And, for small security firms that want to attract some positive media attention for their role in a malicious software eradication effort, Microsoft will even offer its PR machine to help get the word out. Experts involved in malware research are cautiously optimistic about Microsoft's announcement. "If you look at the takedowns Microsoft has been doing over the past several years, CME and Interflow are a natural evolution of what they've been doing," said Jose Nazario, Chief Scientist at Invincea Labs said. "They're adding the structure and capabilities and the means to bring in more people." Nazario said that cyber criminals and other malicious groups have become much more adept at responding to coordinated takedown efforts in recent years. "A few years ago, when these takedowns started, we thought we could force them to spend the time and effort and money to respond," he said. "But they've become so adept at responding, you see these (malicious networks) come back very rapidly." Microsoft is in a unique position to help not only because of its size, but also because the company is not mainly a security software firm and because their dominance of the operating system market gives them global visibility into threats, Nazario said. Mario Vuksan, CEO of the firm ReversingLabs said that Interflow was an important step forward that could boost the coordination of security operations between private- and public sector entities. "It shows that (incident response) is maturing to another level," Vuksan said. The platform will also make emerging standards like STIX and TAXII more relevant by providing a ready platform for sharing information that uses those standards. However, both Nazario and Vuksan saw potential hurdles to the adoption of platforms like Interflow. First and foremost: security firms that make money selling data on new and emerging cyber threats may be reluctant to share that data with Microsoft and other Interflow users. And threat intelligence firms may see Interflow as a direct competitor with their own technology. "They've invested time and effort developing their platform. They're worried that Interflow will be a direct competitor with them and they may not want to play," Nazario said.