Botnet takedown makes Microsoft sound like Internet's new sheriff

Grandiosity, self-congratulation don't bode well for future 'operations'

Microsoft yesterday claimed credit for taking down its second big botnet, as part of its sometime role as volunteer anti-spam, anti-malware enforcer.

Microsoft's Digital Crimes Unit (DCU) announced that U.S. Marshals had raided hosting providers in seven U.S. cities following a Microsoft DCU operation code-named "Operation b107."

The raids were based on information supplied to the U.S. Marshals Service by Microsoft and were approved by the Seattle federal court in which Microsoft is suing the unnamed operators of the Rustock botnet.

Microsoft's description of the operation estimated the Rustock malware had infected as many as a million computers, and that Rustock-infected machines helped send out as many as 30 billion pieces of spam per day, apparently specializing in fake lottery and pharmaceutical offers.

Estimating the size of botnets is notoriously difficult, however, and there's no telling how many PCs in that million-machine army were infected with the particular strain of Rustock used by this botnet's operators, or how many were actually under the operators' control at the time of the takedown.

"With help from the upstream providers, we successfully severed the IP addresses that controlled the botnet, cutting off communication and disabling it," said Richard Boscovich, senior attorney at Microsoft's Digital Crimes Unit, in a blog post on Microsoft's site.

Microsoft's last big success – announced in a blog post with the self-congratulatory headline "R.I.P. Waledac: Undoing the damage of a botnet" – came in September 2010, following an operation code-named Operation b49 that took down a much smaller botnet controlled by the Waledac malware.

That case eventually transferred ownership of 276 Internet domains used by Waledac operators to Microsoft for safekeeping.

The two botnet counterstrikes were part of Project MARS (Microsoft Active Response for Security) – "which is a joint effort between Microsoft's Digital Crimes Unit, the Microsoft Malware Protection Center (MMPC), Microsoft Support and the Trustworthy Computing team to annihilate botnets and help make the Internet safer for everyone."

Among the bulleted apple-pie goals on the DCU's home page are to:

  • Protect children from technology-facilitated crimes
  • Champion a healthy Internet marketplace for advertisers and businesses

It's hard to object to anyone taking down a botnet, especially when it's done with some respect for laws and legal procedures, as these operations appear to have been.

The self-inflating comic-book rhetoric of the blogs and announcements makes me suspicious, though.

The description above makes it sound as if the participants in Project MARS are major law enforcement agencies forming a first-ever alliance to attack a new form of crime.

In fact, they're just different departments at Microsoft, all of which probably work on the same campus in Redmond and can be assigned, reassigned or defunded on the whim of their managers and the state of Microsoft's financial statements, not on the level of crime or the will-of-the-people justification real law-enforcement agencies use to explain their decisions.

Microsoft's corporate instincts owe little to the rights of end users, moreover. Its suggestion that PCs infected with malware be kicked off the Internet like lepers exiled to an island colony wasn't the most humanitarian response to the problem, for example.

Its historically adversarial, almost antagonistic approach to piracy, which assumes customers are offenders unless proven otherwise, raises another red flag: it might not be as sensitive or responsive to the rights of customers as it is to nailing whomever it perceives as a perpetrator.

Add to that what sounds like a grandiose approach to anti-malware operations, one that is much more Red Rascal than Bruce Schneier.

Again, it's hard to object to anything that effectively combats malware and botnets without stepping on the rights of end users.

I just look at officious enthusiasm like Microsoft's with more caution than optimism.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
