Inside Microsoft botnet takedowns

By , Network World |  Security, botnets, Microsoft

These teams are made up of 10 to 20 individuals. "They're small enough to be nimble but they can draw on the large resources of Microsoft," he says. Keeping them small also reduces the chance of leaks. Also, the teams are told that they are running the show, giving them ownership of the project, Campana says.

DCU, Microsoft's Digital Crimes Unit, was set up in 2003 as a joint legal and technical group based at Microsoft headquarters in Redmond, Wash., with some members based in Europe and some in Asia. In 2009 it became part of Microsoft Active Response for Security (MARS), a collaboration of DCU, the Microsoft Malware Protection Center and Microsoft Trustworthy Computing formed specifically to combat botnets. The new group created a top threats list and started planning legal and technical approaches to address the targets.

In February 2010 it took down the Waledac botnet, with the goal of dismantling its command-and-control servers. Traditional court proceedings, and actions through the Internet Corporation for Assigned Names and Numbers (ICANN), the body that coordinates the domain name system, tipped criminals off ahead of time that they had been found out. "It took too long, and it let the domain owner who was dirty know," says Boscovich.

So Microsoft sought an ex parte hearing, in which a judge hears only one party, without the other present, and can approve legal action against the absent party without notifying it. It's an extraordinary remedy, but the judge deemed it an extraordinary circumstance, he says. The other party does get to present its side, but at a later date. In the case of Waledac, the tactic gave Microsoft time to seize 277 domain names and shut them down before the operators could react.

Next they went after Rustock, a botnet that specialized in sending spam luring victims into buying counterfeit pharmaceuticals, abusing Pfizer and Microsoft trademarks in the process. The case explored new legal ground by applying the Lanham Act -- a law typically used to seize counterfeits such as knockoff handbags and watches before the counterfeiters can move them -- to cybercrime. Microsoft, along with Pfizer, the University of Washington and FireEye, won an order to seize the Rustock command-and-control servers from ISPs in seven U.S. cities.

From the seized servers Microsoft learned which domains Rustock might use as rendezvous points for the botnet once its C&C servers were taken down. The company bought up those domains so the bots would have nowhere else to report.

In the case of the Kelihos spambot, subdomains of a particular domain were used for malicious purposes. But registration records cover only the registered domain, not the names created beneath it, so it is difficult to find out who controls a subdomain, and the domain owner may not know either, he says.
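The two DNS points above, that a takedown order and a WHOIS lookup reach only the registered domain (the Kelihos subdomain problem) and that backup rendezvous domains must be identified and registered before the operators use them (the Rustock step), both come down to the same triage question: which registrable domain does each observed C&C hostname belong to? The following is an added example, not code from the article or from Microsoft's DCU. It uses a constructed public-suffix table and constructed hostnames (none are real botnet infrastructure); real tooling would load the full Public Suffix List, for instance with the tldextract package.

```python
from collections import defaultdict

# Simplified stand-in for the Public Suffix List (assumption: a real tool would
# load the full list). Constructed subset; 'dyndns.org' is included as a
# private suffix under which third parties register their own names.
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "co.uk", "dyndns.org"}

# Constructed sample of hostnames a bot might contact; not real botnet domains.
OBSERVED_CC_HOSTS = [
    "a1.rendez.example.com",
    "a2.rendez.example.com",
    "cc.rendez.example.com",
    "b1.example.co.uk",
    "bot7.evil.dyndns.org",
    "bot8.evil.dyndns.org",
    "x.y.z.example.ru",
]


def registrable_domain(hostname: str) -> str:
    """Return the registrable (WHOIS-visible, seizable) domain for a hostname.

    Walks the labels from the right, finds the longest matching public suffix,
    and returns that suffix plus one more label. 'a.b.example.co.uk' gives
    'example.co.uk'; 'bot7.evil.dyndns.org' gives 'evil.dyndns.org', because
    'dyndns.org' is itself a suffix where third parties register names.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Longest candidate suffix first, so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname!r} is a public suffix, not a registrable domain")
            return ".".join(labels[i - 1:])
    # No known suffix: fall back to the last two labels.
    if len(labels) < 2:
        raise ValueError(f"{hostname!r} has no registrable domain")
    return ".".join(labels[-2:])


def group_by_registrable(hostnames):
    """Map each registrable domain to the sorted list of hostnames under it."""
    groups = defaultdict(set)
    for host in hostnames:
        groups[registrable_domain(host)].add(host)
    return {domain: sorted(hosts) for domain, hosts in groups.items()}


def seizure_targets(hostnames):
    """Return (domain, distinct hostnames under it), most-used domain first.

    Each entry is one name a court order (or a defensive registration) would
    have to cover; a high count means many bot rendezvous names collapse onto
    a single registrant that may not control the subdomains itself.
    """
    groups = group_by_registrable(hostnames)
    return sorted(((d, len(hs)) for d, hs in groups.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for domain, count in seizure_targets(OBSERVED_CC_HOSTS):
        print(f"{domain:20s} {count} hostname(s)")
```

Seven observed hostnames collapse onto four registrable domains; `example.com` carries three of them, and `evil.dyndns.org`, not `dyndns.org`, is the name an order would have to target, since the parent is a suffix shared with unrelated registrants.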

Originally published on Network World.