June 03, 2013, 3:27 PM — Microsoft has moved its botnet-fighting capabilities to the cloud, a step that will make its response teams both faster and more effective in fighting hijacked PCs.
Microsoft launched its Microsoft Active Response for Security (MARS) program in 2010, relying on a series of daily emails to ISPs and other clients to warn them about the networks of hijacked PCs, known as botnets, operating within their borders.
Now, Microsoft's new effort, dubbed the Cyber Threat Intelligence Program (C-TIP), taps the Microsoft Azure cloud to send updates as frequently as every 30 seconds, providing near-real-time threat intelligence to its clients. All the information is uploaded directly to each organization's private cloud via Azure, Microsoft said.
Botnets are typically formed when hackers exploit vulnerabilities in a number of different computers, either via a Trojan, infected Web site, or a phishing attack. The "zombie" PCs are then networked together and ordered about by a command-and-control server or servers. The botnet can then be used for anything including distributed denial-of-service attacks, distributing malware, to "clickjacking," such as the automated clicking of ads that the "Chameleon" botnet recently exploited to the tune of an estimated $6 million per month.
The automated Microsoft services can be used to quickly inform ISPs which of the PCs on their network may be part of a botnet, so their Internet access can be shut off or monitored.
"While our clean-up efforts to date have been quite successful, this expedited form of information sharing should dramatically increase our ability to clean computers and help us keep up with the fast-paced and ever-changing cybercrime landscape," TJ Campana, director of security, for Microsoft's Digital Crimes Unit, said in a statement. "It also gives us another advantage: Cybercriminals rely on infected computers to exponentially leverage their ability to commit their crimes, but if we're able to take those resources away from them, they'll have to spend time and money trying to find new victims, thereby making these criminal enterprises less lucrative and appealing in the first place."
Microsoft said it will provide its C-TIP services to ISPs and Computer Emergency Response Teams around the globe. So far, two CERTs have signed up: Spain's CERT, known as INTECO; plus a pair of CERTs in Luxembourg, known as CIRCL and govCERT. Microsoft already sends its daily emails to 44 organizations in 38 countries, the company said, and hopes to transition the remainder over to the C-TIP program as soon as possible.