It might be surprising to hear that Microsoft owns the 10 largest botnets in the world, but just as it takes a thief to catch a thief, it may require running a botnet to save organizations from botnets.
At the SecTor security conference in Toronto this week, Tim Rains, chief security advisor for Microsoft’s Worldwide Cybersecurity and Data Protection team, said Microsoft has taken control of botnets as part of its security strategy, and is now using them to help secure organizations that run on its Azure cloud services.
“We’ve taken down many botnets around the world, and what happens when you take down a botnet is a pretty interesting story,” he said. “We have to innovate around the law in order to get this done.”
The botnets were attacking customers. Among other things, they were trying to get targets to buy counterfeit Microsoft software.
“We had to go to court and say, ‘Hey, this is a trademark infringement. They’re actually selling counterfeit software, and they’re infringing on our trademark,’” Rains said.
What happens is that Microsoft asks the court for a temporary restraining order and control over the command-and-control server domains, in order to stop them from sending billions of pieces of spam. The judge grants this, but gives the accused the option of coming into open court and asking for their botnet back. “It turns out that they never came into court to ask for their botnet back,” Rains added.
Microsoft has done this several times over the years, Rains said. “Now we own the 10 largest botnets in the world.” This means Microsoft owns the control servers for a total of 60 to 70 million infected systems, including high-profile botnets such as Zeus and Rustock.
Rather than use the botnets to host malware, flood websites with DDoS attacks, or send millions of spam messages, Microsoft tracks these botnets to find out what systems are infected.
“They’re reporting back to us as their command and control – they’re reporting back to us and asking us to send them commands, and that’s why we know what their IP addresses are.”
Their list of IPs leads to infected systems, which is extremely interesting to governments and enterprises that want to know if their organizations are exposed to those botnets.
But it’s not as simple as handing over that list of IPs, because it’s a privacy issue, so Microsoft is putting those IP addresses in the cloud so that organizations can, for instance, check whether systems connecting to their Azure services are on the list. “If you’re an Azure customer, now you can go into your Azure Active Directory reports, and if there are systems authenticating to your Azure-based applications that are part of these botnets, they will show up in your Azure Active Directory reports,” Rains said.
ISPs can also use the list of infected IP addresses to tell their customers they are infected. While ISPs in North America take a more laissez-faire approach to network monitoring, he mentioned that ISPs in Finland quarantine infected customers, forcing them to deal with the problem by running malicious-software removal tools, which makes the whole ecosystem cleaner.
Rains said Microsoft maintains control of the botnets because chances are that a system compromised by one botnet will be easily infected with other malware if it isn’t disinfected and patched.
“If they’re not fixing the underlying issue,” he said, “they’ll get re-infected very quickly. We can disinfect them, and we do, but if they don’t take care of the underlying issue of how they’re getting exploited to begin with, they end up back inside that botnet.”
Very often, system exploits are used to steal login credentials, and once these usernames and passwords are stolen, they’re easily sold on the black market.
It’s unsurprising, then, that Microsoft is also collecting lists of compromised credentials. “We’ve been buying and collecting these lists of leaked and stolen credentials,” Rains said.
Last year, a criminal organization was taken down that had more than 1 billion usernames and passwords in a single file.
“We’re taking those lists of credentials and putting them into the cloud. If you go to Azure Active Directory reports, if people in your organization’s credentials are showing up on those lists, you’ll see them in your reports.”
For accounts whose login information matches stolen credentials, administrators can enforce multi-factor authentication, so that a stolen password on its own is no longer enough to sign in. Users whose login information is compromised can also be prompted to change their password.
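The two checks described above (matching sign-ins against the sinkhole’s list of infected IPs, and matching an organization’s accounts against a leaked-credential list, then deciding on a per-account action) can be illustrated with a small correlation script. The following is an added example, not Microsoft’s code and not what the Azure Active Directory reports actually run: the feed formats, the sign-in log format, the domain `example.com` and every IP, username and password in it are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sinkhole feed (hypothetical): hosts that checked in to a seized
# command-and-control domain, as 'ip_or_cidr,botnet,last_seen' rows.
SINKHOLE_FEED = """
# ip_or_cidr,botnet,last_seen
203.0.113.17,rustock,2014-10-21
198.51.100.0/28,zeus,2014-10-20
"""

# Constructed leaked-credential feed (hypothetical): 'user,password' rows.
LEAKED_CREDENTIALS = """
alice@example.com,Summer2014!
bob@example.net,hunter2
carol@example.com,P@ssw0rd
"""

# Constructed sign-in log (hypothetical format): timestamp user ip app result.
SIGNIN_LOG = """
2014-10-21T08:14:03Z alice@example.com 203.0.113.17 hr-portal success
2014-10-21T08:15:41Z dave@example.com 192.0.2.44 hr-portal success
2014-10-21T09:02:10Z erin@example.com 198.51.100.7 vpn-gateway success
2014-10-21T09:30:55Z carol@example.com 192.0.2.9 mail success
"""

ORG_DOMAIN = "example.com"  # assumed domain of the organization doing the check


@dataclass(frozen=True)
class SignIn:
    timestamp: str
    user: str
    ip: str
    app: str
    result: str


def _records(text):
    """Yield the non-empty, non-comment lines of a feed."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_sinkhole_feed(text):
    """Return [(network, botnet)] pairs; a bare IP becomes a single-host network."""
    nets = []
    for row in _records(text):
        addr, botnet, _last_seen = (field.strip() for field in row.split(","))
        nets.append((ipaddress.ip_network(addr, strict=False), botnet))
    return nets


def leaked_users_for_domain(text, domain):
    """Usernames from the leaked feed that belong to our domain (lower-cased).
    Only the username is kept; the leaked password itself is never needed."""
    users = set()
    for row in _records(text):
        user, _password = row.split(",", 1)
        user = user.strip().lower()
        if user.endswith("@" + domain.lower()):
            users.add(user)
    return users


def parse_signins(text):
    return [SignIn(ts, user.lower(), ip, app, result)
            for ts, user, ip, app, result in (row.split() for row in _records(text))]


def botnet_for_ip(ip, nets):
    """Name of the botnet whose sinkhole saw this IP, or None."""
    addr = ipaddress.ip_address(ip)
    for net, botnet in nets:
        if addr in net:  # version mismatch (v4 vs v6) simply yields False
            return botnet
    return None


def infected_signins(signins, nets):
    """Sign-ins that came from a host the sinkhole has seen, with the botnet name."""
    return [(s, botnet) for s in signins if (botnet := botnet_for_ip(s.ip, nets))]


def recommend_actions(signins, nets, leaked_users):
    """Map each affected user to the set of actions an administrator should take."""
    actions = {}
    for s, botnet in infected_signins(signins, nets):
        actions.setdefault(s.user, set()).add(f"disinfect_and_patch:{s.ip}:{botnet}")
    for user in leaked_users:
        actions.setdefault(user, set()).update({"require_mfa", "reset_password"})
    return actions


if __name__ == "__main__":
    nets = parse_sinkhole_feed(SINKHOLE_FEED)
    leaked = leaked_users_for_domain(LEAKED_CREDENTIALS, ORG_DOMAIN)
    for user, todo in sorted(recommend_actions(parse_signins(SIGNIN_LOG), nets, leaked).items()):
        print(user, sorted(todo))
```

Two points the script makes that the prose does not: a sinkhole feed is matched by network membership rather than string equality, since a feed may carry ranges as well as single hosts, and the credential check needs only the usernames, which is the part of the list that can be shared without exposing the passwords themselves.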
To stay ahead of cybercriminals, Microsoft has been playing an active role by running botnets itself and buying stolen credentials from cybercriminals – without further exposing the infected IP addresses and login credentials it collects. Microsoft’s databases would obviously be an extremely lucrative target for cybercriminals, but with no breaches of them evident, they have been helping a lot of organizations and governments protect their systems and users.
Also, it’s not enough for administrators to know their systems are infected – they need to use this information to take action by disinfecting and patching their systems, because the ultimate goal is to make sure their systems and credentials never make it into these databases.