Did you notice that you got fewer spam e-mails today? All in all there were about 3.8 Billion fewer spam mails sent out. Why? Because there is one less Botnet in operation. Today Microsoft annaounced that we have taken down the Kelihos botnet in an action codenamed “Operation b79”. This is the third botnet takedown in Microsoft’s Project MARS (Microsoft Active Response for Security), a program driven by the Microsoft Digital Crimes Unit in close collaboration with the Microsoft Malware Protection Center (MMPC) and the Trustworthy Computing team to annihilate botnets and advance the security of the Internet for everyone. Why does it matter? Because it is one step further in making cybercrime more expensive and it is the first time Microsoft has named a defendant in its fight against botnets making suddenly cybercrime much less anonymous.
Microsoft has a very interesting unit in the fight against Cybercrime – the Digital Crimes Unit. I had the opportunity to spend last week at their premise in Redmond, to have interesting discussions and get our efforts in regard to child abuse and digital crimes aligned. With our ever increased dependance on our computers, smartphones and networks at home, on the road and at work, it becomes more and more crucial to keep this infrastructure safe, secure and private. To achieve this we are working in close cooperation with local law enforcement agencies, government CERTs, Internet Providers and other organizations and agencies. From a personal perspective it is highly interesting to have the opportunity to work at national level as a facilitator and sponsor between these Swiss entities and the different units of Microsoft Redmond and to be able to participate in the fight against child abuse and cybercrime.
The fight against botnets will continue. There are still tens of thousands of computers infected that regularely try to connect to the three botnets Microsoft took down. The following video gives an impression of the state of two botnets as of 21. September 2011.
What now needs to be done is to clean up the infected computers. To aid in this I started working together with Government, Internet Service Providers and Community Emergency Response Teams so that we can also take advantage in Switzerland of the work that is done in Redmond. More on that in a later post once the initiative has advanced and all partners are on board. In the meantime – please keep your computers safe and private. With that you are participate in the global fight against cybercrime and you keep your privacy protected. You can find information on “how-to” in this earlier blogpost.
Interested to know more about the botnet takedown? Read here the official Microsoft Blog.
SWITCH, the internet registrar for the .ch and the .li domain and also a service provider for Swiss universities and a CERT, has been blocking Swiss websites if they are spreading malicious software and infecting computers of the internet users accessing them. They released today a statistic, that they have been cleaning more than 700 websites since the end of November 2010. This comes to an average of about 150 websites per month although, as they started the process slowly, the average might not be representing the actual work completely.
I am happy to hear about this success of SWITCH making internet users safer by disabling malware disseminating sites. If one takes the relative small numbers of .ch and .li domains and looks at how many domains exist worldwide the amount of infected sites is hard to grasp. The process itself is pretty straightforward. Once an infected site is known the holder of the manipulated website is contacted. SWITCH describes the process as follow “After receiving notification, holders and operators have one working day to clean up the website. If this deadline elapses without a cleanup, SWITCH temporarily blocks the domain in question to protect visitors to the website and informs the Reporting and Analysis Centre for Information Assurance – MELANI. As soon as the problem has been solved, SWITCH reactivates the domain. Combating malware in this way is proving to be effective: in 680 cases, the holders and operators reacted and cleaned up the website within one working day. On 55 occasions, a website was blocked before being cleaned. In 68 cases, it proved impossible to find a definitive solution, because the blocking period permitted by law had expired.”
While the process is clearly not perfect it is definitely a first step and it could be a model for other registrars to adapt. It needs a legal basis and a close cooperation with the government. Maybe this goes in the direction of the need of an internet governance I described earlier? Whatever could be improved – for today it is “congratulations SWITCH”!
Microsoft has today taken down a large and complex botnet known as Rustock. This botnet is estimated to have approximately a million infected computers operating under its control. It had the capability of sending billions of spam mails every day and was responsible for a significant amount of the total spam that was sent on every given day and that clogs up our inboxes.
While the news was reported widely and our inboxes are cleaner (for now) I was thinking about the effort involved. Microsoft and US federal law enforcement agents seized computer equipment based based upon a civil lawsuit filed in federal court in Seattle. While it obviously worked it strikes me as very inefficient and probably restricted to computer that are on US soil. As botnets are an upcoming trend, and looking at how cheap it is to rent one for a day, I expect that more botnets will be brought to live again and that their command and control infrastructure is not on US ground and therefore safer. Do we need a stronger Internet Governance where botnets and similar critters can be taken down even remotely if they are in countries that do not support such actions? Do we need a Geneva convention for the Internet with a legal framework where governments and possibly corporate actors can act upon? Looking at the development rate of technology and the speed of legislation – we might want to start today rather than tomorrow.