By Joseph Menn
REDMOND, Washington, Nov 14, 2013 - The maker of the
most popular computer operating system in the world is launching
a new strategy against criminal hackers by bringing together
security engineers, digital forensics experts and lawyers
trained in fighting software pirates under one roof at its new
Cybercrime Center.
Microsoft Corp's expanded Digital Crimes Unit
inside the 16,800-square-foot, high-security facility combines a
wide array of tactics that have worked the best: massive data
gathering and analysis, gumshoe detective work, high-level
diplomacy and creative lawyering.
The new approach, to be launched on Thursday, is the latest
attempt to close the gap created in the past decade as criminal
hackers innovated in technology and business methods to stay
ahead of adversaries mired in the slow-moving world of
international law enforcement.
Already, many of the biggest victories against organized
online criminals have come when private companies have worked
together to seize control of the networks of hacked computers,
called botnets, that carry out criminal operations. Though it is
at times derided for the security shortfalls in its own
products, Microsoft has led more of those seizures than any
other company.
"Cybercrime is getting worse," Digital Crimes Unit chief
David Finn told Reuters during an exclusive visit to the
Redmond, Washington, campus building this week. But Finn hopes
that by mixing specialists from various professional arenas,
Microsoft can get better.
The center features a lab for dissecting malicious software
samples that is accessible only with fingerprint authorization.
In another room, a monitor tracks the countries and Internet
service providers with the greatest number of machines belonging
to some of the worst botnets.
Next to a situation room with a wall-sized, touch-screen
monitor sit rows of empty offices for visiting police, Microsoft
customers or other allies expected to join specific missions for
days or weeks at a time.
There are hundreds or thousands of botnets, and Microsoft is
trying to get only the biggest or most damaging, or else to
pursue fights that would establish key precedents.
In the past few years "at least half of the major,
significant takedowns have been driven by Microsoft," said Steve
Santorelli, a former Microsoft investigator and Scotland Yard
cybercrime detective who now works at a security nonprofit group
called Team Cymru.
Microsoft has tangled with a Mexican mafia family that
proudly put brand labels on pirated Xbox game CDs, a ring that
took online payments via a parking garage in Malaga, Spain, and
a Russian virus writer paid with a paper bag full of cash -- by
a 12-year-old boy on a bike.
Outside security experts praised the cross-pollination of
fraud, security and software specialists.
"That kind of integration is only for the better. The
financial sector has been thinking along those lines as well,"
said Greg Garcia, a former cybersecurity official at the
Department of Homeland Security and at Bank of America who now
advises the banking industry's main cybersecurity coordination
group, known as FS-ISAC.
The crimes unit doesn't tackle government spying, where
Microsoft is among the major Internet companies that have turned
over large amounts of data on users to the U.S. National
Security Agency (it is suing for the right to disclose how
much). And another unit within Microsoft is in charge of making
the company's products less susceptible to hacking.
PIRACY SQUAD PROTECTS WINDOWS
About 80 of the crime unit's 100 staffers have focused on
the piracy of Microsoft products, with far fewer devoted to
deconstructing the methods of criminals attacking Microsoft
users and stopping them when possible.
But time and again, the piracy squad has found
counterfeiters who were using botnets that also sent spam or
attacked websites with denial-of-service attacks, or who slipped
malicious software into copied Microsoft wares, or who had other
ties to broader security issues.
In one test, undercover Microsoft employees bought 20 new
computers in China the way average consumers would. All had
pirated versions of Windows, and all had at least traces of
malicious software. An expanded pool of 169 machines included 18
percent ready to receive electronic commands as part of a botnet
called Nitol.
More critically, the piracy people bring experience with
unusually powerful U.S. copyright laws. With a strong
preliminary showing in court that their goods are being
misrepresented, copyright owners can win orders allowing them to
seize the offending property without prior notice.
In an innovative and aggressive twist, Microsoft has been
using that law to seize website addresses, including those used
by criminals to control botnets.
"Microsoft really has done a very positive job in a couple
of areas, and one of those is construction of legal frameworks
that create precedents that allow future actions," said Jeff
Williams, head of security strategy at Dell Inc's SecureWorks
Counter Threat Unit.
The Nitol case was remarkable in that it and other botnets
were connecting to 70,000 addresses at a Chinese web domain-name
seller called 3322.org. Microsoft won the right to filter all
connections to those addresses and blocked more than 7 million
attempts in 16 days. The owner of 3322 agreed to settle
Microsoft's lawsuit and to drop other bad addresses identified
by Microsoft or Chinese Internet security officials in the
future.
Microsoft also felled a botnet called Rustock, once one of
the biggest sources of spam on the planet. More recently, it
teamed with banks to seriously hurt two operations that sell
do-it-yourself kits for crafting smaller botnets that have
stolen hundreds of millions of dollars from online accounts.
The takedowns are often dramatic, with armed raids on
multiple locations where servers are housed. If there are many
control computers and they don't get disconnected within minutes
of one another, the surviving machines can issue new commands
and recreate the entire network.
During one raid in Pennsylvania, an executive at the bad web
page's hosting company was cooperating when the site's owner
realized what was happening and changed his password from afar,
locking out the official. The Microsoft team pulled out the
cables to save the day.
Finn and Microsoft crime expert Richard Boscovich, a fellow
former federal prosecutor, said they are working on new means to
take down even more sophisticated botnets, which are controlled
through a peer-to-peer mechanism instead of through centralized
servers.
"You'll be seeing some interesting stuff in the near
future," Boscovich promised. "This is an area where what is good
for the business is good for society."