This is how Microsoft takes down botnets around the world

Security is key to Microsoft and its products, as it should be for any software maker in today’s day and age. The Redmond based technology company is working hard to prevent attacks such as WannaCry, with the addition of a host of security features and updates to its latest Windows 10 operating system. For instance, the Windows Defender Device Guard blocks execution of any unassigned code and the Protected Folders feature coming with the Windows 10 Fall Creators Update in September helps users identify apps that try to make changes to protected files. Other features such as Windows Hello and Microsoft Credential Guard also help enhance device security.

But, there is another kind of a security force, one facilitated by a union between humans and technology, that Microsoft uses to defend against cyber attacks. Called the Microsoft Cyber Defense Operations Center (CDOC), the facility is a one of a kind cybersecurity hub which brings together lawyers, investigators and cyber forensic analysts to predict and demolish various threats. These threats could vary from DDoS attacks performed by botnets to severe malware infections. Set up in 2015, Microsoft’s Cyber Defense Operations Center uses machine learning to discover and flag irregularities and has various satellite operation centers backed up by 3500 security professionals around the world.

One such satellite Cyber Security Engagement Center runs out of India’s capital city, New Delhi. “The whole of the cyber defense center in our layered approach to security front ends our $1 billion a year investment in security,” Meenu Chandra – Director IP/ Digital Crimes Unit, Microsoft India tells us in a select media briefing.

Use of Microsoft PowerMap to view piracy data. Credits: Microsoft

The job of Microsoft’s CDOC and its satellite arms around the globe is to take down criminals or criminal syndicates involved in cyber crimes by combining big data investigations and legal actions. Security researchers and analysts at Microsoft study multiple data points and use tools such as Microsoft Power BI for visualising and interacting with data pertaining to various threats. Using this data, the CDOC tries to investigate the threat and take down attackers.

“Think about it like Sherlock Holmes trying to look in a haystack,” explains Chandra. Once the collected data pinpoints to the geolocation of the threat administrator or the criminal, the investigating officers, people who have worked with security organisations like CBI, FBI, Interpol, etc nab the perpetrators. The lawyers in the team then come up with legal strategies and provisions to bring the attackers to justice.

Of course, such large scale security operations cannot be conducted in isolation and Microsoft works with ISPs, CERTs of various countries to take down threats like botnets.

In case of botnets, once the location of a command-and-control server is discovered using big data, and the required legal permissions are obtained to mobilise local law enforcement, Microsoft tries to approach the threat with caution. “Even before you go and knock on the door of the command-and-control server we need to make sure that he (attacker/s) does not know that you are coming,” says Chandra.

In this case, Microsoft uses a method called ‘sinkholing’ to redirect traffic from the original command-and-control server to a replica/decoy of the server created by the CDOC. The ISPs through which the botnet is being distributed are then asked to route all traffic going to the original malicious server, to the decoy server. While the sinkholing is being done, law enforcement officers knock at the door of the perpetrator and cuts the cord with the command-and-control center.

Credits: Microsoft

Of course, this is a very simple explanation of a much more complex process that involves various private and government entities working together. In the past, Microsoft has helped squash botnets such as Citadel, Zeus and Dorkbot. In case of Citadel, the botnet had remotely installed keyloggers in more than 5 million devices to steal over $500 million from bank accounts back in 2013, and was taken down by Microsoft with the help of the FBI. The same was the case with the Zeus family of malware. Microsoft’s Digital Crimes Unit worked with the FBI and industry partners to remove the malware so that infected computers can no longer be used for harm. Dorkbot, one of Microsoft’s most recent takedowns, happened in 2015 after the malware family infected more than one million PCs in over 190 countries.

Citadel botnet heat map by location. Credits: Microsoft

While Microsoft does have the ability to end the crime perpetrated by these botnets, the infection still lingers on the devices that were harmed in the first place. “Even though sinkholing ensures that the crime is not being perpetrated against individuals who were infected, the infection hasn’t really gone away, which means all the devices that were behind the ISPs are still infected,” explains Chandra. Most people don’t even know that their devices have been breached for over 140 days, she adds.

Microsoft’s data shows that systems in India are still sending traffic to old sinkholes setup for legacy malware. This just shows that the affected systems are still vulnerable, even though the infection is not causing them any harm at the moment. This happens if a user’s system is not up to date, if the user is still unaware of the attack or if the user simply chooses to ignore the infection.

In India and other countries, the Microsoft’s Cyber Threat Intelligence Programme shares data of the infected devices with the Computer emergency response teams (CERT), which can further issue advisories to the affected entities. 50 Plus countries already subscribe to Microsoft’s Government Security programme and the company tells us that India is close to hopping onto that bandwagon.

Follow Us

Adamya Sharma

Managing editor, Digit.in - News Junkie, Movie Buff, Tech Whizz! View Full Profile