Last week, Microsoft Corp. made headlines when it scored an unconventional if not unprecedented legal victory: Convincing a U.S. court to let it seize control of a Chinese Internet service provider’s network as part of a crackdown on piracy.
I caught up with Microsoft’s chief legal strategist shortly after that order was executed, in a bid to better understand what they were seeing after seizing control over more than 70,000 domains that were closely associated with distributing hundreds of strains of malware. Microsoft said that within hours of the takeover order being granted, it saw more than 35 million unique Internet addresses phoning home to those 70,000 malicious domains.
First, the short version of how we got here: Microsoft investigators found that computer stores in China were selling PCs equipped with Windows operating system versions that were pre-loaded with the “Nitol” malware, and that these systems were phoning home to subdomains at 3322.org. The software giant subsequently identified thousands of sites at 3322.org that were serving Nitol and hundreds of other malware strains, and convinced a federal court in Virginia to grant it temporary control over portions of the dynamic DNS provider.
Microsoft was able to do that because – while 3322.org is owned by a firm in China — the dot-org registry is run by a company based in Virginia. Yet, as we can see from the graphic above provided by Microsoft, Nitol infections were actually the least of the problems hosted at 3322.org (more on this later).
To learn more about the outcome of the seizure, I spoke with Richard Boscovich, a senior attorney with the company’s digital crimes unit (DCU) who helped to coordinate this action and previous legal sneak attacks against malware havens. Our interview came just hours after Microsoft had been cleared to seize control over the 70,000+ subdomains at 3322.org. I asked Boscovich to describe what the company was seeing.
“The numbers are quite large,” he said. “Just a quick view of what we’ve been seeing so far is upwards of 35 million unique IP [addresses] trying to connect with the 70,000 subdomains.”
Certainly IP addresses can be very dynamic — a single computer can have multiple IP addresses over a period of a few days, for example. But even if there were half as many infected PCs than unique IPs that Microsoft observed reporting to those 70,000 domains, we’d still be talking about an amalgamation of compromised PCs that is far larger than any known botnet on the planet today. So how certain was Microsoft that these 35 million unique IPs were in fact infected computers?
“We started identifying what our AV company blocks,” Boscovich explained. “We saw a lot of different types of malware, from keyloggers to DDoS tools and botnets going back there. Our position would be if you’re reaching out to these 70,000 subdomains, that the purpose would be you’re directed there to be infected or you are already infected with something. And that something was up to 560 or so malware strains we identified [tracing back] to 3322.org.”
Microsoft’s past unilateral actions against malware purveyors and botnets have engendered their share of harsh reactions from members of the security community, and I fully expected this one also would be controversial. I wasn’t disappointed: Writing for Internet policy news site CircleID, longtime antispam activist Suresh Ramasubramanian warned that Microsoft’s action would cause “extremely high collateral damage,” both to innocent sites and to ongoing investigations.
“So, in the medium to long term run …all that Microsoft DCU and Mr. Boscovich have achieved are laudatory quotes in various newspapers and a public image as fearless and indefatigable fighters waging a lone battle against cybercrime,” Ramasubramanian wrote. “That manifestly is not the case. There are several other organizations (corporations, independent security researchers, law enforcement across several countries) that are involved in studying and mitigating botnets, and a lot of their work just gets abruptly disrupted (jeopardizing ongoing investigations, destroying evidence and carefully planted monitoring).”