It’s often said that knowledge is power, and in the face of a societal problem like the spread of malicious software, sharing knowledge empowers people to act in their own defense.
Knowledge starts with information, and at Microsoft we believe that information sharing holds the potential to be a powerful disruptive force in the fight against cybercrime. Botnet operators infect people’s computers with malware and use them to operate illicit datacenters that provide unsecured cloud computing services for criminals. Criminals lease these services to commit Internet-based crimes at massive scale to steal people’s money and identity, sell fake and potentially harmful pharmaceuticals, and involuntarily reroute people’s Internet traffic away from sites they select to locations that drop malware onto their computers. As part of the Project MARS (Microsoft Active Response for Security) initiative to proactively combat botnets and other cyber threats, Microsoft’s Digital Crimes Unit (DCU) has taken down a number of botnets over the last 18 months. As part of our botnet takedowns, we identify malware-infected computers and work with Microsoft’s Trustworthy Computing Group to share this information with Internet Service Providers and Computer Emergency Response Teams in various countries to notify victimized computer owners and provide cleaning solutions.
For information sharing to serve as an insurmountable disruptive force, industry and the public sector must work together to find even more effective means to responsibly share information about malware-infected computers and clean them. This is why I participated in the EU Cybersecurity and Digital Crimes Forum in Brussels to discuss creative solutions with government officials and industry partners.
We’ve learned how to effectively share information in the case of abducted children through the “Child Rescue Alert” system, referred to as “Amber Alerts” in the United States. When a child goes missing, law enforcement agencies gather information about the child and send it across multiple channels, including mobile, media, social networks, and freeway billboards. This empowers society to assist in locating the victimized child and provides authorities with information to further rescue efforts.
In our everyday personal lives, we harness the vast sea of information available through the Internet to make informed decisions. I rely on data feeds from departments of transportation to avoid traffic-congested routes. When I visit a new city, I depend on social networking sites to facilitate access to restaurant reviews, so that I can avoid bad meals and focus on cafes and bistros offering the best experiences in local cuisine.
We need information sharing about malware-infected computers to operate at the same scale as the examples noted above, so that we create a disruptive force that makes botnet operation economically undesirable. Identifying, neutralizing and cleaning a malware-infected computer based on information from a single botnet takedown has a significant impact beyond the disrupted botnet. Many of the infected computers in one botnet are also infected with other strains of malware that rope them into multiple botnets. By cleaning all types of malware off of the infected computers, we can use a single takedown to disrupt multiple criminal operations. Botnet operators cannot run their criminal cloud computing services if they routinely have the infected computers forming their datacenter infrastructure ripped away from them.
At last week’s conference, we explored ways to make information about computers infected with botnet malware more broadly available to institutions with victimized computers in their networks, so they can clean them and prevent malicious behavior. For example, a financial institution would benefit from the opportunity to identify and neutralize criminally infected botnet computers they are legally permitted to correct. Similarly, government institutions tasked with securing critical infrastructure could benefit from robust botnet threat information sharing. We believe the success stories from Child Rescue Alert systems and social network information sharing can be realized in the fight to combat botnets and help the global Internet community protect itself and thrive.