Microsoft to botmasters: abandon your Google inboxes

Brian Krebs

Microsoft has enlisted Gmail in its legal fight against botnets.

Page 1 of a subpoena Microsoft sent to Google.

If the miscreants behind the ZeuS botnets that Microsoft sought to destroy with a civil lawsuit last month didn't already know that the software giant also wished to unmask them, they almost certainly do now. Google, and perhaps other email providers, recently began notifying the alleged botmasters that Microsoft was requesting their personal details.

Microsoft's unconventional approach to pursuing dozens of ZeuS botmasters offers a rare glimpse into how email providers treat subpoenas for account information. But the case also is once again drawing fire from a number of people within the security community who question the wisdom and long-term consequences of Microsoft's strategy for combating cybercrime without involving law enforcement officials.

Last month, Microsoft made news when it announced a civil lawsuit that it said disrupted a major cybercrime operation that used malware to steal $US100 million from consumers and businesses over the past five years. That legal maneuver may have upset some cyber criminal operations, but it also angered many in the security research community who said they felt betrayed by the action. Critics accused Microsoft of exposing sensitive information that a handful of researchers had shared in confidence, and of delaying or derailing international law enforcement investigations into ZeuS trojan activity.

Part of the controversy stems from the bargain that Microsoft struck with a federal judge in the case. The court granted Microsoft the authority to quietly seize dozens of domain names and internet servers that miscreants used to control the botnets. In exchange, Microsoft agreed to make every effort to identify the "John Does" that had used those resources, and to give them an opportunity to contest the seizure. The security community was initially upset by Microsoft's first stab at that effort, in which it published the nicknames, email addresses and other identifying information on the individuals thought to be responsible for renting those servers and domains.

And then the other shoe dropped: Over the past few days, Google began alerting the registrants of more than three dozen Gmail accounts that were the subject of Microsoft's subpoenas for email records. The email addresses were already named in Microsoft's initial complaint posted at zeuslegalnotice.com, which listed nicknames and other information tied to 39 separate "John Does" that Microsoft is seeking to identify. But when Microsoft subpoenaed the email account information on those John Does, Google followed its privacy policy, which is to alert each of the account holders that it was prepared to turn over their personal information unless they formally objected to the action by a certain date.

According to sources who received the notices but asked not to be named, the Google alerts read:

"Hello,

Google has received a subpoena for information related to your Google
account in a case entitled Microsoft Corp., FS-ISAC, Inc. and NACHA v.
John Does 1-39 et al., US District Court, Northern District of California,
1:12-cv-01335 (SJ-RLM) (Internal Ref. No. 224623).

To comply with the law, unless you provide us with a copy of a motion
to quash the subpoena (or other formal objection filed in court) via
email at google-legal-support@google.com by 5pm Pacific Time on May
22, 2012, Google may provide responsive documents on this date.

For more information about the subpoena, you may wish to contact the
party seeking this information at:

Jacob M. Heath
Orrick, Herrington, & Sutcliffe, LLP
Jacob M. Heath, 1000 Marsh Road
Menlo Park, CA 94025

Google is not in a position to provide you with legal advice.

If you have other questions regarding the subpoena, we encourage you
to contact your attorney.

Thank you."

Unlike most of its competitors in the Webmail industry, Google is exceptionally vocal about its policy for responding to subpoenas. This has earned it top marks from privacy groups like the Electronic Frontier Foundation (EFF), which recently ranked ISPs and social media firms on the transparency of their policies about responding to requests for information filed by the government or from law enforcement.

Google spokeswoman Christine Chen said she could not comment on specific legal cases, but said the company complies with valid legal process.

"We take user privacy very seriously, and whenever we receive a request we make sure it meets both the letter and spirit of the law before complying," Chen said. "When possible and legal to do so, we notify affected users about requests for user data that may affect them. And if we believe a request is overly broad, we will seek to narrow it."

At least 15 of the email accounts named in Microsoft's lawsuit were addresses at hotmail.com or msn.com, both free Webmail services run by Microsoft. It's not clear whether Microsoft gave those account holders a heads up about the subpoena. I asked Richard Boscovich, the former Justice Department lawyer and one of the architects of Microsoft's legal strategy to target botnets with civil actions; he didn't know, and referred me to Microsoft's compliance unit. I'm still waiting for an answer. But it's worth noting that Google was the only email provider on EFF's list that was recognized for reliably alerting users about data demands. Microsoft was not recognized on this front.

Marcia Hofmann, a senior staff attorney with the EFF, said Microsoft's legal effort underscores the tension between traditional law enforcement processes and companies using civil litigation to protect their own users and to vindicate their own interests.

"I suspect this is a situation where Microsoft feels law enforcement isn't moving quickly enough," Hofmann said. "But it also basically compromises law enforcement's ability to do anything about the problem, and makes it possible for the suspects to evade any sort of law enforcement action."

Cut-and-paste justice?

Critics of the Microsoft effort say certain clues prove that the company borrowed and published raw intelligence without fully understanding the data's true value and origins. Andy Fried, a former law enforcement official and owner of the Alexandria, Va. based security consultancy Deteque, was a co-founder of the little-known ZeuS Working Group, an ad hoc and extremely secretive collection of law enforcement officials and private security professionals dedicated to tracking ZeuS activity with the aim of bringing those responsible to justice.

"A basic tenet of this trust group is that everyone feels free to share data, but the rule is you never release that data outside of the trust group without express permission of whoever provided the data," Fried said. "But there was no way that the data Microsoft published was received independently. Much of it was cut-and-pasted verbatim, and some of the data included in the search warrant was horrifically out of date."

For instance, several of the key crime lords that Microsoft is seeking to unmask are already in prison for their crimes. John Doe #22 in Microsoft's complaint — alleged to have used the nickname "Jonni" — is none other than Yevhen Kulibaba, a Ukrainian man arrested in London in 2010 and named as a ringleader of a money mule recruitment gang there. Kulibaba is currently serving a four-year jail sentence in connection with the ZeuS activity.

Microsoft said John Doe #23 goes by the alias "jtk," yet this was the nickname used by Yuriy Konovalenko, the 30-year-old accomplice of Kulibaba who also was arrested as part of the UK-based ZeuS gang. Konovalenko likewise was sentenced to four years in jail.

Microsoft's John Doe #24 is thought to go by the nickname "Veggi Roma," but according to sources familiar with the case, this was an inside joke based on a lucky break that led police to the UK gang's location. Investigators in London had been working with the FBI to monitor the communications of several members of the London-based ZeuS gang, but for some time they did not know the whereabouts of the men, who were known at the time only as Jonni and Jtk. That is, until Jtk used his internet connection to order a pizza to be delivered to their apartment. A "Veggi Roma" pizza, to be exact.

Astute readers may be wondering how it is that Google's emails and Microsoft's subpoenas to the John Does named in the complaint are now public. According to Fried, that's because some of the email addresses listed in Microsoft's complaint as belonging to John Doe miscreants were in fact addresses used by security researchers who had registered domains to serve as "sinkholes" for one or more ZeuS botnets. Sinkholing is a practice by which researchers arrange for the domain names of the botnet control servers to resolve to a server they control, so that the traffic each bot-infected client sends to its controller goes straight to the research box, ready to be analyzed.
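The data a sinkhole collects is what makes the practice useful to defenders: every check-in reveals an infected client and the control domain it was trying to reach. The script below is an added illustration, not code from the article or from any of the researchers it mentions. It parses a constructed access log of the kind a sinkhole web server might keep (the log format, the placeholder hostnames `c2-a.example`/`c2-b.example` and the documentation-range IPs are all assumptions) and produces the two things a sinkhole operator wants: the size of each botnet measured in distinct source addresses, and a per-IP victim list that can be handed to the owning network for cleanup.

```python
"""
Summarise bot check-ins captured by a sinkhole.

Constructed example (not from the article): the sinkhole answers HTTP
requests that infected hosts send to what they believe is their control
server. Each access-log line records the timestamp, the bot's source IP,
the original C2 hostname the bot asked for (so the sinkhole can tell which
botnet the bot belongs to), the request line and the User-Agent.
"""
from collections import defaultdict
import re

# Assumed log layout: "<ts> <src-ip> host=<c2> "<METHOD> <path>" ua="<agent>""
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) '
    r'host=(?P<c2>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'ua="(?P<ua>[^"]*)"$'
)

# Constructed sample lines; hostnames and IPs are placeholders, and one
# line is deliberately malformed to show that bad input is skipped.
SAMPLE_LOG = """\
2012-05-07T10:00:01Z 198.51.100.23 host=c2-a.example "POST /gate.php" ua="Mozilla/4.0"
2012-05-07T10:00:05Z 198.51.100.23 host=c2-a.example "POST /gate.php" ua="Mozilla/4.0"
2012-05-07T10:01:17Z 203.0.113.9 host=c2-a.example "GET /config.bin" ua="Mozilla/4.0"
2012-05-07T10:02:44Z 192.0.2.77 host=c2-b.example "POST /gate.php" ua="Mozilla/4.0"
2012-05-07T10:03:00Z 198.51.100.23 host=c2-b.example "POST /gate.php" ua="Mozilla/4.0"
this line is garbage and must be skipped
2012-05-07T10:04:12Z 203.0.113.9 host=c2-a.example "GET /config.bin" ua="Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def summarise(log_text):
    """Group check-ins by the original C2 hostname.

    Returns {c2: {"hosts": set of source IPs, "checkins": request count}}.
    Distinct IPs give a lower bound on the infected population of each
    botnet (NAT hides several hosts behind one address); the raw request
    count shows how chatty the bots are.
    """
    summary = defaultdict(lambda: {"hosts": set(), "checkins": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line, not a check-in
        entry = summary[rec["c2"]]
        entry["hosts"].add(rec["src"])
        entry["checkins"] += 1
    return dict(summary)


def victim_list(log_text):
    """Sorted list of (ip, [c2, ...]) pairs, one per infected address.

    This is the shape of data a sinkhole operator passes to a network owner
    or CERT so the infected machines can be cleaned up.
    """
    per_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["src"]].add(rec["c2"])
    return sorted((ip, sorted(c2s)) for ip, c2s in per_ip.items())


if __name__ == "__main__":
    for c2, info in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{c2}: {len(info['hosts'])} distinct bots, {info['checkins']} check-ins")
    for ip, c2s in victim_list(SAMPLE_LOG):
        print(f"{ip} -> {', '.join(c2s)}")
```

Keying on the requested hostname rather than the sinkhole's own address is what lets one box serve several seized domains at once and still attribute each bot to the right botnet; the same host showing up under two C2 names (as `198.51.100.23` does in the sample) is a common sight and usually means a multiply-infected machine.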

Collateral damage

Microsoft maintains that it worked with several security industry partners, and that it was operating under the assumption that the information those partners provided was either their own, or was freely available amongst them for the purpose of securing the internet.

Microsoft's Boscovich said the company did not work with law enforcement on this operation, and so had no idea whether there were ongoing or adjudicated investigations related to the John Does named in its case. He emphasized that protecting customers was the company's number one priority.

"Our main objective was to stop the bleeding, and everything we do is specifically related to that mission," Boscovich said. "Congress specifically envisioned that it was and is appropriate for private entities to protect themselves and their interests, and as in this case, the interests of our customers. People are continuing to be victimized, computers compromised, identities stolen, and now those systems are posing a threat to other people on the internet, irrespective of what operating systems they're using."

For his part, Fried said he believes Microsoft will soon find it more difficult to obtain sensitive information that security researchers and law enforcement gather about key cybercrime suspects. He also fears that the ZeuS working group and other informal information-sharing groups may disband or become less effective as a result of this case.

"Microsoft discounted everyone but themselves with their initial action, and they've compounded things pretty quickly with these subpoenas," Fried said. "This is also going to cause collateral damage for a lot of trust groups, while all that they've accomplished is little more than a very minuscule inconvenience to the bad guys, whose servers were back up within 24 hours of the takedowns."

Jon Praed, founding partner of the Arlington, Va. based Internet Law Group, said he's sympathetic to Microsoft's position, and believes Google should have taken the trouble to investigate whether the John Doe accounts named in Microsoft's lawsuit deserved to be notified.

"Unfortunately, most email providers have a one-size-fits-all privacy policy," Praed said. "All of these companies have tried to create the legal right to do the right thing, but they're making almost no attempt to apply that policy in practice. At the same time, Microsoft is spending a tremendous amount of money trying to stop this activity, and I don't know anyone else out there who is even trying to do this."

KrebsOnSecurity

2 comments so far

  • So little has been done to stop use of the internet for cybercrime, that I think it is a bit pointless to say anyone acted rashly in seeking to uncover and disrupt the bad guys.

    Had 'the authorities' been right on top of this, nailing every criminal within weeks of them starting up, then it would be a different matter.

    Unlike threats or bombs sent by snail-mail (which is hard to trace), most of the IT crime has a traceable address. Some major instances are:
    a) The fake look-alike web sites ("log in to your bank here") to get your true log-in details are on a known server;
    b) the emails looking for mules ('we need a local bookkeeper to transfer money between accounts') have a reply-to email address;
    c) even data transfers from BOTs are to discoverable IP addresses.

    If the law-enforcement authorities will not track down such IPs and arrest the perpetrators, then the web-based email companies ought to do so. And if those servers are in countries which do not liaise with international law-enforcement, then Google and malware-scanning software companies should advise such countries that they risk having all IPs from such countries being rated as 'risky', in effect killing e-trade with that country. Indeed, OECD could issue such warnings that all OECD countries will bar such IP ranges. That would ensure that such small countries complied with not hosting malware sites.

    Commenter
    Graeme Harrison (prof at-symbol post.harvard.edu)
    Location
    Sydney
    Date and time
    May 07, 2012, 6:58PM
    • Funny how all the botneckers are Russian. Well, not really.

      KGB is Russian mafia. Russian mafia is today's cybercrime.

      Frankly, I felt safer when the USSR had their nukes pointed at us and we had our nukes pointed at them.

      Commenter
      The Way
      Location
      is a moveable target more of or less of a sitting duck?
      Date and time
      May 08, 2012, 3:28AM