A little over two weeks ago Microsoft announced Operation b71. It was presented as the biggest blow to ZeuS botnets in history and was picked up by the media globally. A released video showed Microsoft personnel executing a preliminary injunction in a civil case and seizing a server in Scranton, PA. In their words: “Hopefully this action will disrupt not only one but multiple botnets and allows Microsoft to get visibility into the criminal organization which really runs and develops the ZeuS family of malware”. A spokesperson for FS-ISAC said, “we have sat back and we have taken it, I think we need to go onto the offensive.” The former DHS Cyber Chief also mentions that, for Microsoft and the financial industry to combat these types of threats, they need to work together. A spokesperson for NACHA mentions that fighting these threats is not as easy as finding the individuals or groups that are causing these problems, because they operate in very intricate networks in a very sophisticated way. Mr. Boscovich from Microsoft adds that they are very technical, very hard to identify and hard to prosecute criminally.
We have some reservations about this whole operation which, in light of the above statements, paint a rather twisted picture and will leave you with an uneasy feeling. I suggest reading the entire article so you can form your own opinion. Microsoft has actually released the affidavits (statements of facts) and accompanying documents on a website reachable at http://www.zeuslegalnotice.com/.
We have delayed publishing this response in anticipation of Microsoft publishing a statement of rectification about some of the background events of their recent Operation b71. This blog post will detail that background to some extent, so that the public, and also the Microsoft customers and partners in this Operation b71, know what Microsoft did in order to offer their so-called protection of their customers.
So the video shows Microsoft seizing one server. In total two servers were seized, one containing an installation of a ZeuS variant named Ice-IX. This is a commercially available kit based on the leaked source code of the original ZeuS. The other server functioned as a SpyEye controller, a Trojan that was very popular in 2011 but whose popularity declined dramatically by the end of that year due to a lack of updates. Ice-IX is 99.9% the same as the original ZeuS, with some small additions and modifications. The last available SpyEye backend code was also freely downloadable from ‘The Internet’, so that is not going to reveal anything new.
If the code on these servers is not interesting, what else could they have been looking for? Would Microsoft be able to find something linking to the actual criminals running these two seized servers? Very unlikely, especially with servers like these, which are not bulletproof hosted. The criminals know those systems are going to be taken offline sooner or later and might be inspected. So they leave little or no information on these systems, and the server's logging is often disabled; if it is not, it only contains the IP address of a VPN gateway or SOCKS proxy that the criminals used to manage the server. All in all, we expect this will not reveal any information … at least not the supposed “visibility into the criminal organization which really runs and develops the ZeuS family of malware” as stated in the released video. One of the botnets was up and running again within 24 hours of the takedown, on a brand new C&C server, and continued with its business as usual.
Another thing Microsoft did was seize a large number of domains used by ‘criminals’ for the purpose of pointing the malware on infected systems to the actual IP address of the C&C server. Not to make communication with those domains impossible (in fact not at all); instead the domains were pointed to nameservers under Microsoft's control on 24 March 2012. The nameservers used were NS1 and NS2 at microsoftinternetsafety.net. Among the large set of domain names were old domains (from early 2011), parked, unused and expired domains, and also legitimately used domains. This proves there was little to no verification of the data by Microsoft or the judges in this case. Looking for example at the .nl domains (page 14 of Prelim_Inj_Pt4.pdf) we see a number of sites which are simply legitimate. Perhaps at some point in time these were used as an update server, redirect server or proxy for C&C traffic. This also directly indicates a lot of mislabeling of domains and their purpose, which, as we now know, was not just the case for the .nl TLD. Microsoft certainly has a very liberal interpretation of the word dropzone, for example.
Now a problem occurred because a lot of the domains were not registered by criminals but by security companies and NGOs, who use these domains to look for communications from infected systems, with the intention of using them as a feed for ISPs and similar organizations to indicate that systems have been compromised with a Trojan. This process is called sinkholing; it often works by registering backup domains or domains generated by a domain generation algorithm. So these security companies and NGOs lost a part of their domains, and thus a part of their intelligence feed, and were also marked as potentially being a contact for the criminals. These mistakes have not been fixed at the time of writing, over two weeks after the domains were seized, which is easy to observe because sinkholed domains are easily recognizable.
An even more interesting point on this subject is found in the affidavits linked above. In Debenham_Decl_Part_1.pdf, act 113, it is mentioned that for the seized domains that are pointed to Microsoft-controlled DNS servers, the A record will point to a server with the following property: “The Microsoft computers are configured to capture only the IP addresses of computers that are attempting to establish contact. They are deliberately configured to break-off the communication before any content is received.”
An interesting statement, as this is far from the reality of how it works. A simple test will show that a connection is actually set up completely, at least to ports 80, 443 and 8080, with a full TCP handshake. This is already more than described above. The server will then receive data, and not just a single packet but multiple. On Microsoft's end the packet data is actually being processed, seemingly specifically for HTTP-formatted data. This means (and yes, we tested it) that Microsoft will receive the HTTP request with full headers and also the POST data, which will contain sensitive information about the victims, including usernames, email addresses, passwords and personally identifiable information. This is definitely different from what was stated in the affidavits.
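The test described above, as an added example that is not part of the original post: two constructed loopback listeners (one that logs only the peer IP and closes without ever reading, which is the behaviour the affidavit describes; one that parses the HTTP request and answers it) and a probe that mimics a bot check-in against each of them. The host name, path and POST body are constructed placeholders, not real botnet traffic.

```python
import socket
import threading

# Added example, not from the original post: a constructed bot-style check-in
# and two loopback listeners. The "minimal" listener logs only the peer IP and
# closes without ever calling recv(); the "parsing" listener reads the HTTP
# request, so its log ends up holding whatever the victim machine POSTed.

# Constructed check-in; host name, path and form fields are placeholders.
CHECKIN = (
    b"POST /gate.php HTTP/1.1\r\nHost: sinkhole.example\r\n"
    b"Content-Length: 24\r\n\r\nuser=victim&pass=hunter2"
)


def _serve_one(srv, log, read_content):
    """Accept one connection, log the peer IP and optionally the request."""
    conn, addr = srv.accept()
    if read_content:
        data = conn.recv(4096)  # headers and body of the check-in
        log.append((addr[0], data))
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    else:
        log.append((addr[0], None))  # no recv() is ever issued on conn
    conn.close()
    srv.close()


def start_listener(read_content):
    """Start a one-shot loopback listener; return (port, log)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    log = []
    threading.Thread(target=_serve_one, args=(srv, log, read_content),
                     daemon=True).start()
    return srv.getsockname()[1], log


def probe(port, payload=CHECKIN, timeout=2.0):
    """Complete the handshake, send the check-in and classify the reply.

    Returns "http_response" when the far end parsed and answered the
    request, "no_http_response" when it closed or reset the connection
    without answering (the break-off behaviour the affidavit claims).
    """
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        try:
            s.sendall(payload)
            reply = s.recv(1024)
        except (ConnectionResetError, BrokenPipeError):
            return "no_http_response"
    return "http_response" if reply.startswith(b"HTTP/") else "no_http_response"


if __name__ == "__main__":
    for read_content in (False, True):
        port, log = start_listener(read_content)
        print(read_content, probe(port), log)
```

Run against a real sinkhole address instead of the loopback listeners, the probe alone is enough to tell whether the far end answers HTTP; the two listeners show what each design leaves in its own logs.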
Statements and facts presented by Microsoft
In the affidavits you can find a great deal of information that is freely available on the Internet. It is interesting to notice that this is presented as verifiable fact just because it was available on a website or as a download. These websites and documents are statements of questionable source, and it goes too far to go into every detail of each paper, but when I was reading it I found many presented facts which I know to be incorrect. For example, one of the included whitepapers states that the latest version of the ZeuS Trojan at the time of writing in 2010 was version 1.6, which is simply false. The last ZeuS version in major version 1 is actually 1.3.X.X, which was released by the end of 2009 and further updated with fixes in the beginning of 2010. Version 1.4 was never really released and was not for sale, but was merely the beta version for the 2.0 release, which came out in 2010.
In another statement, on page 5 of Debenham_Decl_Part_1.pdf, it is indicated that ZeuS was first identified in 2007; this is verifiably incorrect, as it was researched in 2006 and published about in a great write-up by Michael Ligh et al. This is another indication of sloppy research on Microsoft's end.
On page 2 of Debenham_Decl_Part_1.pdf, act 3, it is stated that ZeuS, Ice-IX and SpyEye can be seen as the same because they incorporate ZeuS code, and from then on they are referred to as “Zeus botnets”. To prove this there are appendices that claim to verify it, including a reference to a blog post by the IT security journalist Brian Krebs. Note that there has been a lot of talk about SpyZeuS being the next great threat to the world's IT infrastructure and online banking in general, but in reality this was all make-believe. Obviously SpyEye contains tricks used in ZeuS, and obviously SpyEye supports the ZeuS webinjects format, as do a dozen other banking Trojans. Let's make a comparison: there is Windows and there is Linux, and both support NTFS; is it now logical to call Linux a Windows variant? No, they are both just operating systems, and SpyEye and ZeuS are both just Trojans.
Also in some of the statements, such as the one in Debenham_Decl_Part_1.pdf act 22, the author writes that the email addresses of domain registrations can be used to contact John Doe 1-39. This is a bit off, as there has obviously been little to no verification that the domains were related to the unnamed defendants. Actually we are pretty sure they have not done anything of the sort; they have only supplied a rather limited list of domains obtained from ZeuS and SpyEye configurations.
Another interesting observation from our end is that in the documents we found no clear references to the use of exploit kits, which is the main method employed for infecting systems with banking malware. This seems odd; perhaps they did not want to overcomplicate things, or perhaps they wanted to put the focus more directly on the NACHA spam mails, NACHA being one of the plaintiffs.
On page 51 of Summons.pdf the actor named “duo” is apparently mislabeled as “D frank”, which differs from the declaration by Debenham.
John Doe information
This last part brings us to the most interesting part of this whole write-up on Operation b71: we were surprised to see the contents of the Summons.pdf and the declaration of Debenham. These include a lot of information on actors involved in the ZeuS operations, the SpyEye author and individual SpyEye users, but also completely unrelated actors. This information includes nicknames, email addresses, ICQ numbers and Jabber addresses.
When looking at those details we found some interesting things about some of the described John Does. The information therein was 100% identical to information we had supplied to a certain mailing list. This mailing list has the restriction that shared data can only be used with the permission of the person who supplied it. The information was in exactly the same order and contained exactly the same amount of information on those John Does that we, and also a friendly information security company, had provided. Since the order and amount of information were 100% identical, and the data was then also used out of context and misinterpreted, the person who interpreted it evidently did not have the right background to fully understand it.
For us this felt like a major blow, as we spent a lot of time gathering this kind of information, while a corporate giant like Microsoft is now using it for their own marketing and public relations purposes without reaching out to the persons who supplied it. From our end we can confirm that this information was never supplied for the purposes Microsoft used it for. This whole action by Microsoft deals a major blow to information sharing between information security companies on mailing lists and in working groups.
The actions by Microsoft were thus definitely disruptive, but not so much for the criminals, as they can easily set up their botnets again, if they lost any in the first place. Setting up a new botnet to replace one that might have been disabled is very cheap: for about 10,000 USD you can set up a botnet of about 100,000 systems in a single popular country, which will typically be enough for a quick return on investment. The disruptive effect on the information security industry and the public-private partnerships that have emerged is, however, devastating. The level of trust and the potential loss in effectiveness of information collection is becoming a major issue for information sharing, especially when taking these kinds of leaks into account. What we will see in the near future, and are already seeing now, is a hesitation among partnering organizations to provide information on what is current; instead only vague information will be shared that is not actionable.
To refer back to the words of the former DHS Cyber Chief: the working together he mentioned has now become an interesting proposal. Everyone in the industry at least now knows Microsoft is an untrustworthy partner who will go to great lengths to betray those it works with and will not take responsibility for its mistakes. In light of the whole Responsible Disclosure debate on Microsoft's end, this unauthorized and uncoordinated use and publication of information protected under an NDA is obviously troublesome and shows that Microsoft only cares about protecting its own interests.
Also in light of the statement made in the video, “how the criminal networks are intricate and how the individuals are hard to identify”, letting them know you are looking for them, and with exactly what information, is not going to help anyone's objectives apart from those of the criminals themselves. On that same Monday we saw several actors register new accounts and Jabber addresses and reintroduce themselves to their partners in crime. Obviously this will make future attempts to attribute information to a person difficult, as now you not only have to attribute actions to a single identity but also link those two or more identities together.
When it comes to the actual harm, Microsoft has endangered the success of countless ongoing investigations in both the private and the public sector all over the world, from east to west. Obviously, as most of these actors are located in Russia and Eastern Europe, cooperation between parties in those regions and in western countries, on both the public and private sector side, has been hurt more than you would expect, and years of trust building have potentially been lost. It is not so much about this individual investigation but more about the global issue of partnerships between countries and regions and between the private and public sector. In our discussions with law enforcement officers, private investigators and members of NGOs researching these threats from across the globe we have found nothing but disappointment and disbelief regarding the irresponsible actions executed by Microsoft. Various other researchers have voiced their disappointment earlier:
http://countermeasures.trendmicro.eu/dont-be-dumb-keep-schtumm/ and https://twitter.com/#!/sempersecurus/status/184344304788045825
By the end of the Microsoft PR/marketing video I was laughing out loud and crying at the same time. As if these people actually reside in a country where Microsoft can prosecute them, and as if you can actually find them when you have to steal intelligence collected by others in the first place. No, you know who is doing the real laughing now: the criminals, who have really achieved victory over the entire industry thanks to Microsoft's irresponsible actions.
To summarize what has happened: Microsoft publicly announced a takedown of ZeuS, Ice-IX and SpyEye botnets, listed a large number of domain names that were supposedly involved and attempted to seize all of them. The lists of domains were unverified and contained domains that had a legitimate use.
Microsoft's declaration contained statements that were incorrect and even contained misleading information regarding the invasion of privacy of the victims of ZeuS botnets, as their personal information may end up in the hands of Microsoft.
A large amount of the information that identifies the so-called John Does in this case has no apparent source or is not verifiable to any extent in the published information. We know that a large part of this information was sourced from individuals and organizations without their consent, breaking various NDAs and unspoken rules.
This irresponsible action by Microsoft has hampered and even compromised a number of large international investigations in the US, Europe and Asia that we knew of and also helped with. It has also damaged, and will continue to damage, international relationships between public parties and between private parties. It also sets back cooperation between public and private parties, the so-called public-private partnerships, as sharing will stop or will definitely be less valuable than it used to be for all parties involved.
Advice for the future
This has obviously been a major setback for everyone involved, not only those directly involved but also, slowly but surely, for those who are fighting the same battle and who are now confronted with this issue. How should things have been done, and where do we go from here? Well, the first step is communicating. When you are planning an action, talk about it with as many of the people you know are going to be affected by the actions you are going to execute. If you need a key piece of evidence supplied by someone else, ask that person whether it is possible to use this information without risking their information position. This is not just something private parties should learn, but public parties as well.
A second step is sharing, which goes both ways; sharing is caring. While it is not always possible to share everything, it is definitely worth sharing things: sometimes raw data, sometimes an analysis, or for example indicators or advice. Doing this allows people to reach out to one another because they know they can help on a specific topic, and this results in a better common understanding of the topic at hand. It is really no shame to admit that someone else just knows more about a certain topic than you, and if you prove you can handle information without risking each other's positions, that is a perfect start for a working relationship.
Preventing misuse of the information shared is impossible; the only thing we can rely on is trust within a group, and the repercussions of abusing that trust. In the case of the recent events I can only conclude that it is going to take a long time before Microsoft has regained the trust of the rest of the industry, and it is unfortunate that a few bad apples have now ruined it for everyone else.
Apart from trust there is one more thing, and that is due diligence; there is no other explanation than Microsoft not having done any due diligence in their actions and in the verification of data and sources in this case. They wanted a quick win, and they might have gotten it, but in the process they sacrificed a lot. The advice is: check where the data is coming from, check it with your sources, and get confirmation that you can use it. Do not proceed until you are sure everyone has agreed and everything has been verified as far as can reasonably be expected of you. Listing and seizing sinkholes and legitimate domains should be limited to a few, not dozens as was the case here.
The good thing to note is that information sharing has not completely stopped; people are still exchanging information, but for how long… and what are they not sharing? Only time will tell how this setback will affect us all in the long run.
Michael Sandee, Principal Security Expert at Fox-IT