With Microsoft’s successful use of federal law and courts to shut down botnets, most recently Nitol, the legal system is emerging as an effective tool for cybersecurity.
Microsoft this week got a temporary restraining order against alleged operators of a botnet, allowing the software company to take over the malicious domain and block the Nitol botnet and nearly 70,000 other subdomains.
The case is interesting for a number of reasons, not least of which is that Nitol was discovered by Microsoft’s Digital Crimes Unit to be preinstalled on a computer bought in China, along with several other types of malware that had been incorporated into counterfeit copies of Windows XP and Windows 7.
Nitol was actively running and attempting to connect with a command and control server, allowing researchers to study it and its operators. Microsoft found that the United States has the second largest number of C&C servers (behind China), located primarily in California, Texas, Georgia and Pennsylvania.
But to my mind, the most interesting part of the story is Microsoft’s continued and successful use of the courts as a cybersecurity tool. The company’s Project MARS (Microsoft Active Response for Security) goes after threats to its customers with lawsuits to shut down the malicious nets. The Nitol bust is its second botnet takedown in six months.
On Sept. 10 the U.S. District Court for the Eastern District of Virginia granted Microsoft’s request for a temporary restraining order against Nitol’s operators, allowing the company to host the 3322.org domain, which hosts the majority of the C&C servers on a new domain name system. This will let Microsoft block malicious traffic while letting legitimate subdomains operate without interruption. Microsoft also is seeking preliminary and permanent injunctions.
Federal computer security law often is criticized as out of date with the current cyber threat environment, and cybersecurity legislation that would amend it has gone nowhere in Congress. But Microsoft has successfully used the existing Computer Fraud and Abuse Act, Common Law Trespass and other criminal statutes to take action against the roots of malicious networks.
In March, the company, along with the U.S. Marshals Service, took down several botnets using variants of the Zeus malware. A year earlier, Microsoft led the takedown of the massive Rustock botnet, which had infected more than a million computers worldwide, later turning the case over to the FBI.
Botnets have not disappeared, of course, and are not likely to disappear any time soon. And computer crime laws (and cybersecurity requirements) need to be updated. But Project MARS shows that court action through existing laws can be a potent cybersecurity tool against malicious networks that cross national borders.