Microsoft Digital Crimes Unit

Microsoft Digital Crimes Unit
Abbreviation: DCU
Purpose: An international legal and technical team of attorneys, investigators, and forensic analysts, with expertise across the areas of malware, botnets, IP crimes, and technology-facilitated child exploitation
Headquarters: Microsoft Redmond Campus
Coordinates: 47°38′23″N 122°7′42″W (47.63972, -122.12833)
Region served: Worldwide
Parent organization: Microsoft

The Microsoft Digital Crimes Unit (DCU) is a Microsoft-sponsored team of international legal and internet-security experts that uses current tools and technologies to stop or disrupt cybercrime and cyber threats. The DCU was assembled in 2008, and in 2013 a Cybercrime Center for the unit was opened in Redmond, Washington. [1] About 100 members of the DCU are stationed in Redmond alone, at the original Cybercrime Center; they include lawyers, data scientists, investigators, forensic analysts, and engineers. [1] The DCU also has international offices in major cities including Beijing, Berlin, Bogotá, Delhi, Dublin, Hong Kong, Sydney, and Washington, D.C. [2] Its main focuses are child protection, copyright infringement, and malware crimes. [1] [2] Because the DCU is a private entity, it works closely with law enforcement: it can obtain civil court orders to seize botnet infrastructure, but it relies on police and prosecutors to bring the perpetrators to justice under criminal law. The DCU has taken down several major botnets, including Citadel, Rustock, and Zeus. Malware is estimated to have cost users around the world about $113 billion, and the DCU's job is to shut such operations down within the bounds of the law. [1]


Areas of emphasis

There are three areas on which the DCU concentrates: [3]

Trespass to chattels

Trespass to chattels is the common-law doctrine the Microsoft Digital Crimes Unit most often relies on when it goes to court against the operators of a botnet. "Chattel" is an old legal term for movable personal property, meaning any property that is not land; the word is related to "cattle", once the most valuable movable property an owner had. When spam or malware is pushed onto a user's computer or network without consent, the DCU's position is that the operator has trespassed on the user's chattel, because the operator is responsible for the unwanted code that is running on, and interfering with, that property. Trespass to chattels is a civil claim rather than a criminal charge: the DCU's legal team uses this centuries-old doctrine, alongside modern statutes such as the CAN-SPAM Act, the Computer Fraud and Abuse Act and trademark law, to obtain court orders (frequently granted ex parte, so the operators receive no warning) that allow Microsoft to seize or redirect the botnet's command-and-control servers and domains. Criminal prosecution of the operators themselves remains the job of law enforcement. [1]

The Botnet

A botnet is a network of compromised computers ("zombies") that are controlled by an attacker without their owners' knowledge. Botnets are usually used for repetitive tasks such as sending spam, but they are also used to distribute malware and to mount distributed denial-of-service (DDoS) attacks; a botnet may be run by a single criminal or by a criminal network. [4] The Microsoft Digital Crimes Unit constantly hunts botnets used for these purposes and has dealt with botnets built for spamming, keylogging, and holding data to ransom; it has taken down botnets including Citadel, Rustock, and Zeus. Locating new botnet threats and taking them down is an everyday fight for the DCU. [5]

Takedown of the Rustock Botnet

In March 2011 (the operation became public on March 18), the Microsoft Digital Crimes Unit took down the Rustock botnet. Rustock had controlled over 1 million computers and was responsible for over half of the spam sent to users worldwide; its spam carried malware attachments and phishing lures. Working with the U.S. Marshals Service, Microsoft obtained court orders to seize the identified command-and-control servers hosted in the United States and to analyse them. The DCU and the marshals seized servers at hosting facilities in Chicago, Columbus, Dallas, Denver, Kansas City, Scranton, and Seattle. Once the servers were seized and taken offline, global spam volume fell sharply, and the Rustock botnet has not sent spam since. [6] [7]

Takedown of the Zeus Botnet

On March 25, 2012, the Microsoft Digital Crimes Unit disrupted botnets built on the Zeus malware in an investigation known as Operation b71. Zeus botnets are held responsible for stealing more than $100 million, with over 13 million computers infected. The malware reached victims bundled with pirated versions of Windows or hidden inside online downloads. Once installed, Zeus waits for the user to open a web browser and visit a banking or online-shopping site, then alters the page inside the browser (a man-in-the-browser attack) to present a look-alike page, or an extra field, asking for login details. The captured credentials are sent to a Zeus server, from which the criminals can access the user's accounts. Accompanied by U.S. Marshals, the DCU seized command-and-control servers at two hosting facilities, in Scranton, Pennsylvania and Lombard, Illinois, and used the stolen data retrieved from those servers as evidence in its civil case against 39 as-yet-unidentified "John Doe" defendants. The disruption did not end Zeus: its source code has been sold on the black market (and was leaked publicly in 2011), and variants such as Citadel and many others have been built from it, so the Zeus code base is still active and continues to evolve. [8]
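As an added illustration of the man-in-the-browser form injection described above (example code written for this article, not code from Microsoft, the DCU or the Zeus kit), the Node.js script below parses an injection rule written in the widely documented Zeus "webinject" configuration syntax (set_url / data_before / data_inject / data_after / data_end, which this page does not itself describe), applies it to a constructed bank login page, and then runs the kind of page-integrity check a bank's own client-side script could use to notice an injected field. The page HTML, the rule, the URL and the expected-field list are all constructed for the example; the rule semantics modelled here (the text between the data_before and data_after markers is replaced by data_inject when the URL matches set_url) follow the common description of that format and are an assumption of the example.

```javascript
// Added example (not code from Microsoft, the DCU or the Zeus kit): emulate a
// Zeus-style "webinject" man-in-the-browser form injection against a constructed
// bank login page, then run a page-integrity check that spots the injected field.

// Constructed sample: the login page the bank actually serves.
const ORIGINAL_PAGE = `<html><body>
<form id="login" action="/auth" method="post">
<input name="user" type="text">
<input name="pass" type="password">
<input type="submit" value="Sign in">
</form>
</body></html>`;

// Constructed injection rule in the widely documented Zeus webinject syntax
// (assumed here; the page does not show it). Semantics as modelled in this
// example: when the URL matches set_url, the text between the data_before and
// data_after markers is replaced by data_inject.
const WEBINJECT_RULE = `set_url https://bank.example/login* GP
data_before
<input name="pass" type="password">
data_end
data_inject
<input name="pin" type="password" placeholder="ATM PIN">
data_end
data_after
<input type="submit"
data_end`;

// Fields the bank's page-integrity script expects in its own login form.
const EXPECTED_FIELDS = ['user', 'pass'];

// Parse one rule into { urlPattern, flags, before, inject, after }.
function parseWebinject(text) {
  const rule = { urlPattern: null, flags: '', before: '', inject: '', after: '' };
  let section = null;
  let buf = [];
  for (const line of text.split('\n')) {
    const t = line.trim();
    if (t.startsWith('set_url ')) {
      const parts = t.split(/\s+/);
      rule.urlPattern = parts[1];
      rule.flags = parts[2] || '';
    } else if (t === 'data_before' || t === 'data_inject' || t === 'data_after') {
      section = t.slice('data_'.length); // "before" | "inject" | "after"
      buf = [];
    } else if (t === 'data_end' && section !== null) {
      rule[section] = buf.join('\n');
      section = null;
    } else if (section !== null) {
      buf.push(line);
    }
  }
  return rule;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// set_url uses '*' as a wildcard; everything else is literal.
function urlMatches(pattern, url) {
  const re = new RegExp('^' + pattern.split('*').map(escapeRegExp).join('.*') + '$');
  return re.test(url);
}

// Returns the page the victim's browser would render. The server's HTML is
// untouched: the rewrite happens on the client, after TLS, so HTTPS alone
// does not protect the bank's customers.
function applyWebinject(rule, url, html) {
  if (!urlMatches(rule.urlPattern, url)) return html;
  const start = html.indexOf(rule.before);
  if (start < 0) return html;
  const injectAt = start + rule.before.length;
  const end = html.indexOf(rule.after, injectAt);
  if (end < 0) return html;
  return html.slice(0, injectAt) + '\n' + rule.inject + '\n' + html.slice(end);
}

// Names of all <input> elements that carry a name attribute, in page order.
function formFieldNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Integrity check: any field the bank did not put on the page is suspicious.
function unexpectedFields(html, expected) {
  const allowed = new Set(expected);
  return formFieldNames(html).filter((n) => !allowed.has(n));
}

// Run the injection for one URL and report what the detector sees.
function demo(url) {
  const rule = parseWebinject(WEBINJECT_RULE);
  const rendered = applyWebinject(rule, url, ORIGINAL_PAGE);
  return { rendered, extra: unexpectedFields(rendered, EXPECTED_FIELDS) };
}

// Stand-alone run: print the rewritten page and the detector's verdict.
const demoResult = demo('https://bank.example/login?session=abc');
console.log(demoResult.rendered);
console.log('unexpected fields:', demoResult.extra); // [ 'pin' ]
```

The point of the detector half is that a webinject leaves the server's response untouched and rewrites only what the browser renders, so server-side checks and TLS never see it; a client-side script that compares the live form against the fields the bank actually shipped is one of the few places the extra "PIN" field becomes visible.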

Takedown of the Citadel Botnet

On June 6, 2013, the Microsoft Digital Crimes Unit, working with the FBI, disrupted roughly 1,000 Citadel botnets and their command-and-control servers. Citadel had infected an estimated 5 million computers and used keystroke logging to steal credentials; it is held responsible for stealing at least $500 million from personal online bank accounts in over 80 countries. Victims included customers of American Express, Bank of America, PayPal, HSBC, Royal Bank of Canada and Wells Fargo. The Citadel code was derived from the Zeus cybercrime kit, whose code is sold on the black market as a starter kit for thousands of dollars. The creators of Citadel had not been identified, so the DCU brought its civil case against unnamed defendants. The DCU has since helped infected users update their systems and remove the malware, which can remain on a computer, dormant, even after its command servers have been cut off. [9]

Actions against the ZeroAccess botnet

On December 5, 2013, the Microsoft Digital Crimes Unit, together with the FBI, Europol and other industry partners, moved to disrupt the ZeroAccess botnet, which was used for click fraud and reportedly earned its operators about $2.7 million a month. [10] [11] Although the action took down 18 hosts that formed part of the ZeroAccess command-and-control network, the botnet's peer-to-peer design lets infected machines keep coordinating without those hosts, and ZeroAccess remained active. [11]


References

  1. "Inside Microsoft's Digital Crimes Unit". Small Business Trends. 19 April 2015. Retrieved 2018-10-22.
  2. "Microsoft Launches Cybercrime Center". InformationWeek. Retrieved 2018-10-22.
  3. "Microsoft Digital Crimes Unit". Microsoft, Redmond, WA. Retrieved 2013-11-15.
  4. Lerner, Zach (Fall 2014). "Microsoft The Botnet Hunter: The Role of Public-Private Partnerships in Mitigating Botnets" (PDF). Harvard Journal of Law & Technology 28: 237–261.
  5. Greene, Tim. "Inside Microsoft botnet takedowns". Network World. Retrieved 2018-10-22.
  6. Wilson, Dean (18 March 2011). "Microsoft was behind the Rustock botnet takedown". The Inquirer. Archived from the original on 21 March 2011. Retrieved 2018-10-22.
  7. Raywood, Dan (18 March 2011). "Microsoft confirms takedown of Rustock botnet". SC Media. Retrieved 2018-10-22.
  8. "The long arm of Microsoft tries taking down Zeus botnets". CNET. 25 March 2012. Retrieved 2018-10-22.
  9. "FBI and Microsoft hit theft botnet". BBC News. 6 June 2013. Retrieved 2018-10-22.
  10. Stewart, Christopher S.; Marr, Merissa (5 December 2013). "Microsoft Takes Action Against Alleged Ad-Fraud 'Botnet' ZeroAccess". The Wall Street Journal. Retrieved 2013-12-07.
  11. Gallagher, Sean (6 December 2013). "Microsoft disrupts botnet that generated $2.7M per month for operators; Update: researchers say not all C&C servers seized, and P2P makes takedown moot". Ars Technica. Retrieved 2013-12-07.