Microsoft takes botnet threat intelligence program to the cloud; provides near real-time data

Protecting people is at the forefront of the Microsoft Digital Crimes Unit’s fight against cybercrime. When we launched the Project MARS (Microsoft Active Response for Security) program in 2010 to proactively combat botnets, we knew that cleaning the malware-infected computers of people around the world was just as important as disrupting the threats. We have been actively sharing information from our botnet operations with Internet Service Providers (ISPs) and Computer Emergency Response Teams (CERTs) worldwide since the beginning of this effort. By tapping into Microsoft’s vast cloud resources, however, we are now able to share that information on known botnet malware infections with ISPs and CERTs in near real time. The new Windows Azure-based Cyber Threat Intelligence Program (C-TIP) will allow these organizations to have better situational awareness of cyber threats, and more quickly and efficiently notify people of potential security issues with their computers.

Cybercrime is a global phenomenon and malicious software poses grave risks to computer owners, businesses and users of the Internet in general. Among the risks: bank fraud, identity theft, attacks on critical infrastructure, denial-of-service attacks, intellectual property theft and much more. All too often, computer owners, especially those who may not be using up-to-date, legitimate software and anti-malware protection, unwittingly fall victim to cybercriminals who use malicious software to secretly enlist their computers into an army of infected machines known as a botnet, which can then be used for a wide variety of attacks online. Beyond C-TIP and Project MARS, Microsoft has invested in a broad range of technologies and tools to help protect customers from these threats (such as the Malicious Software Removal Tool, Windows Update, Microsoft Update, Microsoft Security Essentials and more). This new cloud-based capability for C-TIP, however, takes those efforts to a new level.

On Friday, Microsoft’s Orlando Ayala joined with the Secretary of State of Telecommunications and Information Society of Spain, Víctor Calvo-Sotelo, to announce an agreement for the Spanish CERT, INTECO, to become one of the first organizations to receive data from the C-TIP cloud service. The Spanish CERT joins the Luxembourg CERTs, CIRCL and govCERT, as an early adopter of this program, which allows ISPs and CERTs to receive updated threat data on infected computers in their specific country or network approximately every 30 seconds. All the information is uploaded directly to each organization’s private cloud through Windows Azure. Participation in this system gives these organizations almost instant access to threat data generated from previous as well as future MARS operations.

This is an evolution from the original Cyber Threat Intelligence Program that Microsoft developed three years ago, when we began sending regular emails to participating ISPs and CERTs with threat intelligence for their customers and regions. In our botnet disruption operations, when Microsoft seizes the command and control infrastructure of a botnet, we sever the connection between the cybercriminals running the botnet and the computers they infected with its malware. Those infected computers do not know the infrastructure has changed hands: they continue to try to check in to the command and control addresses for instructions until they are cleaned of the malware, and each attempt is now received and logged by Microsoft instead of the criminals. Every day our system receives hundreds of millions of attempted check-ins from computers infected with malware such as Conficker, Waledac, Rustock, Kelihos, Zeus, Nitol and Bamital. Because every check-in carries the source address of the infected machine, this data can be sorted by the network or country it came from and used by ISPs and CERTs to notify victims and help them regain control of their computers. Currently, 44 organizations in 38 countries receive these threat intelligence emails and momentum is building for the newer, more advanced cloud-based program. In addition to the Spanish and Luxembourg CERTs, a number of others have also either signed up for the new cloud service or begun the process of signing up. We are thrilled to work with these organizations, and with other interested governments or CERTs around the world, on important efforts like this to help protect people, businesses and critical infrastructure.
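The two preceding paragraphs describe the mechanism without showing it: check-ins arrive at the seized infrastructure, and each subscriber must receive only the records for its own network or country, in batches of roughly 30 seconds. The following is an added illustration of that routing step, written for this page; it is not Microsoft's C-TIP code and nothing about the real service's formats is known from the post. The check-in records, the subscriber names and the netblocks are constructed (RFC 5737 documentation prefixes), and routing is done by longest-prefix match on subscriber CIDRs, which is an assumption about how a network- or country-scoped feed would be expressed. Repeated check-ins from the same host within a window are collapsed to one entry with a count, so a recipient sees one infected machine rather than hundreds of connection attempts.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sinkhole check-in records: one line per connection attempt from an
# infected host to the seized command and control address.
# Fields: UTC timestamp, source IP, malware family inferred from the protocol spoken.
SAMPLE_CHECKINS = [
    ("2013-05-10T12:00:01Z", "203.0.113.17", "Conficker"),
    ("2013-05-10T12:00:04Z", "203.0.113.17", "Conficker"),
    ("2013-05-10T12:00:07Z", "203.0.113.200", "Zeus"),
    ("2013-05-10T12:00:09Z", "198.51.100.5", "Kelihos"),
    ("2013-05-10T12:00:15Z", "192.0.2.44", "Rustock"),
    ("2013-05-10T12:00:40Z", "203.0.113.17", "Conficker"),
]

# Constructed subscriber table (hypothetical names and prefixes): each organization
# is entitled only to records from address space it is responsible for.
SUBSCRIBERS = {
    "ISP-A": ["203.0.113.0/24"],
    "ISP-A-Customer": ["203.0.113.128/25"],  # delegated block, more specific than ISP-A
    "CERT-B": ["198.51.100.0/24"],
}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp such as '2013-05-10T12:00:01Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def window_start(ts, window_seconds=30):
    """Floor a timestamp to the start of its delivery window (default 30 s)."""
    epoch = int(parse_ts(ts).timestamp())
    start = datetime.fromtimestamp(epoch - epoch % window_seconds, tz=timezone.utc)
    return start.strftime("%Y-%m-%dT%H:%M:%SZ")


def compile_routes(subscribers):
    """Flatten the subscriber table into (network, org) pairs, most specific first,
    so a delegated /25 wins over the parent /24 that contains it."""
    routes = []
    for org, prefixes in subscribers.items():
        for prefix in prefixes:
            routes.append((ipaddress.ip_network(prefix, strict=True), org))
    routes.sort(key=lambda route: route[0].prefixlen, reverse=True)
    return routes


def route_ip(ip, routes):
    """Return the subscriber responsible for ip, or None if nobody subscribes to it."""
    addr = ipaddress.ip_address(ip)
    for net, org in routes:
        if addr.version == net.version and addr in net:
            return org
    return None


def build_feeds(checkins, subscribers, window_seconds=30):
    """Group check-ins into per-window, per-subscriber feeds.

    Returns {window_start: {org: {(ip, family): count}}}. Check-ins from address
    space with no subscriber are kept under org None so they are not lost, but
    nothing is delivered for them.
    """
    routes = compile_routes(subscribers)
    feeds = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for ts, ip, family in checkins:
        org = route_ip(ip, routes)
        feeds[window_start(ts, window_seconds)][org][(ip, family)] += 1
    return {w: {org: dict(entries) for org, entries in orgs.items()} for w, orgs in feeds.items()}


if __name__ == "__main__":
    for window, orgs in sorted(build_feeds(SAMPLE_CHECKINS, SUBSCRIBERS).items()):
        for org, entries in orgs.items():
            for (ip, family), count in entries.items():
                print(f"{window} {org or 'UNROUTED'} {ip} {family} x{count}")
```

Two details matter for a feed like this in practice. Longest-prefix matching is what keeps a record from being delivered twice when an ISP and one of its downstream customers both subscribe, and the unrouted bucket is worth keeping because it measures how much of the sinkhole's view nobody has yet signed up to receive.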

While our clean-up efforts to date have been quite successful, this expedited form of information sharing should dramatically increase our ability to clean computers and help us keep up with the fast-paced and ever-changing cybercrime landscape. It also gives us another advantage: cybercriminals rely on large numbers of infected computers to scale their crimes, and if we take those resources away from them, they have to spend time and money finding new victims, which makes these criminal enterprises less lucrative and less appealing in the first place.

ISPs, CERTs and the security community in general have played a vital role in our proactive fight against cybercrime to date. We look forward to continuing our partnerships with these organizations in order to make life more difficult for the cybercriminals and protect innocent people around the world. For updates on Microsoft’s ongoing work to combat digital crime, follow the Digital Crimes Unit on Facebook and Twitter.

Editor’s Note: This post was originally published on the Microsoft on Safety and Defense Blog.

About the Author

Director of Security, Microsoft Digital Crimes Unit