A red glow spread across a map of the world displayed on a wall-sized monitor in the Microsoft Cybercrime Center.
Within seconds, specialized analytics developed by Microsoft processed millions of individual pieces of data. The analysis revealed the infection rate was more than twice what had been anticipated, with a million more infections lurking just under the surface.
Visualizing the data this way confirmed what Microsoft malware analysts and cybercrime investigators had long suspected. After years of monitoring a commonly used “botnet-in-the-box” that cybercriminals can purchase and download online, they could see that the Win32/Dorkbot malware had evolved into a much more sophisticated threat: it now served as a major conduit for spreading some of the most invasive malware on the Internet, malware capable of quietly stealing large volumes of personal and financial information from millions of unsuspecting victims.
“We determined that there were 100,000 new infections of this new more virulent version of the Dorkbot malware every month,” said Tanmay Ganacharya, principal research manager of Microsoft’s Malware Protection Center (MMPC).
“That rate of infection posed a real threat to customers,” said Richard Boscovich, assistant general counsel with Microsoft’s Digital Crimes Unit (DCU). “So we quickly notified the authorities who began working on disrupting this malicious software based on the analysis we provided.”
As a result, law enforcement agencies from around the world took action earlier this month to stop the spread of the Dorkbot malware in its tracks. The FBI, INTERPOL, Europol and a number of national Computer Emergency Response Teams coordinated to physically seize and sever the command and control servers used by cybercriminals to infect and spread malware onto millions of devices around the world.
Instant insight from an avalanche of data
After the seizure, traffic from hundreds of domains previously controlled by the cybercriminals was redirected to a “sinkhole”: a secure server maintained by Microsoft that receives the connections infected machines would otherwise have made to the criminals’ command and control servers. Microsoft began analyzing that traffic as part of the Microsoft Cyber Threat Intelligence Program (C-TIP).
By analyzing the data, Microsoft is able to notify consumers and enterprises about infected devices, help them remove the malware from those devices, and glean more information to carry the investigation forward.
The data has already exposed important information about how criminals have been using the Dorkbot malware to direct infected computers to share stolen information, request instructions for new criminal activity, and download additional malware to commit new crimes.
“Once a device is infected, the malware literally communicates with the criminals who put it there and awaits instructions on whatever criminal activity they want it to do,” said Boscovich. “When you consider that millions of machines are infected, the number of pings back and forth between these infected devices and the servers giving them directions is staggering. We’re talking sometimes billions of pings per day.”
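The two paragraphs above describe what a sinkhole actually yields: a stream of beacons from infected machines that has to be turned into victim counts, infection-rate estimates and notification lists for CERTs and ISPs. The following is an added example of that processing and is not Microsoft’s C-TIP tooling; the log format, the hostnames, the addresses and the dates are all constructed for the example, and grouping by a fixed /24 prefix stands in for the ASN or WHOIS lookup a real program would use to find the responsible operator.

```python
"""Aggregate constructed sinkhole logs into the numbers a botnet takedown
needs: beacon volume, unique sources, new sources per day, and per-network
notification lists. Example code added for this article; not Microsoft's
C-TIP tooling. Log format and sample data are assumed/constructed."""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed sample: one line per beacon the sinkhole received after the
# seized domains were pointed at it. Format (assumed, not C-TIP's):
#   <ISO timestamp> <client IP> <Host header> <method> <request path>
SINKHOLE_LOG = """\
2015-12-03T00:01:10Z 203.0.113.7 badhost1.example GET /gate.php?id=A1
2015-12-03T00:01:11Z 203.0.113.7 badhost1.example GET /gate.php?id=A1
2015-12-03T00:02:30Z 198.51.100.20 badhost2.example GET /gate.php?id=B7
2015-12-03T04:15:00Z 203.0.113.8 badhost1.example GET /gate.php?id=C3
this line is garbage and should be skipped
2015-12-04T01:00:00Z 203.0.113.7 badhost1.example GET /gate.php?id=A1
2015-12-04T02:00:00Z 192.0.2.99 badhost2.example GET /gate.php?id=D9
2015-12-04T03:00:00Z 198.51.100.21 badhost1.example GET /gate.php?id=E2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<ip>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$"
)


def parse_line(line):
    """Return one beacon record, or None for lines that are not well-formed.

    Sinkholes receive whatever the Internet throws at them, so a parser that
    raises on junk input will stall the whole pipeline; skip instead.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"ts": ts, "ip": ip, "host": m["host"], "path": m["path"]}


def summarize(log_text):
    """Turn raw beacons into the figures investigators report.

    Everything is keyed by *source IP*, not by device: many devices share one
    NAT address and consumer addresses churn with DHCP, so unique IPs are a
    floor on the victim count, not an exact number of infected machines.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    day = lambda r: r["ts"].date().isoformat()
    ips_per_day = defaultdict(set)
    for r in records:
        ips_per_day[day(r)].add(r["ip"])
    # First-seen date per IP gives the "new infections per day" trend.
    first_seen = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        first_seen.setdefault(r["ip"], day(r))
    return {
        "total_beacons": len(records),
        "unique_ips": len(first_seen),
        "beacons_per_day": dict(Counter(day(r) for r in records)),
        "unique_ips_per_day": {d: len(s) for d, s in ips_per_day.items()},
        "new_ips_per_day": dict(Counter(first_seen.values())),
        "beacons_per_host": dict(Counter(r["host"] for r in records)),
    }


def notification_batches(log_text, prefix_len=24):
    """Group infected IPs by network prefix for hand-off to the operator.

    A real program maps each IP to the responsible ISP or national CERT via
    ASN/WHOIS data; a fixed prefix length is an offline stand-in (assumption).
    """
    batches = defaultdict(set)
    for line in log_text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        net = ipaddress.ip_network(f"{r['ip']}/{prefix_len}", strict=False)
        batches[str(net)].add(str(r["ip"]))
    return {net: sorted(ips) for net, ips in sorted(batches.items())}


if __name__ == "__main__":
    for key, value in summarize(SINKHOLE_LOG).items():
        print(f"{key}: {value}")
    for net, ips in notification_batches(SINKHOLE_LOG).items():
        print(f"notify operator of {net}: {', '.join(ips)}")
```

The `new_ips_per_day` series is what an estimate like “100,000 new infections a month” is built from; because it is derived from first-seen addresses, a large NAT gateway appears as a single victim on its first day and never again, which is why the count is a lower bound and why notification is routed to the network operator rather than to an assumed end user.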
One of the greatest challenges an operation like this presents is similar to the challenge facing many organizations: estimating the computing power and storage that will be required. That’s why Microsoft Azure, and its ability to scale so it can handle all incoming data, is central to the success of botnet disruptions. Without that ability, critical data resulting from the operation would take days to process and analyze or worse – the hardware could overload and crash – leaving investigators in the dark until more servers could be brought online. When every second counts, provisioning new servers manually is a time consuming task that delays gathering crucial information.
“We have a calculated estimate at the beginning of an operation about how much malware data we’ll receive about the infected devices. But it is only an estimate,” said Mike Wallulis, a Microsoft C+E cloud and machine learning expert embedded at DCU. “This is why Azure is so critical to be able to quickly and dynamically scale to the quantity that we receive.”
As DCU began to receive the traffic in its sinkhole, automated tools analyzed the data and visualized it as maps and graphs. Years ago, it took days after an operation to determine the true extent of a threat. Microsoft’s data analytics tools now give investigators and law enforcement a near real-time snapshot of the malware’s infectious reach.
The strength of these tools lies in instant insight. Using this data analytics technology and services including the Microsoft Azure IoT Suite, Power BI, Azure Event Hubs and Azure HDInsight, the company was able to turn the insight into instant action.
Turning the tables to fortify Microsoft’s Cloud
Dorkbot is the latest botnet added to Microsoft’s C-TIP database, which receives billions of data entries per day. This data is fed back into Microsoft’s cloud services so that enterprise customers can protect their systems from known malware infections.
With Azure Active Directory Premium, an organization’s IT administrator can tap into this information and receive an alert when an infected device attempts to connect to the network. The administrator can easily identify the infection, clean the device, and prevent a network-wide compromise.
“The median amount of time before a company even becomes aware that they’ve been attacked is 200+ days,” said Wallulis. “With Azure Active Directory Premium, businesses control the access of devices flagged by Microsoft C-TIP database as infected, preventing their systems from a much wider compromise and increasing hygiene as they go.”
Microsoft also shares its infection data with CERTs and ISPs around the globe. They in turn identify and contact customers to help remove the malware.
“We work with law enforcement to free people’s devices from the grip of criminals and help get their devices clean,” said Boscovich. “Our goal is to use this malware data to create a safer digital experience for every person and every organization on the planet.”