Thoughts on the Microsoft's "Operation b71" (Zeus botnet civil legal action)

28 Mar 2012 David Dittrich botnet ethics legal takedown

On Sunday, March 25, Microsoft announced that for the fourth time, they had gone to a federal court and successfully obtained an ex parte temporary restraining order (TRO) to seize domain names from botnet operators. For the second time, the court has also ordered U.S. Marshals to accompany Microsoft and others to serve search warrants and seize evidence that can be used in future civil or criminal actions. Critics of earlier such actions who decried them as “vigilantism”, said this was an incomplete takedown of the entire population of Zeus botnets, or had little impact on delivery of spam after a takedown, do not understand some subtle points about these actions. And they fail to learn some lessons from them.

  • Going to court filing a civil action is more effective than any other means in getting third parties who may otherwise be reluctant to cooperate in removing DNS entries or imaging hard drives on a server used as instrument of crime to do so. It is one thing to deny a request from someone who says they are a victim of crime, or who is acting on behalf of victims of crime, but saying “no” to an order from a federal court means you risk having to appear in that court to defend your refusal.

  • Using civil legal process is not “vigilantism,” nor does it preempts or preclude criminal prosecution. Civil process and criminal process are two of several legal tracks in the United States Justice system, and they can operate side-by-side and in parallel. What is more, effective collection of evidence in a civil action allows providing that evidence to law enforcement to also pursue criminal investigations. When a less rigorous job is done of collecting and preserving evidence in a botnet takedown operation run – by private individuals who are not skilled at forensics and preservation of digital evidence, or businesses who are trying to simply gain market awareness to increase sales – such “quick and dirty” take down operations may serve to primarily benefit the entity doing the take down, but may not serve the interest of assisting in seeking justice, or may themselves be the actions that preempt or even disrupt criminal investigations, making it harder for justice to be obtained. If the stated reason is to help bring criminals to justice, the actions taken had better demonstrate and support that objective, and in this case the Microsoft DCU actions do just that.

  • While it may be possible to sinkhole a botnet using only technical means, fall-back domain names that still exist in malware that is available in public repositories for anyone to get can potentially be used to (re)constitute a botnet. Using civil process to disrupt botnet command and control by removing domain names, combined with technical sinkholing operations, ensures that no avenues exist for current or newly infected computers to get back into control by malicious actors.

  • The act of writing up a complaint, backing it up with declarations in support of the plaintiff’s motions, and having a federal judge review and grant plaintiff’s motions is a very clear, very thorough, and very public justification for taking bold action. Through this process the plaintiff describes who is being harmed, how they are being harmed, what can be done to stop the harm, and why the court should grant the plaintiff’s motions. If this were a federally funded research study on developing a treatment for a disease, it is this level of detail that must be provided in order to get approval from ethics review boards. If we require such justification of doctors doing risky medical research that can harm us, why should we not have to similarly justify risky actions we take to resolve infected computers? This is the kind of standard that is warranted in order to show defensible justification for taking risky and aggressive action, before such action is initiated.

While the actions that Microsoft has taken in using civil legal process are expensive, that does not mean Microsoft is the only entity who can do this. The computer security industry and computer security researchers often do a very poor job of explaining these same points about victims, harms, intended benefits, etc., in similar plain language that a judge, not just a computer scientist, can understand. The computer security industry and researchers have a lot to learn from the example provided in the documents filed by Microsoft and other plaintiffs with the courts. One of the hurdles is learning how to analyze the ethics of a specific case and writing an ethical justification, but we are all capable of learning from examples. [Full disclosure: I provided declarations to the court in support of two of Microsoft’s previous actions against Waledac and Rustock botnets, and previously did the same for the Federal Trade Commission.] Some have told me I am setting a high bar by suggesting this should be a standard. Yes, it is a high bar that means some hard work must be done. But if we as a community acting on behalf of protecting the public are going to “get aggressive” and “go on the offensive,” I don’t believe it is acceptable to say, “That’s too hard. We’re going forward with taking risks anyway, because we can and because we want to.” If we aren’t smart enough and capable enough of meeting this standard, we should find another field that does not involve the same risks. The court documents for the Zeus action can all be found at See also: Microsoft Joins Financial Services Industry to Disrupt Massive Zeus Cybercrime Operation That Fuels Worldwide Fraud and Identity Theft, Microsoft News Press Release Gary Warner’s blog about Operation b71 Microsoft Raids Tackle Internet Crime, New York Times article The long arm of Microsoft tries taking down Zeus botnets Video explaining Operation b71 Microsoft Leads Zeus Takedown: Collaborative Effort Targets Zeus Malware Botnets