Microsoft Conducts More Raids to Stop Criminals Behind Botnets

April 6, 2012

An article in the New York Times outlines the latest counterattack by Microsoft and law enforcement agencies as they work to shut down what the article calls “one of the most pernicious forms of online crime today — botnets, or groups of computers that help harvest bank account passwords and other personal information from millions of other computers.”

Congratulations to Microsoft for their dedication to helping all internet users have a safer, more trusted experience.

As this raid highlights, the often heard desire to blame some rogue country for facilitating online crime, or at least to blame an underdeveloped country for failing to maintain proper oversight of their internet traffic, is unwarranted. This week’s sweep targeted command and control servers in Scranton, Pennsylvania and Lombard, Illinois. How banal is that?

Heading up the initiative from Microsoft was Richard Domingues Boscovich, senior attorney in Microsoft’s Digital Crimes Unit. Here are excerpts from the company’s official blog:

“As you may have read, after a months-long investigation, successful pleading before the US District Court for the Eastern District of New York and a coordinated seizure of command and control servers in Scranton, Pennsylvania and Lombard, Illinois, some of the worst known Zeus botnets were disrupted by Microsoft and our partners worldwide.

Valuable evidence and intelligence gained in the operation will be used both to help rescue peoples’ computers from the control of Zeus, as well as in an ongoing effort to undermine the cybercriminal organization and help identify those responsible.

Cybercriminals have built hundreds of botnets using variants of Zeus malware. For this action – codenamed Operation b71 – we focused on botnets using Zeus, SpyEye and Ice-IX variants of the Zeus family of malware, known to cause the most public harm and which experts believe are responsible for nearly half a billion dollars in damages. Due to the unique complexity of these particular targets, unlike our prior botnet takedown operations, the goal here was not the permanent shutdown of all impacted targets. Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organization that relies on these botnets for illicit gain.”

“This is the fourth high-profile takedown operation in Microsoft’s Project MARS (Microsoft Active Response for Security) initiative – a joint effort between DCU, Microsoft Malware Protection Center (MMPC), Microsoft Support and the Trustworthy Computing team to disrupt botnets and begin to undo the damage they cause by helping victims regain control of their infected computers. As with our prior takedowns, Microsoft will use intelligence gained from this operation to partner with Internet service providers (ISPs) and Community Emergency Response Teams (CERTs) around the world to work to rescue peoples’ computers from Zeus’ control. This intelligence will help quickly reduce the size of the threat that each of these botnets pose, and make the Internet safer for consumers and businesses worldwide.”

You play a role in online security

Are you contributing to the botnet problem? If any of the following statements sound familiar, you are a botnet risk.

  • Your anti-virus and anti-malware tools haven’t been updated since you bought your computer.
  • You’ve ignored those pesky popups telling you that your computer, browser, or programs need updating to get the latest security fixes installed.
  • You love chain emails, and answering surveys and quizzes.
  • You respond to spammers asking them to stop spamming you.
  • You trust links you come across in emails, Twitter & Facebook and in online ads.
  • You don’t know a phish from a fish, a worm from a grub, or what a botnet is.

4 simple steps can make all the difference in your level of security protection – and in the protection of the whole internet

  1. Start by ensuring your computers are up-to-date with all available patches, fixes, and upgrades.
  2. Then confirm your browsers are up-to-date with all available patches, fixes, and upgrades.
  3. Next, check to see that your security software is up-to-date with all available patches, fixes, and upgrades.
  4. Now, strengthen your spam filters, and smarten up about spam so you don’t click on malicious links.

Learn more about how to protect yourself and your devices in these blogs:

Are You Sure Your PC is Malware Free??

Are You a Malware Magnet? 4 simple steps can make all the difference

Every 3 Seconds an Identity is Stolen – Don’t Be Next

Need help understanding botnets?

See my blogs What are Bots, Zombies, and Botnets? and McAfee Infographic Makes Botnets Understandable.

Here’s a quick illustration to get you started…

Note: I was a Microsoft Employee for 13 years, until the fall of 2006. I have written both positive and less favorable articles on Microsoft, but hold an abiding respect for the company’s ongoing commitment to security and to providing a responsible, trustworthy environment for consumers.



New Online Safety Lesson: Online Hate Crimes: Are you part of the solution or part of the problem?

March 21, 2012

The 14th installment in the lesson series I’m writing on behalf of iKeepSafe, looks at taking a stand against hate crimes and content groups on the internet.

The vast majority of people in every country oppose hate, hate groups, and hate crimes. Unfortunately, however, the number of hate groups around the world is increasing. In the U.S. the number of hate groups has surged by 69% since 2000, from 602 official hate groups then to 1,018 in 2011.

The rise in hate groups isn’t just an American problem; Germany, South Africa, France, Britain, and other countries also struggle with rapidly expanding numbers of hate groups.

To see and use this lesson, the companion presentation, professional development materials, and parent tips click here: Online Hate Crimes: Are you part of the solution or part of the problem?


New Online Safety Lesson: Connecting Technology Across Generations

February 17, 2012

The 11th installment in the lesson series I’m writing on behalf of iKeepSafe, focuses on leveraging the internet to connect generations.

Who says technology is hurting interpersonal relationships? New research shows that the “computer generation” no longer encompasses just the teens who grew up with technology. Seniors are migrating online like never before, which offers new channels for communication between the generations.

Whether texting, Skyping, Facebooking or emailing, seniors and youth have much to gain from each other. Read further for some surprising statistics on how seniors are increasingly embracing current technologies and finding new ways to communicate with their grandchildren and other youth. And, don’t miss out on tips to help deepen interaction between younger and older generations.

To see and use this lesson, the companion presentation, professional development materials, and parent tips click here: Connecting Technology Across Generations 


Responding to Spam Volumes, Hotmail Adds “My Friend’s been Hacked” Feature

July 21, 2011

Sending spam from legitimate users’ email accounts has become rampant as spammers switch away from using botnets. This week alone, I’ve received spam sent via my mother’s and two friends’ email accounts – and received frantic calls asking how to fix the problem. Read more on fixing the problem later in this blog.

To address the nearly 30% of Hotmail spam generated through compromised accounts, Microsoft has launched a new feature in Hotmail. Called “my friend’s been hacked” and found under the “Mark as” dropdown, a simple click allows friends to report compromised accounts directly to Hotmail.

Microsoft’s Dick Craddock explains that “when you report that your friend’s account has been compromised, Hotmail takes that report and combines it with the other information from the compromise detection engine to determine if the account in question has in fact been hijacked. It turns out that the report that comes from you can be one of the strongest ‘signals’ to the detection engine, since you may be the first to notice the compromise.”

Once Hotmail has marked the account as compromised, two steps are taken:

  • The account can no longer be used by the spammer
  • Your friend (the account’s owner) is put through an account recovery flow that helps them take back control of the account.

What’s really cool about the work the Hotmail team has done is that it can be used to report problems with accounts hosted by other email providers as well. So for example, Yahoo! or Gmail receives a notice from Hotmail if one of their user’s accounts has been compromised and can take action.

Additionally, the Hotmail team has recognized that weak passwords are a large part of the problem – it’s just too easy for spammers to hack flimsy passwords. To address this, the service will soon roll out a new feature requiring stronger passwords. If you’re currently using a common password, you may be asked to strengthen it in the future.

Changing spam tactics

The takedown of the Rustock botnet dealt a telling blow to spammers and dropped spam volumes by almost 30% overnight (see Kudos to MSFT for Strangling the Rustock Spambot) and highlights a vulnerability in the botnet approach. Not only did spammers have to pay to rent the botnets, their distribution method could be shut off in one well-researched swoop.

A report out this month by Commtouch explains this shift in tactics, saying: “The move away from botnet spam can be attributed to the use of IP reputation mechanisms that have been increasingly successful in blacklisting zombie IP addresses and therefore blocking botnet spam.

The blocking of spam from compromised accounts based on IP address is more difficult for many anti-spam technologies, since these accounts exist within whitelisted IP address ranges (such as Hotmail or Gmail).

One of the primary aims of the larger malware outbreaks and phishing attacks of this quarter is therefore to acquire enough compromised accounts to make spamming viable. The catch for spammers: While spam from compromised accounts is less likely to get blocked by IP reputation systems, the volumes that can be sent are lower due to the thresholds imposed on these accounts. This at least partially accounts for the lower spam volumes seen this quarter.”
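The two controls Commtouch describes, IP reputation for zombie addresses and per-account sending thresholds for webmail accounts, can be seen working together in a small mail-gateway model. The following Python example is added here for illustration and is not code from Commtouch, Hotmail or any real anti-spam product; the IP ranges (taken from the RFC 5737 documentation blocks), the sender addresses, the threshold of three messages per ten minutes and the sample events are all constructed for the example.

```python
"""
Model of two anti-spam controls over constructed sample mail events:
  1. IP reputation: reject mail whose source IP is on a zombie blocklist
     (this is what blocks botnet spam).
  2. Per-account send-rate threshold: mail arriving from a whitelisted
     webmail provider range is not blocked by IP, so instead each sender
     is counted in a sliding time window and throttled once it exceeds
     the threshold (this is what caps spam from compromised accounts).
All addresses, ranges and thresholds are hypothetical.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class MailEvent:
    ts: int        # seconds since epoch (constructed)
    src_ip: str    # connecting IP address
    sender: str    # envelope sender


# Hypothetical reputation data using RFC 5737 documentation ranges.
ZOMBIE_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]   # known bot IPs
WEBMAIL_RANGES = [ipaddress.ip_network("198.51.100.0/24")]    # trusted provider


class SpamGate:
    def __init__(self, per_account_limit: int = 3, window_seconds: int = 600):
        self.limit = per_account_limit
        self.window = window_seconds
        # sender -> timestamps of accepted messages inside the window
        self.history = defaultdict(deque)

    @staticmethod
    def _ip_in(ip, networks) -> bool:
        return any(ip in net for net in networks)

    def decide(self, ev: MailEvent) -> str:
        ip = ipaddress.ip_address(ev.src_ip)
        # Control 1: IP reputation. A blocklisted zombie IP is rejected
        # outright, regardless of who the sender claims to be.
        if self._ip_in(ip, ZOMBIE_BLOCKLIST):
            return "REJECT_IP_REPUTATION"
        # Control 2: per-account threshold for mail from whitelisted
        # provider ranges, where IP reputation cannot help.
        if self._ip_in(ip, WEBMAIL_RANGES):
            q = self.history[ev.sender]
            # Slide the window: forget timestamps older than window_seconds.
            while q and ev.ts - q[0] >= self.window:
                q.popleft()
            if len(q) >= self.limit:
                return "THROTTLE_ACCOUNT"   # compromised-account signal
            q.append(ev.ts)
            return "ACCEPT"
        # No reputation signal either way; ordinary content filtering applies.
        return "ACCEPT"


def run_sample():
    """Run constructed events through the gate and return (sender, decision)."""
    gate = SpamGate(per_account_limit=3, window_seconds=600)
    events = [
        MailEvent(0, "203.0.113.7", "bot@example.net"),          # zombie IP
        MailEvent(1, "198.51.100.10", "alice@webmail.example"),  # 1st in window
        MailEvent(2, "198.51.100.10", "alice@webmail.example"),  # 2nd
        MailEvent(3, "198.51.100.10", "alice@webmail.example"),  # 3rd
        MailEvent(4, "198.51.100.10", "alice@webmail.example"),  # 4th: throttled
        MailEvent(5, "192.0.2.44", "mary@example.org"),          # unknown IP
        MailEvent(700, "198.51.100.10", "alice@webmail.example"),  # window slid
    ]
    return [(ev.sender, gate.decide(ev)) for ev in events]


if __name__ == "__main__":
    for sender, decision in run_sample():
        print(f"{sender:24} {decision}")
```

The fourth message from the webmail account is throttled even though its IP is trusted, and a message ten minutes later is accepted again once the window has moved on. That is exactly the trade-off the report describes: a compromised account slips past IP reputation, but the per-account threshold keeps the achievable volume far below what a zombie IP could send before it was blocklisted.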

What to do if your email account is hacked

  1. Check your security. Most hackers collect passwords using malware that has been installed on your computer or mobile phone. Be sure your anti-virus and anti-malware programs are up to date. Also be sure that any operating system updates are installed. See my blog Are You a Malware Magnet? 4 simple steps can make all the difference
  2. Change your password and make it stronger after your anti-virus and anti-malware programs are updated. Learn how to create stronger passwords in my blog Safe passwords don’t have to be hard to create; just hard to guess.
  3. Practice greater safety online.
    1. Learn to spot spam and scams
    2. Secure your home’s wireless network
    3. Avoid logging into accounts when using public wireless networks – you don’t know if these are safe or compromised. See my blog Like Lambs to the Slaughter? Firesheep Lets Anyone be a Hacker
    4. Validate the legitimacy of any program/game/app before downloading it. See my blog Windows Getting Safer, but Study Finds that 1 of Every 14 Programs Downloaded is Later Confirmed as Malware


Kudos to MSFT for Strangling the Rustock Spambot

March 27, 2011

Microsoft’s Digital Crimes Unit announced the takedown of one of the world’s largest bot networks, which leveraged “approximately a million infected computers” and was capable of sending up to 30 billion spam emails per day. Researchers watched a single Rustock-infected computer send 7,500 spam emails in just 45 minutes – a rate of 240,000 spam mails per day.

The spam included fake Microsoft lottery scams, but it appears that the bulk of the spam sent via this botnet focused on advertising counterfeit or unapproved knock-off versions of pharmaceuticals.

The Rustock spambot was officially taken offline yesterday after a federal investigation into the criminal operators behind the bot ended. The investigation began as a result of Microsoft suing the spammers. (Don’t know what a bot is? Read my post What are Bots, Zombies, and Botnets?)

Here is an excerpt from Microsoft’s blog post:

Botnets are known to be the tool of choice for cybercriminals to conduct a variety of online attacks, using the power of thousands of malware-infected computers around the world to send spam, conduct denial-of-service attacks on websites, spread malware, facilitate click fraud in online advertising and much more. This particular botnet is no exception.

….Spam is annoying and it can advertise potentially dangerous or illegal products. It is also significant as a symptom of greater threats to Internet health. Although Rustock’s primary use appears to have been to send spam, it’s important to note that a large botnet can be used for almost any cybercrime a bot-herder can dream up. Botnets are powerful and, with a simple command, can be switched from a spambot to a password thief or DDOS attacker.

Again, DCU’s research shows there may be close to 1 million computers infected with Rustock malware, all under the control of the person or people operating the network like a remote army, usually without the computer’s owner even aware that his computer has been hijacked. Bot-herders infect computers with malware in a number of ways, such as when a computer owner visits a website booby-trapped with malware and clicks on a malicious advertisement or opens an infected e-mail attachment. Bot-herders do this so discreetly that owners often never suspect their PC is living a double life.

It’s like a gang setting up a drug den in someone’s home while they’re on vacation and coming back to do so every time the owner leaves the house, without the owner ever knowing anything is happening. Home owners can better protect themselves with good locks on their doors and security systems for their homes. Similarly, computer owners can be better protected from malware if they run up-to-date software – including up-to-date antivirus and antimalware software – on their computers.

Finally, we encourage every computer owner to make sure their machine isn’t doing a criminal’s dirty work. If you believe your computer may be infected by Rustock or other type of malware, we encourage you to visit for free information and resources to clean your computer.

What this means to you

You must protect your internet connected devices. Unlike your toaster, the internet is not a plug-it-in-and-go experience.

  • It requires installing or turning on security software on your devices – and then setting the software to auto-update so it keeps your safety level current.
  • It requires creating strong passwords to log-in to the computer.
  • It requires ensuring any WiFi connection is password protected.
  • It requires changing passwords periodically.
  • It requires getting educated on how to avoid scams, spam, and protect your privacy.

It also requires that you step up to your civic duty of protecting others. An infected device is the digital equivalent of Typhoid Mary – you may not intend to send infected documents, or be part of a botnet spewing spam and scams, contributing to denial of service attacks, or spreading viruses, but if you haven’t taken security precautions to keep your devices clean, you are part of the problem.


Internet Safety Calendar Is Popular Download

October 25, 2010

Thousands of consumers have downloaded the iLOOKBOTHWAYS Internet Safety Calendar since its launch less than a month ago.

Sponsored by Microsoft, the calendar offers actionable online safety tips for you and your family. It has been featured in TV, print, and radio shows and is now featured on The Windows Club website.

The calendar sends you a reminder at the beginning of each month to help you take action on important online safety issues.

Using the calendar, you will learn how to:

  • Protect yourself from identity theft
  • Talk about cyberbullying with kids
  • Shop online more safely
  • Protect your information when you are traveling.

LOOKBOTHWAYS is an Internet safety technology company that provides products, consulting, and information about online safety.

The company provides the iLOOKBOTHWAYS website as a benefit to consumers.

LOOKBOTHWAYS also has a foundation that develops Internet safety courses for elementary through high school students that will be available free of charge. The first lessons will be ready for use in early 2011.


Microsoft Sponsors New Internet Safety Calendar App by LOOKBOTHWAYS

September 22, 2010

Microsoft has sponsored the creation of a new, free, Internet Safety Calendar application, that consumers can download to their Internet Explorer browser (Note: only IE is supported at this time).

To access the new Internet Safety Calendar application, go to Microsoft’s

Built by LOOKBOTHWAYS, the calendar provides relevant monthly advice to help you increase your online safety, whether you’re looking out for your own safety or you are a parent watching over your family’s safety. The calendar also includes reminders for those recurring safety actions you know you should be doing, but that frequently get forgotten in the rush of day-to-day activities.

Each month, the calendar will send you a note reminding you to check the calendar for important online safety advice, but you can also view the app at any time by selecting Online Safety Calendar under the Tools menu.

Here’s a view of the Online Safety Calendar application, and September’s content for parents:

It’s easy to improve your safety with just a few simple actions each month.