Together with my colleagues Jeff Williams and Holly Stewart from the Microsoft Malware Protection Center (MMPC) I am here at the 23rd Annual FIRST conference in Vienna, Austria this week.
FIRST is the Global Forum for Incident Response and Security Teams, an organization that aims to bring together computer security incident response teams from government, industry and education. FIRST is at the root of a number of standardization efforts in security, such as the Common Vulnerability Scoring System (CVSS). Its main strength, though, is that it offers incredible networking opportunities for people in the security community to find each other and collaborate on protecting internet users.
Microsoft is proud to be a Platinum sponsor of the FIRST conference, and looks forward to our continued collaboration with the valuable members of this community.
This week also marks the 3-month anniversary of an exciting project we embarked upon with many of the national incident response teams that are present here this week.
On March 17th, our colleagues at the Microsoft Digital Crimes Unit (DCU) publicly announced their successful effort to take down the notorious Rustock botnet. At the time, Rustock was estimated to have consisted of close to a million infected computers, and it was capable of sending billions of spam messages each day. These messages included advertisements for fake prescription medication, which can in some cases, be dangerous.
Microsoft has a great security group, but as a single company, we quickly realized that we would not be able to reach out to every infected customer worldwide. However, many countries have stood up Computer Security Incident Response Teams (CSIRTs), which are exactly intended to process this type of information and protect constituents. Over the last few months, we have worked with several of these organizations to further advance our joint goal of protecting and cleaning infected Rustock machines worldwide.
We would like to thank the following CSIRT partners for their contribution so far in this takedown effort:
ArCERT, ArgentinaCERT.AT, AustriaCert.BE, BelgiumCERT-BR, BrazilCERT-EE, EstoniaCERT-FI, FinlandCERT.LV, LatviaCERT-UA, UkraineCNCERT, ChinaFederal Office for Information Security (BSI), GermanyGovCERT.nl, The NetherlandsGovCertUK, United KingdomHKCERT, Hong KongINTECO CERT, SpainJPCERT/CC, JapanMYCERT, MalaysiaPISA CERT, PakistanPublic Safety Canada – CCIRC, CanadaCERT-SA, Saudi ArabiaThaiCERT, ThailandTwCERT/CC, TaiwanEach of these organizations has tirelessly worked with us over the last months to reach out to affected service providers and consumers in their constituency and ensure they were aware of tools that existed to remediate infected machines. In fact, they are part of a much larger group of organizations in the CSIRT community, some of which preferred to not be publicly called out for their efforts at this time. Microsoft values collaboration and the insights these organizations continue to provide to us on this significant challenge, which we are tackling, together.
Within the United States, Microsoft also works with a community of Internet Service Providers. In addition, anyone who owns a network range can subscribe to Smart Network Data Services (SNDS), which makes this information available to any legitimate network administrator.
If you would like to learn more about these and other efforts of Microsoft to clean the Internet of botnet activity, you can find more information at support.microsoft.com/botnets.
Maarten Van HorenbeeckSenior Program Manager, MSRC