The following is a post from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.


In our most aggressive botnet operation to date, the Microsoft Digital Crimes Unit worked with leaders of the financial services industry, other technology industry partners and the Federal Bureau of Investigation to disrupt a massive cyber threat responsible for stealing people’s online banking information and personal identities. With a court ordered civil seizure warrant from the U.S. District Court for the Western District of North Carolina, Microsoft executed a simultaneous operation to disrupt more than 1,400 Citadel botnets which are responsible for over half a billion dollars in losses to people and businesses worldwide.

Meanwhile, the FBI took coordinated separate steps related to the operation. This collaborative action – codenamed Operation b54 – is Microsoft’s seventh botnet operation to date and part of a growing proactive effort by both the public and private sector to fight cybercrime, help protect people and businesses from online fraud and identity theft, and enhance cloud security for everyone. This operation marks the first time that law enforcement and the private sector have worked together in this way to execute a civil seizure warrant as part of a botnet disruption operation.

As Reuters first reported, due to Citadel’s size and complexity, we do not expect to fully take out all of the botnets in the world using the Citadel malware. However, we do expect that this action will significantly disrupt Citadel’s operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business.

Similar to past botnet efforts, Microsoft will use the intelligence gained in Operation b54 to work with Internet Service Providers (ISPs) and Computer Emergency Response Teams (CERTs) around the world to quickly and efficiently clean as many computers as possible. Microsoft will be making this information available through its Cyber Threat Intelligence Program (C-TIP), including the recently-announced cloud-based version of the program. For computer owners worried that their computers might be infected, Microsoft offers free information and malware removal tools at http://support.microsoft.com/botnets. Additionally, the FBI provides information on its website about botnets to educate the public on how to protect themselves. Many financial services industry organizations also provide resources, tips and tools to individuals and companies on how to protect themselves.

Like many of our past operations, this investigation once again revealed how criminals are adapting and evolving their attack methods in order to continue to infect people’s computers with malware. For instance, during our investigation we found that Citadel blocked victims’ access to many legitimate anti-virus/anti-malware sites, making it so people may not have been able to easily remove this threat from their computer. However, with the disruptive action, victims should now be able to access these previously blocked sites. We also found that cybercriminals are using fraudulently obtained product keys created by key generators for outdated Windows XP software to develop their malware and grow their business, demonstrating another link between software piracy and global cybersecurity threats. (Of note, Windows Vista, Windows 7 and Windows 8 have measures in place to help protect against this type of misuse of product keys.) This discovery showcases that, in addition to exercising safe online practices like running updated and legitimate software and using firewall and antivirus protection, people also need to use modern versions of Windows software to better prevent malware, fraud and identify theft.

Cooperation is the key to winning the fight against cybercrime, and I’m excited about the opportunity we had to work with law enforcement and the other partners involved in this operation and the impact of that cooperative effort. Operation b54 serves as a real world example of how public-private cooperation can work effectively within the judicial system, and how 20th century legal precedent and common law principles dating back hundreds of years can be effectively applied toward 21st century cybersecurity issues. Building on recent remarks from government leaders, including President Barack Obama, U.S. Senator Sheldon Whitehouse, Congressman Mike Rogers, and others calling for increased public-private cooperation to combat cyber threats, I look forward to similar cooperative efforts in the future as we continue our goal to fundamentally disrupt the cybercriminal ecosystem.

I’d like to thank the FBI, the U.S. Marshals, as well as all the financial and technology industry partners that we worked with on this operation, including the Financial Services – Information Sharing and Analysis Center (FS-ISAC), NACHA – The Electronic Payments Association, the American Bankers Association (ABA), Agari, A10 Networks and Nominum.

For more information on this operation and comment from others involved, please read our press release.

Meanwhile, this case and operation are ongoing, and we’ll continue to provide updates as they become available. To stay up-to-date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.