Microsoft botnet-hunting tool helps bust hackers

Botnet fighters have another tool in their arsenal, thanks to Microsoft. The software vendor is giving law enforcers access to a special tool that keeps tabs on botnets, using data compiled from the 450 million computer users who have installed the Malicious Software Removal tool that ships with Windows.

Although Microsoft is reluctant to give out details on its botnet buster -- the company said that even revealing its name could give cyber criminals a clue on how to thwart it -- company executives discussed it at a closed door conference held for law enforcement professionals Monday. The tool includes data and software that helps law enforcers get a better picture of the data being provided by Microsoft's users, said Tim Cranton, associate general counsel with Microsoft's World Wide Internet Safety Programs. "I think of it ... as botnet intelligence," he said.

Microsoft security experts analyze samples of malicious code to capture a snapshot of what is happening on the botnet network, which can then be used by law enforcers, Cranton said. "They can actually get into the software code and say, 'Here's information on how it's being controlled.'"

Botnets are networks of hacked computers that can be used, almost like a supercomputer, to send spam or attack servers on the Internet. They have been on Microsoft's radar for about four years, ever since the company identified them as a significant emerging threat. In fact, the software vendor has held seven closed-door botnet conferences for law enforcement officials over the years, including an inaugural event in Lyon, France, hosted by Interpol, Cranton said.

Microsoft had not previously talked about its botnet tool, but it turns out that it was used by police in Canada to make a high-profile bust earlier this year.

In February, the Sûreté du Québec used Microsoft's botnet-buster to break up a network that had infected nearly 500,000 computers in 110 countries, according to Captain Frederick Gaudreau, who heads up the provincial police force's cybercrime unit.

The case illustrates how useful Microsoft's software and data can be.

After monitoring hacker chat rooms and interviewing sources, Quebec police had suspects in their case. But what they didn't have was a clear link showing who was actually controlling the botnets. Because botnets usually get their instructions from other hacked computers, it can be hard to connect the dots in a case like this. "We knew that those people were really active and what we needed to really charge them was to do deeper intelligence, and to know how they were using those botnets," he said.

Sûreté du Québec officers had heard about Microsoft's tool in at a 2006 Microsoft law enforcement conference. A few months later, they decided to give it a try.

Analysis by Microsoft's software allowed investigators to identify which IP address was being used to operate the botnet, Gaudreau said. And that cracked the case.

Building up this kind of case sometimes can involve staying on top of network traffic and malicious software over a long period of time, said Paul Ferguson, a network architect with anti-virus vendor Trend Micro who works with law enforcement on similar cases.

This is an area where companies can really help out with criminal investigations, he added. "We need to see a lot more cooperation between law enforcement and private industry," Ferguson said. "Law enforcement is ill-equipped to handle the global scale and the sheer volume of the threats."

According to Gaudreau, he'd still be stalking his botnet hackers if not for Microsoft. "If we hadn't had that tool it would have maybe taken two years more to do the investigation," he said.