Microsoft disrupts international cybercrime rings
02 July 2014, 08:23
Boston - Microsoft launched what it hopes will be the most successful private effort to date to crack down on cyber crime by moving to disrupt communications channels between hackers and infected PCs.
The operation, which began on Monday under an order issued by a federal court in Nevada, targeted traffic involving malicious software known as Bladabindi and Jenxcus, which Microsoft said work in similar ways and were written and distributed by developers in Kuwait and Algeria.
It is the first high-profile case involving malware written by developers outside of Eastern Europe, according to Richard Domingues Boscovich, assistant general counsel of Microsoft's cybercrime-fighting Digital Crimes Unit.
"We never seen malware coded outside Eastern Europe that is as big as this. This really demonstrates the globalisation of cybercrime," said Boscovich, whose team at Microsoft has disrupted nine other cybercrime operations over the past five years, all of which it believes originated in Eastern Europe.
He said it would take several days to determine how many machines were infected, but noted that the number could be very large because Microsoft's anti-virus software alone has detected some 7.4 million infections over the past year and is installed on less than 30% of the world's PCs.
Social media marketing
The malware has slick dashboards with point-and-click menus to execute functions such as viewing a computer screen in real time, recording keystrokes, stealing passwords and listening to conversations, according to documents filed in US District Court in Nevada on 19 June and unsealed on Monday.
The malicious software was purchased by at least 500 customers, who are identified in the court documents as John Does 1 to 500.
Boscovich said the developers blatantly marketed their malware over social media, including videos on Google's YouTube and a Facebook page. They posted instructional videos with techniques for infecting PCs, he said.
The court order allowed Microsoft to disrupt communications between infected machines and a Reno, Nevada, firm known as Vitalwerks Internet Solutions.
Boscovich said about 94% of all machines infected with the two viruses communicate with hackers through Vitalwerks servers. Criminals use Vitalwerks as an intermediary to make it more difficult for law enforcement to track them down, he said.
The court ordered the registries that direct internet communications to send suspected malicious traffic to Microsoft servers in Redmond, Washington, instead of letting it go on to Vitalwerks.
Vitalwerks spokesperson Natalie Goguen said she had no immediate comment.
In the operation that began on Monday, Boscovich said, Microsoft will filter out communications from PCs infected with another 194 types of malware that are also being filtered through Vitalwerks.
Microsoft has not accused Vitalwerks of involvement in any cybercrime, though it alleges that the company failed to take proper steps to prevent its system from being used for such activities.
"We just want them to clean up their act, to be more proactive in monitoring their service," Boscovich said in an interview.