Jump to content

Microsoft Digital Crimes Unit

Coordinates: 47°38′23″N 122°7′42″W / 47.63972°N 122.12833°W / 47.63972; -122.12833
From Wikipedia, the free encyclopedia
Microsoft Digital Crimes Unit
AbbreviationDCU
PurposeAn international legal and technical team of attorneys, investigators, and forensic analysts, with expertise across the areas of malware, botnets, IP crimes, and technology-facilitated child exploitation
HeadquartersMicrosoft Redmond Campus
Location
Coordinates47°38′23″N 122°7′42″W / 47.63972°N 122.12833°W / 47.63972; -122.12833
Region served
Worldwide
Parent organization
Microsoft

The Microsoft Digital Crimes Unit (DCU) is a Microsoft sponsored team of international legal and internet security experts employing the latest tools and technologies to stop or interfere with cybercrime and cyber threats. The Microsoft Digital Crimes Unit was assembled in 2008. In 2013, a Cybercrime center for the DCU was opened in Redmond, Washington.[1] There are about 100 members of the DCU stationed just in Redmond, Washington at the original Cybercrime Center. Members of the DCU include lawyers, data scientists, investigators, forensic analysts, and engineers.[1] The DCU has international offices located in major cities such as: Beijing, Berlin, Bogota, Delhi, Dublin, Hong Kong, Sydney, and Washington, D.C.[2] The DCU's main focuses are child protection, copyright infringement and malware crimes.[1][2] The DCU must work closely with law enforcement to ensure the perpetrators are punished to the full extent of the law. The DCU has taken down many major botnets such as the Citadel, Rustock, and Zeus. Around the world malware has cost users about $113 billion and the DCU's jobs is to shut them down in accordance with the law.[1]

Areas of emphasis

[edit]

There are three areas on which the DCU concentrates:[3]

Trespass to Chattel

[edit]

Trespass to Chattel is a legal term for how the Microsoft Digital Crimes Unit takes down its cyber criminals. Chattel is old English for cattle, which was considered to be valuable property to the owner. Essentially meaning that any property that is not land is referred to as chattel or "cattle". When spam or malware infects a user's computer or network that is considered to be "trespass to chattel" because they are trespassing on the user's property. The cybercrime is that the criminal has trespassed on the user's computer or network because they are responsible for the spam or malware they intended to harm the user with. The DCU's legal team has to pursue the cyber criminal in court using these old legal doctrines and laws to charge them with the crime of trespassing.[1]

The Botnet

[edit]

A botnet is a network of compromised computer (Zombies) that are controlled without the user's knowledge. These are usually used to do repetitive tasks such as spam but can also be used for distributing malware and Distributed Denial of Service(DDOS) attacks. These botnets are controlled by a single criminal or a network of criminals.[4] The Microsoft Digital Crimes Unit is constantly hunting down Botnet networks that are used for these tasks. The DCU has dealt with botnets for spamming, key-logging and data ransom. The DCU has also taken down botnets such as Citadel, Rustock, and Zeus. It is an everyday fight for the DCU to continue to locate new threats from botnets and take them down.[5]

Takedown of the Rustock Botnet

[edit]

On March 18, 2011, the Microsoft Digital Crimes Unit took down the Rustock Botnet. The Rustock botnet was responsible for over half of the spam worldwide sent to users and had controlled over 1 million computers. This spam had viruses attached to the emails and some were phishing emails. Microsoft with the help of the U.S. Marshals got warrants to seize the identified local command-and-control servers and do analysis on them. The DCU and U.S. marshals raided the servers located in Chicago, Columbus, Dallas, Denver, Kansas City, Scranton, and Seattle. After the DCU had seized the servers and terminated them the entire world had a large decrease in spam. Since then there has been no spam from the Rustock Botnet.[6][7]

Takedown of the Zeus Botnet

[edit]

On March 25, 2012, the Microsoft Digital Crimes Unit took down the Zeus Botnet. This investigation was also known as Operation b71. The Zeus botnet is responsible for stealing more than $100 Million from over 13 million infected computers. The botnet was installed on the user's computer from pirated versions of Windows or hidden through a download online. The Zeus botnet works by waiting for the user of the computer to open a web browser and attempt to do some banking or online shopping then show a similar looking webpage with a field to enter the login information. The login information is then sent to a Zeus server and the criminal can access the user's accounts. The DCU, accompanied by U.S. Marshals, shut down the botnet by raiding two command-and-control server facilities located Scranton, Pennsylvania and Lombard, Illinois. From there the DCU made a case to prosecute 39 unnamed cyber criminals who were responsible for this botnet by accessing the servers and retrieving the stolen data. After this botnet was shut down the starter code has since been sold on the black market to make other variations of this botnet such as Citadel and many more. Therefore, the Zeus botnet code itself is still active and has evolved.[8]

Takedown of the Citadel Botnet

[edit]

On June 6, 2013, the Microsoft Digital Crimes Unit took down the Citadel botnet's 1000 servers. The Citadel botnet had infected an estimated 5 million computers using a key-logging program to steal the information. Citadel is responsible for stealing at least $500 million from online personal bank accounts in over 80 countries. They stole from banks such as American Express, Bank of America, PayPal, HSBC, Royal Bank of Canada and Wells Fargo. The Citadel code emerged from the cybercrime kit known as Zeus which is sold as a starter code on the black market for thousands. The creators of Citadel are unknown but the DCU has prepared a large amount of charges to prosecute them. The DCU has since then helped users update their systems to get rid of the malware that may still be on their computers but is inactive.[9]

Actions against the ZeroAccess botnet

[edit]

On December 5, 2013, the Microsoft Digital Crimes Unit, the FBI, Europol, and other industry partners attempted to disrupt the ZeroAccess botnet.[10] Although the efforts took down 18 hosts that were part of the ZeroAccess command and control network, because of the peer-to-peer nature of the botnet, ZeroAccess remains active.[11]

See also

[edit]

References

[edit]
  1. ^ a b c d e "Inside Microsoft's Digital Crimes Unit - Small Business Trends". smallbiztrends.com. 19 April 2015. Retrieved 2018-10-22.
  2. ^ a b "Microsoft Launches Cybercrime Center - InformationWeek". InformationWeek. Retrieved 2018-10-22.
  3. ^ "Microsoft Digital Crimes Unit". microsoft.com. Redmond, WA: Microsoft. Retrieved 2013-11-15.
  4. ^ Lerner, Zach (Fall 2014). "Microsoft The Botnet Hunter: The Role of Public-Private Partnerships in Mitigating Botnets" (PDF). Harvard Journal of Law & Technology. 28: 237–261.
  5. ^ Greene, Tim. "Inside Microsoft botnet takedowns". Network World. Retrieved 2018-10-22.
  6. ^ Wilson, Dean (18 March 2011). "Microsoft was behind the Rustock botnet takedown". The Inquirer. Archived from the original on March 21, 2011. Retrieved 2018-10-22.{{cite news}}: CS1 maint: unfit URL (link)
  7. ^ Raywood, Dan (18 March 2011). "Microsoft confirms takedown of Rustock botnet". SC Media. Retrieved 2018-10-22.
  8. ^ "The long arm of Microsoft tries taking down Zeus botnets". CNET. 2012-03-25. Retrieved 2018-10-22.
  9. ^ "FBI and Microsoft hit theft botnet". BBC News. 2013-06-06. Retrieved 2018-10-22.
  10. ^ Stewart, Christopher S.; Marr, Merissa (2013-12-05). "Microsoft Takes Action Against Alleged Ad-Fraud 'Botnet' ZeroAccess". online.wsj.com. New York, NY: The Wall Street Journal). Retrieved 2013-12-07.
  11. ^ Gallagher, Sean (2013-12-06). "Microsoft disrupts botnet that generated $2.7M per month for operators; Update: researchers say not all C&C servers seized, and P2P makes takedown moot". arstechnica.com. New York, NY: Condé Nast. Retrieved 2013-12-07.
[edit]