Microsoft is continuing their unorthodox crusade against botnets and their operators, leveraging the power of the courts and circumventing law enforcement to a degree.
In March, Microsoft teamed with a cross-sector coalition of interested parties in instigating the legal and technological assault that resulted in the seizure of multiple command and control servers operating a massive Zeus Trojan botnet.
Microsoft was also instrumental in the Rustock botnet takedown. In February of 2011, Microsoft provided documentation that detailed the botnet's extensive structure in a federal court filing that was part of a lawsuit against a number of John Doe defendants.
Acting on the information Microsoft provided, federal marshals raided several internet hosting providers across the U.S. in March of 2011, seizing servers suspected of being used as Rustock command and control units.
Now the tech giant is seeking to force email service providers to hand over details related to the identities of suspected botnet operators.
Brian Krebs reports that "Google began alerting the registrants of more than three dozen Gmail accounts that were the subject of Microsoft’s subpoenas for email records. The email addresses were already named in Microsoft’s initial complaint posted at zeuslegalnotice.com, which listed nicknames and other information tied to 39 separate “John Does” that Microsoft is seeking to identify."
The notification obtained by Krebs reads as follows:
Google has received a subpoena for information related to your Google account in a case entitled Microsoft Corp., FS-ISAC, Inc. and NACHA v. John Does 1-39 et al., US District Court, Northern District of California, 1:12-cv-01335 (SJ-RLM) (Internal Ref. No. 224623).
To comply with the law, unless you provide us with a copy of a motion to quash the subpoena (or other formal objection filed in court) via email at email@example.com by 5pm Pacific Time on May 22, 2012, Google may provide responsive documents on this date.
For more information about the subpoena, you may wish to contact the party seeking this information at:
Jacob M. Heath
Orrick, Herrington, & Sutcliffe, LLP
Jacob M. Heath, 1000 Marsh Road
Menlo Park, CA 94025
Google is not in a position to provide you with legal advice.
If you have other questions regarding the subpoena, we encourage you to contact your attorney.
“We take user privacy very seriously, and whenever we receive a request we make sure it meets both the letter and spirit of the law before complying. When possible and legal to do so, we notify affected users about requests for user data that may affect them. And if we believe a request is overly broad, we will seek to narrow it,” Krebs reported Google spokeswoman Christine Chen as stating.
While most would agree that criminal botnet operations represent a grave concern from a security perspective, some researchers who track the activities of online criminal organizations were dismayed that Microsoft would take it upon themselves to openly disclose what they consider to be confidential information.
"The researchers told me privately that they believed Microsoft had overstepped its bounds with this action, using privileged information without permission from the source(s) of that data (many exclusive industry discussion lists dedicated to tracking cybercriminal activity have strict rules about sourcing and using information shared by other members)," Krebs previously reported.
The latest move to force Google and other email service providers to hand over these details has elicited further criticism from legal experts who question whether the company's actions may be hindering law enforcement's ability to properly investigate and bring the botnet operators up on criminal charges.
“I suspect this is a situation where Microsoft feels law enforcement isn’t moving quickly enough. But it also basically compromises law enforcement’s ability to do anything about the problem, and makes it possible for the suspects to evade any sort of law enforcement action,” Krebs quoted Marcia Hofmann, a senior staff attorney with the Electronic Frontier Foundation, as stating.