Home / Blogs

Senate Judiciary Committee Hearing on Botnet Takedowns (July 15, 2014)

Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks
Crime and Terrorism
Date: Tuesday, July 15, 2014 Add to my Calendar
Time: 02:30 PM
Location: Dirksen 226
Presiding: Senator Whitehouse (D-RI)

The background is of course quite interesting, given how soon it has followed Microsoft’s seizure of several domains belonging to Dynamic DNS provider no-ip.com for alleged complicity in hosting trojan RAT gangs, a couple of days after which the domains were subsequently returned—without public comment—to Vitalwerks, the operator of No-IP.

This is by no means a new tactic for Microsoft, who has carried out successful seizures of various domains over the past two or three years.

There was some initial criticism, including a CircleID post that I wrote, when they first began to do this back in 2012, with their seizure of Chinese dynamic DNS provider 3322.org, scant weeks before the 2012 WCIT in Dubai, mind you.

Back during l’affaire 3322 and since then, public criticism has mostly been muted—and mostly by some of the more outspoken individuals in the security community. Others evidently preferred that essential tool of diplomacy—a masterly silence.

Meanwhile, Microsoft continued with their strategy, taking down domains involved in Zeus and Citadel.

In both these cases, the domains seized were entirely malicious, solely used by the botnets and so their seizure disrupted maybe some researchers who were understandably upset, possibly (I wouldn’t know) other law enforcement around the world that might have been monitoring Zeus only to find their investigations rudely disrupted… but no collateral damage to John Q Public. So, more of the same muted criticism in public, fiercely opinionated conversations in private.

Back then, there were some concrete suggestions made—by Wout de Natris advocating public private cooperation in botnet takedowns on CircleID, and by the Honeynet Project, which developed a code of conduct on botnet takedowns.

Business as usual, so to speak, with Microsoft’s only response being to rebut such criticism as overblown, and making the reasonably valid case that the bot domains in question were genuine threats that were causing substantial harm to the general public while they were left up.

The no-ip seizure turned this situation around fast. There was massive collateral damage, much closer to home and with No-IP having a rather larger userbase than previous takedown targets in China or Europe.

The casualties of this friendly fire seizure included monitoring cams for seniors with dementia, internet connected alarm systems, online multiplayer games… that sort of thing, which ignited a firestorm of criticism, including in mainstream publications like Forbes, rather than just the IT industry trade press.

As I pointed out in my 2012 CircleID post, it occurred during the 3322 takeover as well, but that was all in far distant China, with nobody any local media knew being affected). In the case of No-IP, the collateral damage was immediate, hard hitting and easily visible.

This appears to have caused the tide to turn—and in record time.

Today, I saw a link to this Senate hearing, announced within days of the no-ip takedown and subsequent return.

Minutes later, I saw this other very interesting article, in which a Microsoft program manager admits to internal doubts about the efficacy of these takedowns for anything other than PR, and urges cooperation between Microsoft and the security community.

That is something I said in my 2012 CircleID post as well, and that is what several people whose opinion I respect have assured me—in personal mail, over drinks at a conference reception… but mostly if not always in a private conversation, so it is refreshing to see a public acknowledgement of this, and a good sign if such introspection is actually taking place at Microsoft.

The article says, and I quote,

Speaking in Boston at the 26th annual FIRST Conference, Holly Stewart, a Senior Program Manager at Microsoft gave a sober assessment of the software industry’s fight against cyber criminal groups and other malicious actors.

Despite some high profile take-down actions against botnets and prominent families of malicious software like Citadel, Zeus and SpyEye, the company sees the gains of such efforts as short lived. Take downs- often carried out in coordination with international law enforcement often had more value as public relations than anything else, Stewart said.

“We haven’t been able to scale enough to tip the malware problem,” Stewart told the audience.

I for one welcome our new co-operators. As Hamlet said in his soliloquy, ” ‘Tis a consummation. Devoutly to be wished”.

PS: All this is, like the disclaimer in my CircleID profile says, entirely my personal opinion and I’m, as always on CircleID, speaking only for myself.

By Suresh Ramasubramanian, Antispam Operations

Filed Under


Meanwhile, Facebook has carried out a textbook perfect botnet takedown Suresh Ramasubramanian  –  Jul 9, 2014 4:52 PM

International cooperation with providers and law enforcement across multiple countries. Arrests. A surgical takedown with what appears to be zero collateral damage.  On first sight this checks off every best practice in this area that I can think of, and is likely to prove rather more permanently effective

News of this takedown is fully worth your time spent reading it if you have anything at all to do with bot mitigation. And as it is fb, please do like and share it :).


And this is how it ends Suresh Ramasubramanian  –  Jul 10, 2014 2:40 AM

Lawsuit dropped. An interesting detail clarifying the original allegation when obtaining the TRO that vitalwerks did not respond to complaints.

They now state that they actually did not directly contact vitalwerks before obtaining the TRO because the company had not responded earlier to complaints from others.


Linkback - EFF's review of this situation Suresh Ramasubramanian  –  Jul 11, 2014 3:33 AM

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API