Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

How Microsoft & FS-ISAC Are Attacking Malware Threats

Microsoft is working to turn the tables on cybercriminals by seizing the infrastructure behind malware operations.

The cyberthreat landscape is growing more dangerous for banks, as last week's news about the JPMorgan Chase breach this past summer demonstrated. It's reasonable to expect investment in cyber security defenses to grow at many institutions to counter the increasing number of attacks. However, Microsoft is taking a different approach: It's taking down malware threats in conjunction with law enforcement. And Microsoft is now working with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to share information about malware attacks and infected IP addresses with the banking industry.

[For more on the JPMorgan breach: JPMorgan Chase Breach Impacts 76 Million Consumers]

Microsoft's Digital Crimes Unit has developed a legal process to take over the infrastructure behind malware attacks. It has already used that process to help take down the command and control of several high-profile threats, including the Shylock banking Trojan and the Citadel botnets, according to Richard Boscovich, assistant general counsel for Microsoft and senior attorney for the unit.

"We wanted to identify threats to our customers and systems and be proactive in defense, not just be reactive," Boscovich says.

He and his team use old English common laws that allow them to seize servers and infrastructure supporting specific malware operations. "These laws go back to farmers being able to reclaim their stolen cows."

Once it can get a seizure warrant, the Digital Crimes Unit can trace all the infected IP addresses associated with an attack. So far it has identified 67 million unique IP addresses infected by more than 200 distinct types of malware. All that threat information is stored in a database that Microsoft has built to share threat information for free with law enforcement and government organizations. "We want to eventually empty that database," Boscovich says.

Microsoft is now working with FS-ISAC to push the information from that database out to banks. "We're providing all of that information to FS-ISAC so they can share it with their member banks. Those banks can query our database in quasi-real-time and see if any transaction is originating from an infected IP address. By sharing this information, we think we can help further protect this ecosystem."
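The lookup described above, a bank screening a transaction's source address against a feed of infected IP addresses, is simple to sketch. The following is an added example, not code from the article, from Microsoft or from FS-ISAC; the feed layout (an indicator plus a malware family name), the transaction log layout and every address in it are constructed for illustration, and the real database's schema and query interface are not described in the article.

```python
"""Screen transaction source IPs against an infected-IP feed.

Added example, not part of the original article. The feed and log
formats below are assumptions; the addresses are documentation
ranges, constructed for this demonstration.
"""
from __future__ import annotations

import ipaddress

# Constructed feed: one indicator per line, either a single address or a
# CIDR block, with the malware family it was attributed to. The family
# names are those mentioned in the article; the addresses are invented.
FEED_CSV = """\
indicator,family
203.0.113.7,Shylock
198.51.100.0/24,Citadel
192.0.2.44,Rustock
"""

# Constructed transaction log: id,source_ip,amount
TRANSACTIONS = """\
T1001,203.0.113.7,250.00
T1002,10.0.0.5,99.95
T1003,198.51.100.77,1200.00
T1004,not-an-ip,10.00
T1005,192.0.2.45,15.00
"""


class InfectedIpFeed:
    """Exact addresses go in a dict for O(1) hits; CIDR blocks are kept
    in a list and scanned only when the exact lookup misses."""

    def __init__(self) -> None:
        self.exact: dict[ipaddress.IPv4Address | ipaddress.IPv6Address, str] = {}
        self.networks: list[tuple[ipaddress.IPv4Network | ipaddress.IPv6Network, str]] = []

    @classmethod
    def from_csv(cls, text: str) -> "InfectedIpFeed":
        feed = cls()
        for line in text.splitlines()[1:]:  # skip the header row
            if not line.strip():
                continue
            raw, family = (part.strip() for part in line.split(",", 1))
            if "/" in raw:
                # strict=False tolerates feed entries with host bits set
                feed.networks.append((ipaddress.ip_network(raw, strict=False), family))
            else:
                feed.exact[ipaddress.ip_address(raw)] = family
        return feed

    def lookup(self, ip_text: str) -> str | None:
        """Return the malware family for a matching address, else None.
        A malformed address cannot match and is reported as None so the
        caller decides how to treat it (here it is simply not flagged)."""
        try:
            addr = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            return None
        if addr in self.exact:
            return self.exact[addr]
        for network, family in self.networks:
            if addr.version == network.version and addr in network:
                return family
        return None


def screen_transactions(log_text: str, feed: InfectedIpFeed) -> dict[str, str]:
    """Map each transaction id whose source IP is in the feed to the family."""
    flagged: dict[str, str] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        txid, ip, _amount = line.split(",")
        family = feed.lookup(ip)
        if family is not None:
            flagged[txid] = family
    return flagged


if __name__ == "__main__":
    hits = screen_transactions(TRANSACTIONS, InfectedIpFeed.from_csv(FEED_CSV))
    for txid, family in hits.items():
        print(f"{txid}: source address listed as infected ({family})")
```

A hit here means the customer's own device is probably compromised, not that the customer is the attacker, so the natural response is step-up verification of the transaction and notifying the customer, which is the kind of notification the article says Microsoft can also send. With a feed the size the article describes (tens of millions of addresses), the linear scan over CIDR blocks should be replaced by a prefix tree, but the exact-match dictionary already handles the common case in constant time.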

After it takes over the infrastructure behind a botnet or malware operation, Microsoft can coordinate with law enforcement agencies to trace an attack back to the criminals involved. Among its successes so far, the Digital Crimes Unit helped Interpol and the FBI take down the Shylock banking Trojan this year, and it helped take down the Rustock botnet in 2011. "Since we took down the Rustock botnet, the price of spam has never gone back up" to where it was, Boscovich says.

Additionally, Microsoft can let users of infected IP addresses know that they've been infected. "Nine out of 10 times, they have no idea" that they're infected. "It's a win-win for us because our bank customers' customers are usually also our customers."

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

Copyright © 2018 UBM Electronics, A UBM company, All rights reserved.