By Joseph Menn
REDMOND, Washington (Reuters) - The maker of the most popular computer operating system in the world is launching a new strategy against criminal hackers by bringing together security engineers, digital forensics experts and lawyers trained in fighting software pirates under one roof at its new Cybercrime Center.
Microsoft Corp's expanded Digital Crimes Unit inside the 16,800-square-foot, high-security facility combines a wide array of tactics that have worked the best: massive data gathering and analysis, gumshoe detective work, high-level diplomacy and creative lawyering.
The new approach, to be launched on Thursday, is the latest attempt to close the gap created in the past decade as criminal hackers innovated in technology and business methods to stay ahead of adversaries mired in the slow-moving world of international law enforcement.
Already, many of the biggest victories against organized online criminals have come when private companies have worked together to seize control of the networks of hacked computers, called botnets, that carry out criminal operations. Though it is at times derided for the security shortfalls in its own products, Microsoft has led more of those seizures than any other company.
"Cybercrime is getting worse," Digital Crimes Unit chief David Finn told Reuters during an exclusive visit to the Redmond, Washington, campus building this week. But Finn hopes that by mixing specialists from various professional arenas, Microsoft can get better.
The center features a lab for dissecting malicious software samples that is accessible only with fingerprint authorization. In another room, a monitor tracks the countries and Internet service providers with the greatest number of machines belonging to some of the worst botnets.
Next to a situation room with a wall-sized, touch-screen monitor sit rows of empty offices for visiting police, Microsoft customers or other allies expected to join specific missions for days or weeks at a time.
There are hundreds or thousands of botnets, and Microsoft is trying to get only the biggest or most damaging, or else to pursue fights that would establish key precedents.
In the past few years "at least half of the major, significant takedowns have been driven by Microsoft," said Steve Santorelli, a former Microsoft investigator and Scotland Yard cybercrime detective who now works at a security nonprofit group called Team Cymru.
Microsoft has tangled with a Mexican mafia family that proudly put brand labels on pirated Xbox game CDs, a ring that took online payments via a parking garage in Malaga, Spain, and a Russian virus writer paid with a paper bag full of cash -- by a 12-year-old boy on a bike.
Outside security experts praised the cross-pollination of fraud, security and software specialists.
"That kind of integration is only for the better. The financial sector has been thinking along those lines as well," said Greg Garcia, a former cybersecurity official at the Department of Homeland Security and at Bank of America who now advises the banking industry's main cybersecurity coordination group, known as FS-ISAC.
The crimes unit doesn't tackle government spying, where Microsoft is among the major Internet companies that have turned over large amounts of data on users to the U.S. National Security Agency (it is suing for the right to disclose how much). And another unit within Microsoft is in charge of making the company's products less susceptible to hacking.
PIRACY SQUAD PROTECTS WINDOWS
About 80 of the crime unit's 100 staffers have focused on the piracy of Microsoft products, with far fewer devoted to deconstructing the methods of criminals attacking Microsoft users and stopping them when possible.
But time and again, the piracy squad has found counterfeiters who were using botnets that also sent spam or attacked websites with denial-of-service attacks, or who slipped malicious software into copied Microsoft wares, or who had other ties to broader security issues.
In one test, undercover Microsoft employees bought 20 new computers in China the way average consumers would. All had pirated versions of Windows, and all had at least traces of malicious software. An expanded pool of 169 machines included 18 percent ready to receive electronic commands as part of a botnet called Nitol.
More critically, the piracy people bring experience with unusually powerful U.S. copyright laws. With a strong preliminary showing in court that their goods are being misrepresented, copyright owners can win orders allowing them to seize the offending property without prior notice.
In an innovative and aggressive twist, Microsoft has been using that law to seize website addresses, including those used by criminals to control botnets.
"Microsoft really has done a very positive job in a couple of areas, and one of those is construction of legal frameworks that create precedents that allow future actions," said Jeff Williams, head of security strategy at Dell Inc's SecureWorks Counter Threat Unit.
The Nitol case was remarkable in that it and other botnets were connecting to 70,000 addresses at a Chinese web domain-name seller called 3322.org. Microsoft won the right to filter all connections to those addresses and blocked more than 7 million attempts in 16 days. The owner of 3322 agreed to settle Microsoft's lawsuit and to drop other bad addresses identified by Microsoft or Chinese Internet security officials in the future.
Microsoft also felled a botnet called Rustock, once one of the biggest sources of spam on the planet. More recently, it teamed with banks to seriously hurt two operations that sell do-it-yourself kits for crafting smaller botnets that have stolen hundreds of millions of dollars from online accounts.
The takedowns are often dramatic, with armed raids on multiple locations where servers are housed. If there are many control computers and they don't get disconnected within minutes of one another, the surviving machines can issue new commands and recreate the entire network.
During one raid in Pennsylvania, an executive at the bad web page's hosting company was cooperating when the site's owner realized what was happening and changed his password from afar, locking out the official. The Microsoft team pulled out the cables to save the day.
Finn and Microsoft crime expert Richard Boscovich, a fellow former federal prosecutor, said they are working on new means to take down even more sophisticated botnets, which are controlled through a peer-to-peer mechanism instead of through centralized servers.
"You'll be seeing some interesting stuff in the near future," Boscovich promised. "This is an area where what is good for the business is good for society."
(Reporting by Joseph Menn)