Listen: Sound Of Botnets Helps Microsoft Fight Cybercrime

Apr 8, 2015

Last week Europol’s European Cybercrime Center led the takedown of a network of computers controlled by cybercriminals. Microsoft played an important role, taking legal action that led to the seizure of servers in four countries — servers that were the command and control centers for millions of infected computers worldwide.

These armies of infected computers are known as botnets. They’re computers infected with malware that turns the devices against their owners to steal banking credentials and crash websites. It’s been a silent problem. Until now.

At Microsoft’s Cybercrime Center in Redmond, the silent zombie robot armies now have a voice. It’s a sound that instantly communicates the extent of the problem of cybercrime.

"Botnets want to live their invisible lives and not announce their existence,” said Ben Rubin, media artist at The Office for Creative Research, the data design house in New York that created the system for Microsoft.  “It’s literally all around us. You and I have probably passed by half a dozen computers today that are infected with botnets.”

The sound is first rhythmic. Computers trapped in botnets are programmed to be in constant contact with their control computers, asking for orders with robotic regularity.

“Although it doesn’t sound like it, what they’re effectively saying is, what bank account should I steal from?” said David Finn, director of the Cybercrime Center. “What banks should I drain people’s money from?”

What’s heard is only a fraction of the data pouring in from millions of computers, Finn said while standing in front of the system’s visual displays. “Every 30,000 times we get a signal, you get that sound. And every 150,000 times, the city name is called out. You’ll hear — just listen for a moment.”

Robotic voices announce cities large and small: Palo Alto. London. Lethbridge in Alberta.

“You’re hearing the different location of where the infections are coming from,” Finn said. “And London and Paris will have different kinds of crime, depending on what kinds of malware were more effective in different locations.”

The sounds coming from the system allow people to hear the infected computers: the slaves. But their masters remain silent, and they are what everyone is looking for. 

Microsoft gathers information for law enforcement on the malware infections targeting its own operating systems. Here in Microsoft’s evidence room they’re looking for the data trails that will show where the control centers used by the cybercriminals are.

“A lot of what happens here are what I would think of as the preliminary, behind-the-scenes, technological, in-the-trenches work that we then hand off to law enforcement, so that law enforcement can do what only it can do,” said Finn.

“What’s done is done brilliantly by Microsoft and I’ll say our Department of Justice,” said Joe Demarest, assistant director of the FBI’s Cyber Division in Washington, D.C. “They pursue legal process — civil injunctions — to order the company to stop doing what they’re doing.”

This means going to court to take over the IP address used by the criminals, and then breaking the connection between the cybercriminals and the zombie armies. This does not stop infected computers begging for orders every couple of seconds. But at least the danger to the user and others ends there.

In Redmond, David Finn focuses the controls on a botnet called Citadel. The botnet has been taken down, but millions of infected computers are still out there.

“We can also drill down — there are different families of Citadel. So let me just show you which is kind of a cool — again, using sound to show you how the cybercriminals operate. Again you can hear the infected machines touching us. You’re hearing it instead of seeing it.”

The stew of infections in New York has a signature honk.  The stew in Tokyo sounds almost like human voices. But what can sound really tell us about cybercrime?

Rubin, the designer, says the sound patterns “might prompt someone to ask a question or wonder about something that hadn’t previously been noticed before. Why are there all these hits coming in from this particular slice of the globe?”

Finn says that “we haven’t yet reached these eureka moments of insight yet.” Except for this one: Legions of infected computers are calling out, and finally we can hear them.

This story was published originally on March 5, 2015.