ThreatPost reports that Microsoft is testing a new service to distribute information from captured botnets and other sources to partners, including foreign governments, Computer Emergency Response Teams (CERTs) and private corporations.
Microsoft expects to offer three real-time feeds, which third parties could access for free. Organizations would provide Microsoft with information on their IT infrastructure, such as an IP address block that they own. Microsoft would then filter its threat feed by that information, supplying subscribers only with data relevant to their own infrastructure. Companies could use the data to look for malware infections, or correlate data on botnet hosts with data on click fraud and other scams. CERTs might be interested in threats relevant to their region. Microsoft hopes this service will also help smaller organizations battle large, powerful, global botnets by lowering the cost of monitoring and responding to infections. The company wouldn’t give a timeline for the real-time threat feed.
Despite the proliferation of “Bad Microsoft, just fix your code” comments on the ThreatPost site, I personally see this as the right track to take given the current state of things, and applaud the moxie Microsoft is showing in the battle against malware. Yes, Microsoft and EVERY other vendor needs to constantly improve their code and coding practices. Blah blah blah. What will NEVER happen is that one day we wake up and all code is impervious to attack and exploitation. We have yet to perfect human creativity, and we are light years away from producing an unflawed anything. Give it a rest.
I hope my concerns with this are addressed before Microsoft opens the feed-gates. How will the data captured from botnet command and control servers, and I suspect from the data repositories associated with those C&Cs, be managed? Will it be handed over intact, leaving anyone infected subject to their own personal WikiLeaks in reverse (the government gets your goodies), or will it be properly sanitized to protect individual privacy? How will this data cleansing be made transparent? I trust everybody at the table, as long as I can cut the cards and watch the deal…
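To make the two mechanics above concrete, here is an added example (not Microsoft's code, and not a description of how its feed actually works) of what a subscriber-scoped, sanitized feed could look like: the operator takes the CIDR blocks a subscriber claims, releases only the sinkhole records whose victim address falls inside those blocks, strips fields that carry victims' private data (the stolen-credential payloads the post worries about), and attaches a keyed record id so the subscriber can refer back to a record without the operator ever handing over the raw capture. The feed records, the field names and the secret key are all constructed for the example.

```python
"""Scope a botnet sinkhole feed to a subscriber's netblocks and sanitize it first.

Added illustration; the record layout, field names and data are hypothetical.
"""
import hashlib
import hmac
import ipaddress

# Constructed sample sinkhole records (documentation-range addresses, not real hosts).
SAMPLE_FEED = [
    {"ts": "2011-06-01T12:00:00Z", "victim_ip": "203.0.113.45",
     "c2": "198.51.100.7", "family": "BotFamilyA", "stolen_creds": "user:pass"},
    {"ts": "2011-06-01T12:00:05Z", "victim_ip": "192.0.2.9",
     "c2": "198.51.100.7", "family": "BotFamilyA", "stolen_creds": "admin:hunter2"},
    {"ts": "2011-06-01T12:00:09Z", "victim_ip": "203.0.113.200",
     "c2": "198.51.100.8", "family": "BotFamilyB", "stolen_creds": None},
]

# Fields that never leave the feed operator: they hold the victim's own data,
# not threat intelligence the subscriber needs to clean up an infection.
SENSITIVE_FIELDS = {"stolen_creds"}


def parse_netblocks(cidrs):
    """Turn subscriber-supplied CIDR strings into network objects.

    strict=True rejects blocks with host bits set (e.g. 203.0.113.5/24), which
    is usually a typo and would otherwise silently widen the subscriber's scope.
    """
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def in_scope(ip, netblocks):
    """True if the address belongs to one of the subscriber's netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in netblocks)


def sanitize(record, key):
    """Drop sensitive fields and add a keyed id for reference back to the operator.

    The HMAC uses an operator-side secret, so the id reveals nothing about the
    fields it was derived from yet lets a subscriber ask about a specific event.
    """
    clean = {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}
    msg = f"{record['ts']}|{record['victim_ip']}|{record['c2']}".encode()
    clean["record_id"] = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    return clean


def filter_feed(feed, cidrs, key):
    """Release only sanitized records whose victim lies inside the subscriber's blocks."""
    nets = parse_netblocks(cidrs)
    return [sanitize(rec, key) for rec in feed if in_scope(rec["victim_ip"], nets)]


def summarize_by_c2(records):
    """Count in-scope infected hosts per command-and-control address (for triage)."""
    counts = {}
    for rec in records:
        counts[rec["c2"]] = counts.get(rec["c2"], 0) + 1
    return counts


if __name__ == "__main__":
    released = filter_feed(SAMPLE_FEED, ["203.0.113.0/24"], b"operator-secret")
    for rec in released:
        print(rec)
    print(summarize_by_c2(released))
```

The point of separating `in_scope` from `sanitize` is that scoping alone does not answer the privacy question: a subscriber is entitled to know that a host in its own range is beaconing to a C2, not to the credentials that host leaked, and the stripping has to happen on the operator side before any record crosses the boundary.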