Building a safe internet... together!


Maarten Van Horenbeeck

Senior Program Manager

Slicing covert channels, foraging in remote memory pools, and setting off page faults

The crackling sound of crypto breaking, warm vodka martni

Hi everyone,

Together with my colleagues Jeff Williams and Holly Stewart from the Microsoft Malware Protection Center (MMPC) I am here at the 23rd Annual FIRST conference in Vienna, Austria this week.

FIRST is the Global Forum for Incident Response and Security Teams, an organization that aims to bring together computer security incident response teams from government, industry and education. FIRST is at the root of a number of standardization efforts in security, such as the Common Vulnerability Scoring System (CVSS). Its main strength, though, is that it offers incredible networking opportunities for people in the security community to find each other and collaborate on protecting internet users.

Microsoft is proud to be a Platinum sponsor of the FIRST conference, and looks forward to our continued collaboration with the valuable members of this community.

This week also marks the 3-month anniversary of an exciting project we embarked upon with many of the national incident response teams that are present here this week.

On March 17th, our colleagues at the Microsoft Digital Crimes Unit (DCU) publicly announced their successful effort to take down the notorious Rustock botnet. At the time, Rustock was estimated to have consisted of close to a million infected computers, and it was capable of sending billions of spam messages each day. These messages included advertisements for fake prescription medication, which can in some cases, be dangerous.

Microsoft has a great security group, but as a single company, we quickly realized that we would not be able to reach out to every infected customer worldwide. However, many countries have stood up Computer Security Incident Response Teams (CSIRTs), which are exactly intended to process this type of information and protect constituents. Over the last few months, we have worked with several of these organizations to further advance our joint goal of protecting and cleaning infected Rustock machines worldwide.

We would like to thank the following CSIRT partners for their contribution so far in this takedown effort:

ArCERT, Argentina
CERT.AT, Austria
Cert.BE, Belgium
CERT-BR, Brazil
CERT-EE, Estonia
CERT-FI, Finland
CERT.LV, Latvia
CERT-UA, Ukraine
Federal Office for Information Security (BSI), Germany, The Netherlands
GovCertUK, United KingdomHKCERT, Hong Kong
MYCERT, Malaysia
PISA CERT, Pakistan
Public Safety Canada – CCIRC, Canada
CERT-SA, Saudi Arabia
ThaiCERT, Thailand
TwCERT/CC, Taiwan

Each of these organizations has tirelessly worked with us over the last months to reach out to affected service providers and consumers in their constituency and ensure they were aware of tools that existed to remediate infected machines. In fact, they are part of a much larger group of organizations in the CSIRT community, some of which preferred to not be publicly called out for their efforts at this time. Microsoft values collaboration and the insights these organizations continue to provide to us on this significant challenge, which we are tackling, together.

Within the United States, Microsoft also works with a community of Internet Service Providers. In addition, anyone who owns a network range can subscribe to Smart Network Data Services (SNDS), which makes this information available to any legitimate network administrator.

If you would like to learn more about these and other efforts of Microsoft to clean the Internet of botnet activity, you can find more information at


Maarten Van Horenbeeck
Senior Program Manager, MSRC