by mschuster91 2454 days ago
> They run the executable in an environment where network connectivity is available.

Why does MS run unknown executables? On the other hand, should be a nice DDoS provider for blackhats...

3 comments

I'm sure Microsoft is keeping a very close eye on what they are actually doing. Run them in a virtual environment, see what they do to the environment and what internet communications they make. When it's done destroy the environment.

If it tried to do something like a DDoS it would be identified as doing so and marked as malware, end of test.

> I'm sure Microsoft is keeping a very close eye on what they are actually doing.

This seems like a questionable assumption. Microsoft is in the media for being "better" these days, but doing this at all seems like bad judgement. MSFT has lawyers to win a fair use case, I'll agree to that, but large corporations don't have a lot of incentive to minimize negative externalities, because of the lawyers and money for lawyers.

Oh c'mon. Microsoft takes security seriously and is genuinely trying to make sure Windows users aren't plagued with malware. And internally, Microsoft has a good track record of not having any data breaches.
Even with utter cynicism, "Microsoft hosts DOS attack on Apple" is such a disastrous headline that it's well worth avoiding, and that's before getting into any liability for botching something like this.
Perhaps it's not running the EXE but instead identifying URLs in the code, cURLing them to see what it gets, and doing so to verify what they get isn't malware?
The software in question (called Beacon) is designed to call home. The binary has built-in cryptographic keys and it sends traffic encrypted. The receiving end, called Home, receives these packets, decrypts it and verifies the sender and after that gives an alert.

The exe must have been running to be able to generate the proper encrypted payload and send it to the right place. In this case ports 20 and 1025 over TCP.

Disclaimer: I am one of the people who wrote the software.
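The point of the comment above is that only a process actually executing with the embedded key can produce a report that Home accepts. The following is an added illustration of that idea, not the real Beacon/Home code: a constructed beacon signs its report with an embedded per-beacon key (HMAC rather than full encryption is an assumption made here for brevity), and the receiver verifies the sender, rejects forgeries, stale messages and replays, and only then raises an alert.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values: in the real product the key is baked into the binary.
BEACON_KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                           "00112233445566778899aabbccddeeff")
BEACON_ID = "beacon-demo-001"   # constructed identifier
MAX_SKEW_SECONDS = 300          # reject reports far from the receiver's clock


def beacon_call_home(key: bytes, beacon_id: str, now: float, nonce: bytes = b"") -> bytes:
    """Beacon side: build a report whose tag only a holder of `key` can produce."""
    nonce = nonce or secrets.token_bytes(16)
    body = json.dumps({"id": beacon_id, "ts": int(now), "nonce": nonce.hex()},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag          # wire format: <json>.<hex tag>


class Home:
    """Receiving side: authenticate the report, then alert."""

    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys                 # beacon id -> embedded key
        self.seen_nonces: set[str] = set()
        self.alerts: list[dict] = []

    def receive(self, wire: bytes, now: float) -> bool:
        body, sep, tag_hex = wire.rpartition(b".")
        if not sep:
            return False                 # malformed
        try:
            msg = json.loads(body)
            key = self.keys[msg["id"]]   # unknown sender -> KeyError
            tag = bytes.fromhex(tag_hex.decode())
        except (ValueError, KeyError, TypeError, UnicodeDecodeError):
            return False
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                 # forged or tampered report
        if abs(now - msg["ts"]) > MAX_SKEW_SECONDS:
            return False                 # stale report
        if msg["nonce"] in self.seen_nonces:
            return False                 # replayed report
        self.seen_nonces.add(msg["nonce"])
        self.alerts.append({"id": msg["id"], "ts": msg["ts"]})
        return True
```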

String obfuscation is trivial to do so I have a feeling they're actually running the binaries in order to do anything. Just a feeling, though - I don't think the author of the post stuck around long enough to see if the remote instance behaved as it should.
Maybe not DDoS - I doubt that MS allows that service to have that much throughput, but if you wanna try to get past someone's firewall rules, like the author points out - people may whitelist those particular IPs.