Microsoft has taken legal action to disrupt several Zeus botnet operations, seizing two known U.S.-based command-and-control servers at the heart of the financial malware’s operations.
Our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organization that relies on these botnets for illicit gain.
Richard Domingues Boscovich, senior attorney, Microsoft Digital Crimes Unit
The action against the Zeus Trojan was undertaken Friday by Microsoft’s Digital Crimes Unit, in collaboration with two industry groups, the Financial Services – Information Sharing and Analysis Center (FS-ISAC) and NACHA, the Electronic Payments Association that manages the financial industry’s ACH Network. Microsoft took legal action in U.S. District Court for the Eastern District of New York and was granted the immediate seizure of Zeus command-and-control servers in Scranton, Penn. and Lombard, Ill., which Microsoft says are believed to be used by cybercriminals to run some of the most harmful Zeus botnets that plague the financial industry.
“We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time,” wrote Richard Domingues Boscovich, a senior attorney with the Microsoft Digital Crimes Unit, in a blog entry announcing the legal action against Zeus. “Cybercriminals are in this for the money and this action was an unprecedented strike against the illicit infrastructure on which they rely.”
Boscovich said that while it won’t completely wipe out Zeus, it will give security researchers the ability to learn more about the cybercriminal network running Zeus as well as their tactics used to gather stolen data and funnel money into their coffers. A team of researchers from security firm Kyrus Tech Inc. was also involved in the legal action. Kyrus conducted the Zeus malware analysis to identify commonalities in the malicious code.
Boscovich said Microsoft focused on botnets using the Zeus, SpyEye and Ice-IX variants of the Zeus family of financial malware. “Due to the unique complexity of these particular targets, unlike our prior botnet takedown operations, the goal here was not the permanent shutdown of all impacted targets. Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organization that relies on these botnets for illicit gain,” he wrote.
Zeus harvests online banking credentials on the infected machine: it hooks the browser to grab submitted form data and inject extra fields into banking pages, and it also logs keystrokes. The cybercriminals then use the stolen credentials to log in as the victim, withdraw money from bank accounts and make online purchases. Experts say this has been a difficult, longstanding problem for the financial industry because the attacker logs in with the customer's genuine credentials, so the authentication step alone cannot tell the two apart. Defensive technologies have therefore focused on detecting anomalous customer behavior, such as logins at unusual times or from unusual locations.
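The behavioral check the paragraph describes, as an added example that is not part of the original article or of any bank's or vendor's product: per-account baselines of usual login hours and countries are built from past logins, and each new login (assumed to have already passed password authentication) is scored on deviation from that baseline. It goes slightly beyond the article by also flagging "impossible travel", two logins too far apart to be reached at airline speed. The login records, the scoring weights, the 900 km/h limit and the alert threshold are constructed assumptions for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data): timestamp, account, country, lat, lon
BASELINE_EVENTS = """\
2012-03-01T09:12:00Z,acct-1001,US,40.71,-74.01
2012-03-02T09:40:00Z,acct-1001,US,40.71,-74.01
2012-03-05T10:05:00Z,acct-1001,US,40.71,-74.01
2012-03-06T08:55:00Z,acct-1001,US,40.71,-74.01
2012-03-07T09:30:00Z,acct-1001,US,40.71,-74.01
"""

# Three new logins that all carried the correct password: one normal, one from a
# new country 21 minutes after a New York login, one at 03:15 from the usual place.
NEW_EVENTS = """\
2012-03-08T09:20:00Z,acct-1001,US,40.71,-74.01
2012-03-08T09:41:00Z,acct-1001,UA,50.45,30.52
2012-03-09T03:15:00Z,acct-1001,US,40.71,-74.01
"""

MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than an airliner means impossible travel


def parse(text):
    """Parse the constructed CSV lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, acct, country, lat, lon = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": acct, "country": country,
            "lat": float(lat), "lon": float(lon),
        })
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def build_baseline(events):
    """Per account: countries and UTC hours seen before, plus the last login."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set(), "last": None})
    for e in sorted(events, key=lambda e: e["ts"]):
        b = baseline[e["account"]]
        b["countries"].add(e["country"])
        b["hours"].add(e["ts"].hour)
        b["last"] = e
    return baseline


def score_event(event, baseline):
    """Return (score, reasons) for one authenticated login, judging context only.
    An account with no history gets an empty baseline, so its logins are flagged."""
    b = baseline[event["account"]]
    score, reasons = 0, []
    if event["country"] not in b["countries"]:
        score += 3
        reasons.append("new country %s" % event["country"])
    # Accept hours within +/-1 of any hour previously seen for this account.
    if not any((event["ts"].hour - h) % 24 in (0, 1, 23) for h in b["hours"]):
        score += 2
        reasons.append("unusual hour %02d:00Z" % event["ts"].hour)
    last = b["last"]
    if last is not None:
        hours = (event["ts"] - last["ts"]).total_seconds() / 3600.0
        dist = haversine_km(last["lat"], last["lon"], event["lat"], event["lon"])
        if hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH:
            score += 4
            reasons.append("impossible travel %.0f km in %.1f h" % (dist, hours))
    b["last"] = event  # the next login is compared against this one
    return score, reasons


def evaluate(baseline_text, new_text, threshold=3):
    """Score every new login and return those at or above the alert threshold."""
    baseline = build_baseline(parse(baseline_text))
    alerts = []
    for e in sorted(parse(new_text), key=lambda e: e["ts"]):
        score, reasons = score_event(e, baseline)
        if score >= threshold:
            alerts.append((e["ts"].isoformat(), e["account"], score, reasons))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(BASELINE_EVENTS, NEW_EVENTS):
        print(alert)
```

The login from Ukraine scores 7 (new country plus impossible travel from New York 21 minutes earlier) and is alerted; the 03:15 login from the usual location scores only 2 for the odd hour, which shows why such scoring is tuned per institution rather than fixed. Note that the scoring deliberately ignores whether the password was right, since in the Zeus scenario it always is.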
The Zeus and SpyEye crimeware kits, sold to other criminals as builder toolkits, have created a complicated and tangled network of operators who set up their own Zeus botnets and sit back to let automated attacks steal the account credentials. Boscovich said Microsoft has detected more than 13 million suspected infections of this malware worldwide, with more than 3 million in the United States alone.
Microsoft has been taking legal action to disrupt botnet operators. It disrupted the Waledac botnet in 2010, but a year later, security experts say the botnet, which steals email account credentials, was showing a resurgence.
Spambots were also caught in Microsoft’s crosshairs. In September, Microsoft took out the Kelihos spam botnet and last March the company took out the Rustock spam botnet, taking legal action with pharmaceutical giant Pfizer to gain information about how the botnet worked. Rustock had an estimated one million infected computers operating under its control.