Zeus sting – Microsoft strikes at heart of cybercrime botnet empire

26 Mar 2012

A consortium led by Microsoft has struck at the heart of the major cybercrime empire behind the Zeus and SpyEye botnets which have been stealing information for identity theft.

On Friday, Microsoft, in collaboration with the financial services industry, seized servers in Pennsylvania and Illinois and disrupted its activities.

The Zeus botnet is a piece of malware that once it infects a computer starts recording a user’s every keystroke to filter out information such as identity and passwords to gain access to bank accounts or e-commerce sites.

Since 2007, Microsoft says it has detected more than 13m suspected infections of the Zeus malware worldwide, including 3m computers in the US alone.

“With this action, we’ve disrupted a critical source of money making for digital fraudsters and cyberthieves, while gaining important information to help identify those responsible and better protect victims,” said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit.

“The Microsoft Digital Crimes Unit has long been working to combat cybercrime operations, and today is a particularly important strike against cybercrime that we expect will be felt across the criminal underground for a long time to come.”

This disruption was made possible through a successful pleading before the U.S. District Court for the Eastern District of New York, which allowed Microsoft and its partners to conduct a co-ordinated seizure of command and control servers running some of the worst known Zeus botnets. Because the botnet operators used Zeus to steal victims’ online banking credentials and transfer stolen funds, FS-ISAC and NACHA joined Microsoft as plaintiffs in the civil suit, and Kyrus Tech Inc. served as a declarant in the case. Other organisations, including F-Secure, also provided supporting information for the case.

Physical seizure of botnet servers

Accompanied by US marshalls, Microsoft and its partners took down two internet protocol addresses behind the Zeus command and control structure, and Microsoft is currently monitoring 800 domains secured in the operation, which are helping identify thousands of computers infected by Zeus.

This is the second time Microsoft has conducted physical seizures in a botnet operation, and it is the first time other organisations have joined Microsoft as plaintiffs in the legal case for a botnet operation.

Microsoft says it will use the intelligence gleaned from the seizure of the servers to help rescue people’s computers from the control of the Zeus botnet.

“As crimes against banks and their customers move from stickups to mouse clicks, we’re also using our own mouse clicks – as well as the law – to help protect consumers and businesses,” said Greg Garcia, a spokesperson for the three major financial industry associations that worked with Microsoft on this initiative.

“Disrupting the Zeus botnets is just one strike in our long-term commitment to help defend and protect people.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com