Microsoft strikes at Zeus botnets

Microsoft Zeus botnet structure

Microsoft has struck again at malware operators and cybercriminals, this time raiding data centers in Pennsylvania and Illinois to seize command and control servers and domain names allegedly used to control multiple Zeus botnets. Microsoft coordinated the raid in a manner similar to the company’s successful takedown of the Rustock botnet a year ago, quietly obtaining a federal warrant on the basis of civil suits against the botnet operators, then moving swiftly to take down servers and domain names hosting the operations. However, there are new twists this time: Microsoft used the RICO anti-racketeering laws to go after the botnet operations, and for the first time it partnered with other organizations (including Kyrus Tech, the Financial Services – Information Sharing and Analysis Center (FS-ISAC) and NACHA – The Electronic Payments Association) to pull off the takedown.

“With this action, we’ve disrupted a critical source of money-making for digital fraudsters and cyberthieves, while gaining important information to help identify those responsible and better protect victims,” said Microsoft’s Digital Crimes Unit senior attorney Richard Boscovich, in a statement.

The Zeus malware is not new, but it has been one of the most successful malware operations to date. Microsoft says it has detected up to 13 million Zeus infections since 2007, with over 3 million infected systems in the United States. Zeus typically spreads via drive-by phishing scams: botnet operators send spam messages that look to be alerts from financial institutions or other organizations warning users they need to take immediate action to protect their accounts. Once users click the link, they’re taken to a site that attempts to exploit security holes in users’ browsers and/or operating systems to install malware. Once installed, Zeus can monitor the online activity of an infected computer, down to keystroke logging: when a user connects to their bank or an e-commerce site, their credentials are nabbed and sent along to the botnet operators, who then use the account details to commit fraud — or sell the information upstream to folks who will.

Microsoft was able to conduct the seizures through a successful pleading before the U.S. District Court for the Eastern District of New York, giving the company a federal warrant to perform a coordinated seizure of systems escorted by U.S. Marshals. Microsoft says the seized systems and domains represent “some of the worst known Zeus botnets”; however, it’s important to note that plenty of other Zeus operations are still out there: consumers shouldn’t let down their guard. That said, Microsoft believes the move will “significantly impact the cybercriminals’ operations and infrastructure.”

The takedown marks the first time Microsoft has used RICO to go after botnet operators — and may be the first time RICO has been applied to consolidate civil cases against botnet operators. (The civil cases are initially based on trademark law: the fake phishing emails use trademarks from Microsoft and other organizations.) It’s also the first time Microsoft has targeted multiple botnets with a single action, and the first time other plaintiffs have joined in one of Microsoft’s takedowns.