Attacks/Breaches
3/26/2012
11:15 AM
Microsoft Leads Zeus Botnet Server Shutdown

Microsoft, U.S. Marshals, and financial industry agents raid two Zeus botnet server farms whose operators allegedly stole more than $100 million and infected 13 million PCs with malware.

For the second time in less than a year, Microsoft has helped bust a botnet.

On Friday, U.S. Marshals, together with representatives from Microsoft and two financial industry associations, seized Zeus botnet command-and-control (C&C) servers located at two hosting centers in Lombard, Ill., and Scranton, Pa. Microsoft said it also took down the two IP addresses that were associated with the servers, and said that it's continuing to monitor 800 domain names that were related to the C&C servers, in part to help identify the thousands of infected PCs that still try to check in with them.
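Monitoring the seized domains works because infected PCs keep beaconing to them after the real C&C is gone; whoever now answers those names sees the victims' source addresses. The script below is an added illustration of that triage step, not Microsoft's or the plaintiffs' tooling. It assumes a hypothetical one-line-per-request sinkhole log format (client IP, timestamp, request line, status, Host header, User-Agent), assumes a bot check-in is an HTTP POST to the gate path configured in the bot (gate.php is a common default in Zeus 2.x builds; the article does not say which paths these servers used), and uses a constructed domain list and constructed log lines in documentation address ranges.

```python
"""Enumerate Zeus-infected hosts from a sinkhole web server's access log.

Added example, not code from the article or from Microsoft. Log format, gate
path and domain list are assumptions; the sample log is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-in for the list of monitored (sinkholed) C&C domains.
SINKHOLED_DOMAINS = {"c2-one.example", "c2-two.example"}

# Assumption: the bot's configured check-in endpoint.
GATE_PATHS = ("/gate.php",)

# Source addresses that cannot be real victims on a public sinkhole
# (the hosting center's own monitoring, misconfigured probes, etc.).
NON_ROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Hypothetical log format:
#   <ip> [<timestamp>] "<method> <path> <proto>" <status> "<host header>" "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two bots (one checks in twice), a crawler, a request for
# a domain we do not monitor, and a probe from a non-routable address.
SAMPLE_LOG = """\
203.0.113.7 [26/Mar/2012:10:01:12 +0000] "POST /gate.php HTTP/1.1" 200 "c2-one.example" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.23 [26/Mar/2012:10:01:40 +0000] "POST /gate.php HTTP/1.1" 200 "c2-two.example" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
203.0.113.7 [26/Mar/2012:10:31:12 +0000] "POST /gate.php HTTP/1.1" 200 "c2-one.example" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.55 [26/Mar/2012:10:02:03 +0000] "GET /robots.txt HTTP/1.1" 404 "c2-one.example" "Googlebot/2.1"
203.0.113.99 [26/Mar/2012:10:03:00 +0000] "POST /gate.php HTTP/1.1" 200 "unrelated.example" "Mozilla/4.0"
10.0.0.5 [26/Mar/2012:10:04:00 +0000] "POST /gate.php HTTP/1.1" 200 "c2-two.example" "curl/7.21"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["host"].lower().rstrip(".")
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_bot_checkin(rec, domains=SINKHOLED_DOMAINS):
    """True for a victim beacon: POST to a gate path on a monitored domain from a routable IP."""
    if rec is None or rec["host"] not in domains:
        return False
    if rec["method"] != "POST" or rec["path"].split("?", 1)[0] not in GATE_PATHS:
        return False
    try:
        addr = ip_address(rec["ip"])
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def triage(log_text, domains=SINKHOLED_DOMAINS):
    """Group infected client IPs by the C&C domain they beaconed to.

    Returns {domain: {ip: (first_seen, last_seen, hits)}}, i.e. a per-victim
    record with timestamps suitable for handing to the victim's ISP or CERT.
    """
    victims = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not is_bot_checkin(rec, domains):
            continue
        first, last, hits = victims[rec["host"]].get(rec["ip"], (rec["ts"], rec["ts"], 0))
        victims[rec["host"]][rec["ip"]] = (min(first, rec["ts"]), max(last, rec["ts"]), hits + 1)
    return dict(victims)


def unique_victims(report):
    """Distinct infected IPs across all monitored domains."""
    return {ip for per_domain in report.values() for ip in per_domain}


if __name__ == "__main__":
    rpt = triage(SAMPLE_LOG)
    for domain, hosts in sorted(rpt.items()):
        for ip, (first, last, hits) in sorted(hosts.items()):
            print(f"{domain}\t{ip}\t{hits} check-ins\t{first:%Y-%m-%d %H:%M}..{last:%H:%M}")
    print(f"{len(unique_victims(rpt))} unique infected hosts")
```

Two points a practitioner would keep in mind: a source IP is a NAT gateway at least as often as it is a single PC, so counts like "thousands of infected PCs" derived this way are lower bounds, and the non-routable filter is there because the log also records your own health checks and researchers' scanners, which must not end up in an ISP notification.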

The botnet takedowns occurred after Microsoft, together with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the National Automated Clearinghouse Association (NACHA), filed a civil complaint--and successfully argued it--in the U.S. District Court for the Eastern District of New York. Microsoft said that security firms Kyrus Tech and F-Secure also provided information and analysis that helped with the takedowns.


The complaint, unsealed Friday, accused 39 "John Does" of "controlling computer botnets thereby injuring plaintiffs, and their customers and members." All told, the accused allegedly infected 13 million PCs with Zeus botnet software over a five-year period, allowing them to steal over $100 million. They're also accused of using the botnet to send massive quantities of spam. While the complaint named no real names, it listed 65 aliases associated with the 39 John Doe defendants, including Benny, Bentley, D frank, and Daniel Hamza, as well as Denis Lubimov, Lucky, Mr. ICQ, Noname, petr0vich, Veggi Roma, and the JabberZeus Crew.

"Some of these individuals are said to have written the Zeus or SpyEye code, others are said to have developed exploits which helped infect victims' computers. Others are said to be, or have recruited, money mules who laundered the proceeds of the criminal scheme," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

Many online criminals favor Zeus botnet software for stealing people's personal financial information, and both FS-ISAC and NACHA said in a statement that they joined the complaint precisely "because the botnet operators used Zeus to steal victims' online banking credentials and transfer stolen funds."

Saturday, Microsoft posted a legal notice--together with copies of all related court paperwork--warning defendants named in the complaint that they had just 21 days to file a "motion" or "answer" in the case, or face a default judgment against them. Notably, Microsoft and the other plaintiffs are seeking not just a permanent injunction covering the IP addresses used by the Zeus C&C servers, but also "other equitable relief and damages."

Last year, also using a civil complaint, Microsoft helped authorities to bust the Kelihos botnet. But last week's Zeus takedown marks the first time that Microsoft has helped dismantle multiple botnets at once.

"Because of the complexities of these targets, unlike Microsoft's previous botnet operations, the goal of this action was not to permanently shut down all impacted Zeus botnets," according to a statement released by Microsoft. "However, this action is expected to significantly impact the cybercriminals' operations and infrastructure, advance global efforts to help victims regain control of their infected computers, and also help further investigations against those responsible for the threat."

Another notable aspect of the case is that it's "the first time that Microsoft's legal team has used the Racketeer Influenced and Corrupt Organizations (RICO) Act as part of a botnet takedown. RICO is usually directed at 'the mob' or more generally organized crime gangs," said Sean Sullivan, security advisor at F-Secure Labs, in a blog post. "This is indeed a very useful legal move for Microsoft, because there are plenty more of ZeuS botnets out there," as well as gangs running them. The abuse.ch ZeuS Tracker, for example, on Monday listed 359 Zeus C&C servers online.

But will the Zeus botnet server takedown really cut into cybercrime? "Ultimately, the most important thing will be to bring those who write the malware, sell the malware, buy the malware, or profit from its use to justice," said Cluley at Sophos. "Taking over Web servers is one thing, but unless the people behind the Zeus and other malware operations are brought to book, the crime is just going to continue."


Comments
Andrew Hornback
User Rank: Apprentice
4/2/2012 | 3:40:56 AM
re: Microsoft Leads Zeus Botnet Server Shutdown
It's great that Microsoft is taking steps to help track down and bring an end to these sorts of organizations.

I would also like to see Microsoft do more to publicize what they're doing to help the end users protect themselves to keep these sorts of problems from getting any bigger, especially since Zeus supposedly only infects Windows systems.

An ounce of prevention is worth a pound of cure.

Andrew Hornback
InformationWeek Contributor
Bprince
User Rank: Ninja
3/29/2012 | 2:23:52 AM
re: Microsoft Leads Zeus Botnet Server Shutdown
I agree with the comment at the end by Graham Cluley, but shutting down the servers and interrupting the money stream is the next best thing.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
EVVJSK
User Rank: Apprentice
3/27/2012 | 1:37:38 PM
re: Microsoft Leads Zeus Botnet Server Shutdown
Microsoft seems to be struggling in some areas to understand what customers want (Windows 8 and Windows Phone), but with respect to security and shutting down dangerous malware, viruses and bots, Microsoft seems to have learned that what is good for its customers is also good for it! I applaud Microsoft working to make the Internet a safer and better place.