Microsoft, Financial Partners Seize Servers Used In Zeus Botnets

Most Zeus operations still untouched, but a noticeable dip in Zeus botnet activity spotted by one botnet-monitoring organization
Microsoft's court filings included the online aliases for the 39 John Does, which are Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits, and the JabberZeus Crew.

"Some of these individuals are said to have written the Zeus or SpyEye code, others are said to have developed exploits which helped infect victims' computers. Others are said to have been, or have recruited, money mules who laundered the proceeds of the criminal scheme," Cluley blogged today. "Ultimately, the most important thing will be to bring those who write the malware, sell the malware, buy the malware, or profit from its use to justice. Taking over web servers is one thing, but unless the people behind the Zeus and other malware operations are brought to book, the crime is just going to continue."

Meanwhile, Microsoft said in its announcement of the Zeus case that it has seen more than 13 million suspected Zeus infections worldwide, 3 million of which are U.S.-based computers. "Microsoft researchers found that once a computer is infected with Zeus, the malware automatically starts keylogging when a person types in the name of a financial or e-commerce institution, allowing criminals to gain access to people's online accounts from that point forward," Microsoft's Boscovich said in a blog post revealing Operation b71. "Zeus is especially dangerous because it is sold in the criminal underground as a crimeware kit, which allows criminals to set up new command and control servers and create their own individual Zeus botnets. These crimeware kits sell for anywhere between $700 and $15,000, depending on the version and features of the kit."

Microsoft filed the initial civil suit on March 19 against the 39 "John Does" under the Racketeer Influenced and Corrupt Organizations (RICO) Act. "By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the 'organization' were not necessarily part of the core enterprise," Boscovich said.

"Valuable evidence and intelligence gained in the operation will be used both to help rescue people's computers from the control of Zeus, as well as in an ongoing effort to undermine the cybercriminal organization and help identify those responsible," he said.

In a video posted on its website today about the operation, Microsoft's Boscovich says, "The message is clear: If you target our customers, if you target our platforms, we are going to target you."


This is the fourth anti-botnet operation led by Microsoft. The software giant also spearheaded takedowns of the Waledac, Rustock, and Kelihos botnets.
