Microsoft, Partners Lead Federal Raid on Zeus Botnet Ring

Microsoft has scored a significant victory in its war on cybercrime by disrupting a major ring whose use of malware has cost victims $477 million since 2005.

Escorted by U.S. Marshals, Microsoft and some of its key partners in the financial services and IT security industries on Friday raided two sites used by the operations spreading the Zeus family of malware.

The takedown of the command and control servers in Scranton, Pa. and Lombard, Ill. represents Microsoft's most complex botnet disruption to date and the fourth high-profile seizure under the company's Project MARS (Microsoft Active Response for Security) initiative, according to Microsoft.

Zeus has been a priority target for banks and financial services firms because it covertly captures the user names and passwords of unsuspecting victims through keylogging. Keylogging is a technique that records every keystroke, including user IDs and passwords as they are typed, enabling criminals to use the stolen credentials to make fraudulent purchases and move money out of bank accounts.

Zeus is a further threat to the financial services industry because its purveyors sold it as a kit, letting other criminals stand up their own command and control servers and build their own Zeus botnets. Microsoft said it has identified more than 13 million Zeus infections worldwide, 3 million of them in the United States.

Microsoft's Digital Crimes Unit (DCU) coordinated its effort with the Financial Services - Information Sharing and Analysis Center (FS-ISAC), NACHA - The Electronic Payments Association, and Kyrus Tech Inc.

Kyrus is a consultancy that conducts vulnerability research, incident response, digital forensics, penetration testing and security application development services, according to its Web site. It reverse-engineered the binaries tied to Zeus, the company said in a blog post that provides a detailed breakdown of how Kyrus analyzed the Zeus malware to determine its most dangerous components.

Friday's seizure of the two command and control centers caps a months-long investigation and legal process in which Microsoft and its partners obtained a court order authorizing the seizure after pleading their case before the U.S. District Court for the Eastern District of New York. Microsoft, FS-ISAC and NACHA filed the complaint on March 19, naming the defendants John Does 1-39. The plaintiffs relied on the civil provisions of the Racketeer Influenced and Corrupt Organizations (RICO) Act as the legal basis for their move to seize the Zeus facilities.

That legal maneuver was critical to the group's effort to thwart the sophisticated ring, said Richard Domingues Boscovich, a senior attorney in Microsoft's DCU, in a blog post.

"In criminal court cases, the RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets," Boscovich said. "By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the 'organization' were not necessarily part of the core enterprise."

Microsoft describes Zeus, which its products detect as PWS:Win32/Zbot, as "a password-stealing trojan that monitors for visits to certain websites. It allows limited backdoor access and control and may terminate certain security-related processes." In early January, the FBI stepped up its own efforts against Zeus after a new variant began spreading through e-mails that appeared to come from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank or the Federal Deposit Insurance Corporation (FDIC).

Friday's raid captured infrastructure belonging to the most disruptive known iteration of the Zeus botnets, according to Boscovich, who said Microsoft will use the seized evidence to help remediate infected machines and to continue its effort to shut down the overall operation and identify those involved.

Boscovich noted that, unlike the three prior botnet takedowns orchestrated by Microsoft, the Zeus operation was too complex to eradicate outright. The action nonetheless disrupted the botnets' operations enough to reduce their threat, with the goal of inflicting significant and lasting damage on the organization behind them.

Working under the code name "Operation b71," the team focused on botnets built from the Zeus, SpyEye and Ice-IX variants of the malware, considered the most dangerous of these Trojans.

Paul Kocher, president of San Francisco-based Cryptography Research Inc., noted that Microsoft has mounted a significant campaign against botnets and spam. "Anti-spam and anti-botnet efforts are the security world's analogue to superheroes rescuing people from burning high-rises," he said in an e-mail. That said, Kocher warned against presuming this is the end of such threats.

"Botnets are often multi-headed hydras, so the degree of impact from any given beheading can take a little while to become clear and may be limited. As a result, I view this as another step in a long messy battle, not a decisive victory," Kocher said.

"We don't expect this action to have wiped out every Zeus botnet operating in the world," Boscovich acknowledged. "However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time."

About the Author

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.