Microsoft Seizes ZeuS Servers in Anti-Botnet Rampage

Microsoft continued its war on botnets last week with a raid that involved seizing servers controlling millions of zombie computers caught in the spell of the ZeuS malware.

Under a court order, Microsoft employees, accompanied by agents from the U.S. Marshals Service, raided two web hosting companies in Pennsylvania and Illinois on Friday, disabling web servers used as command-and-control centers for the botnets and seizing some 800 web addresses that allowed cybercriminals to infect computers in order to steal banking credentials and siphon money from victims’ accounts.

Microsoft said that the botnets had been used to steal more than $100 million from victims since 2007.

The takedown came after Microsoft filed a civil suit against 39 unnamed parties seeking permission to sever the command-and-control servers behind the ZeuS botnets.

The software giant, in conjunction with the Financial Services–Information Sharing and Analysis Center (FS-ISAC) and the National Automated Clearing House Association, invoked the Racketeer Influenced and Corrupt Organizations (RICO) Act to convince a judge that the botnets were structured and managed like traditional organized crime gangs. The plaintiffs also claimed that phishing emails the criminals used to spread their malware infringed on their trademarks and intellectual property, since some of the phishing attacks were designed to impersonate communications from Microsoft.

The novel civil action was fostered by Richard Boscovich, a former federal prosecutor who is now a senior lawyer in Microsoft’s digital crimes unit. The action is intended to supplement the activities of law enforcement agencies, whose investigations often take years to complete and seldom result in substantial disruption to criminal activities.

It’s not the first time Microsoft has attempted to take down botnets. The company previously attacked three other botnets — Waledac, Rustock and Kelihos — through similar civil suits that allowed the company to seize web addresses and associated computers. The gains from such takedowns, however, are generally short-lived. After Waledac was targeted, the criminals behind it simply altered their software to thwart easy detection and launched a new botnet.

Microsoft said in a statement that its goal in the ZeuS takedown was not to obtain a permanent shutdown of the botnets but simply to strategically disrupt their operation. By increasing the cost of running botnets, Microsoft said it hoped to cause long-term damage to the cybercriminal organizations behind them.

“We equate this to a neighborhood watch,” Boscovich told the New York Times.

The months-long investigation, codenamed Operation b71, focused on botnets using ZeuS, SpyEye and Ice-IX variants of the ZeuS family of malware, which authorities say have infected more than 13 million computers worldwide and are responsible for nearly half a billion dollars in fraudulent activity and damages.

The criminals behind the botnets spammed victims with phishing emails that lured them into clicking on links to malicious web sites, where ZeuS-based malware would infect their machines.

The malware would log keystrokes to monitor an infected user’s online activity and capture usernames and passwords, which the criminals then used to steal the victim’s identity, withdraw money from their bank accounts and make online purchases. The malware would automatically begin keylogging when an infected user typed the name of a financial institution or e-commerce web site into the browser bar.

“We don’t expect this action to have wiped out every ZeuS botnet operating in the world,” Microsoft said in a statement. “However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time. Cybercriminals are in this for the money and this action was an unprecedented strike against the illicit infrastructure on which they rely.”