REDMOND, Wash. (3/28/12)--Botnets using Zeus malware to steal from online banking accounts suffered a lightning bolt hit after Microsoft and a coalition of financial industry players took coordinated, global, legal and technical actions last week to disrupt key Zeus botnet command and control servers responsible for the theft of hundreds of millions of dollars.
The action, against the worst known cybercrime operations, was carried out by Microsoft, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and NACHA, The Electronic Payments Association, with assistance from Kyrus Tech Inc. and F-Secure, said the coalition in a press release Sunday.
Microsoft, FS-ISAC and NACHA filed a civil lawsuit in the U.S. District Court for the Eastern District of New York against 39 John Does and sought to conduct a coordinated seizure of command and control servers running some of the worst known Zeus botnets.
On Friday, escorted by U.S. Marshals, Microsoft and the co-plaintiffs seized command and control servers in two hosting locations--BurstNet of Scranton, Pa., and Continuum Data Centers, Lombard, Ill. (USA Today March 26). They seized and preserved data and virtual evidence from the botnets for the court case and took down two Internet Protocol addresses behind the Zeus command and control structure.
Microsoft is currently monitoring 800 domains secured in the operation, which are helping identify thousands of computers infected by Zeus.
The action is good news for credit unions and other financial institutions burdened with reissuing debit and credit cards after data breaches by cybercriminal groups, but the problem is far from over. The actions taken last week caused major disruptions, but the Zeus botnets are notorious for their complexity and adaptability, and for staying a step ahead of law enforcement. The key value of the actions is the information they gathered about the criminal operations.
The coalition's action "disrupted a critical source of money-making for digital fraudsters and cyberthieves, while gaining important information to help identify those responsible and better protect victims," said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit.
Once a computer is infected with Zeus, the malware can monitor the victim's online activity and automatically start keylogging (recording every keystroke) when a victim types in the name of a financial institution or e-commerce site. The criminals then steal personal information for identity theft, to make fraudulent purchases or to access other private accounts.
Since 2007, Microsoft has detected more than 13 million suspected infections of the Zeus malware worldwide, including three million computers in the U.S. More than $100 million has been stolen in the U.S. in the past five years (IDG News Service March 26). Microsoft's lawsuit identifies 39 John Does, who use 65 online aliases (PCWorld.com March 25). Many are identified only by nickname in the suit.
This is the second time Microsoft has conducted physical seizures in a botnet operation, and the first time other organizations have joined as plaintiffs in a legal case on a botnet operation.
It also is the first operation for Microsoft that involved simultaneous disruption of multiple operating botnets in a single action and the first known time it has applied the Racketeer Influenced and Corrupt Organizations (RICO) Act in a consolidated civil case to charge the botnet users.
Unlike Microsoft's previous botnet seizures, the goal of this action was not to permanently shut down all impacted botnets, but to gather intelligence and to undermine the criminal infrastructure that relies on the botnets to make money. It also will provide new tools to fight the cybercrimes, said the coalition's press release.
The group also made these recommendations to computer users:
- Use safe practices such as running up-to-date and legitimate computer software, firewall protection and antivirus or antimalware protection.
- Use caution in surfing the Web and clicking on ads or e-mail attachments that may be malicious.
- Use free information and malware cleaning tools if the computer is suspected to have a malware infection. (See the malware cleaning tools link.)
For businesses looking for information about corporate account takeovers, including those due to malicious software, use the link to a fraud advisory from FS-ISAC, the Federal Bureau of Investigation and the U.S. Secret Service.