The long arm of Microsoft tries taking down Zeus botnets

Microsoft and its allies seized control servers Friday in two states as part of an operation to not just stop the botnets but also to disrupt how criminals use them.

Stephen Shankland principal writer

Microsoft and financial services organizations, with an escort of U.S. Marshals, seized command-and-control servers Friday to take down botnets allegedly used to steal more than $100 million using an estimated 13 million computers infected with the Zeus malware.

After raids in Scranton, Pa., and Lombard, Ill., "some of the worst known Zeus botnets were disrupted by Microsoft and our partners worldwide," Microsoft announced Sunday night in a post by Richard Domingues Boscovich, senior attorney with Microsoft's Digital Crimes Unit.

The defendants allegedly installed the Zeus malware and close relatives called Ice-IX and SpyEye onto victims' computers, according to a lawsuit filed against the alleged Zeus botnet creators and operators last week. (See below for the full suit.) The botnet operators used the software to show fake or modified Web sites when victims tried to use real banking sites, log their keystrokes to capture victims' identity information, and then use that information to steal money from victims' accounts.

To take down the operation, Microsoft also took over Internet traffic that had been used to operate 3,357 botnets, according to the court's temporary restraining order. (See below for the temporary restraining order, in two parts.)

The seizure was made after the U.S. District Court for the Eastern District of New York approved the operation; Microsoft and its partners had filed a motion to seize the computers and sued 39 as-yet-unnamed defendants who go by nicknames such as Slavik, zebra7753, iceIX, Veggi Roma, susanneon, JabberZeus Crew, and h4x0rdz.

"The United States Marshals and their deputies shall be accompanied by plaintiffs' attorneys and forensic experts at the foregoing described seizure, to assist with identifying, inventorying, taking possession of, and isolating defendants' computer resources, command and control software, and other software components that are seized," the court's seizure order stated. It also said the U.S. Marshals would preserve up to four hours of Internet traffic before disconnecting the computers from the Internet.

Microsoft has made similar moves before, but this was the first time others were involved: joining the company's Digital Crimes Unit were the Financial Services Information Sharing and Analysis Center (FS-ISAC), a trade group representing 4,400 financial institutions, and NACHA, the Electronic Payments Association, which operates the ACH system for electronic funds transfer. In addition, Kyrus Tech supported Microsoft's case.

The Zeus family of malware runs in the background of an infected computer, logging keystrokes so criminals can transfer money out of bank accounts, make purchases with others' money, and engage in identity theft, Microsoft said. Command-and-control computers run networks of infected machines called botnets, and Microsoft and its partners seized what they say are the servers that handle this command operation.

Fourth botnet takedown
Microsoft has made similar moves against the Waledac, Rustock, and Kelihos botnets. But this operation was different, and not just because other partners were involved, Microsoft said.

This screenshot, shown in a Microsoft declaration, shows an alleged Zeus botnet command-and-control server's control panel with a list of screenshots containing victims' login credential information. (Credit: Mark Debenham, senior manager of investigations in Microsoft's Digital Crimes Unit)

"Due to the unique complexity of these particular targets, unlike our prior botnet takedown operations, the goal here was not the permanent shutdown of all impacted targets," Microsoft said. "Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organization that relies on these botnets for illicit gain."

And disrupting that operation is a potentially big deal: Microsoft estimates there are 13 million computers infected with Zeus and its variants, 3 million of them in the United States.

"Zeus is especially dangerous because it is sold in the criminal underground as a crimeware kit, which allows criminals to set up new command and control servers and create their own individual Zeus botnets," Microsoft said. "These crimeware kits sell for anywhere between $700 to $15,000, depending on the version and features of the kit."

Microsoft and its partners accused the defendants of violating the Computer Fraud and Abuse Act, the CAN-SPAM Act, and the Electronic Communications Privacy Act, of various trademark-related claims under the Lanham Act, and of violating the Racketeer Influenced and Corrupt Organizations Act (RICO).

The partners involved in the suit include FS-ISAC, a trade organization with 4,400 members such as banks, credit unions, brokerage firms, insurance companies, and payment processors. NACHA, meanwhile, operates the Automated Clearing House (ACH) network used to transfer money among financial institutions.

Operation b71
Microsoft's case, with the code name Operation b71, took months to investigate. Many of its details are laid out in the lawsuit.

Close relatives of the Zeus malware go under the names Ice-IX and SpyEye. Microsoft said John Doe 1, who goes by the names Slavik, Monstr, IOO, and Nu11, is the creator of Zeus. John Doe 2, aka zebra7753, lexa_mef, gss, and iceIX, created the Zeus family member called Ice-IX, Microsoft said, and John Doe 3, aka Harderman and Gribodemon, created another family member called SpyEye, the complaint said.

John Doe 5, aka miami and miamibc, John Doe 9, aka Kusunagi, and John Doe 38, aka jheto2002, are other developers involved, writing "Web inject" code that the malware uses on already-infected computers to alter the banking pages victims see, the complaint said. Some other defendants also were involved in developing the software.

John Doe 4, aka Aqua, aquaSecond, percent, cp01, and other aliases, recruits "money mules" whose job it is to travel to different countries to create bogus bank accounts into which victims' money is transferred. Several of the other John Does are these money mules. John Does 23 and 24, aka jtk and Veggi Roma, respectively, also recruited money mules, the lawsuit said.

Microsoft's lawsuit shows the locations of Zeus botnets in the Eastern District of New York, where Microsoft and its allies filed their lawsuit. (Credit: Microsoft court filing)

Many of the other defendants purchased and used the Zeus family of malware, the lawsuit said.

The Zeus software first emerged in 2007, with the formerly independent SpyEye software merging in October 2010 and Ice-IX arriving in May 2011 with extra antivirus-avoiding features, the suit said. John Does 1, 2, and 3 sold the software in "builder kits."

"The Zeus Racketeering Enterprise"
All the John Does form what the lawsuit calls "the Zeus Racketeering Enterprise."

"The Zeus Racketeering Enterprise has existed since at least October of 2010, when John Doe 1 and John Doe 3 merged their respective botnet operations into a single, consolidated global credential-stealing botnet. John Doe 2 joined and began participating in the Zeus Enterprise at an unknown date prior to fall of 2011. Other Defendants identified as John Does 4-39 joined and began participating in the Zeus Enterprise at various times thereafter," the suit said.

The group gets its software onto computers by sending malicious spam e-mails purporting to be requests to update bank information, download IRS tax statements, read electronic greeting cards, and otherwise click a link to a malware site.

Infected computers in the botnet are used to send such spam, the suit said--and there's lots of it. "At one point in August 2011, such spam emails infringing NACHA's trademarks were as high as 167 million emails in a 24 hour period. By contrast, the normal volume for authentic outbound email messages from NACHA is only 1,500 emails per day," the suit said.

An infected machine loads banking Web site templates from malware sites; those templates carry extra code that inserts new data-gathering fields into online banking forms as the victim views them. Botnet operators therefore can harvest victims' ATM PINs, social security numbers, mothers' maiden names, and other data that the victims' real banks would never ask for on those pages, the lawsuit said.
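To make the mechanism concrete, here is an added example (it is not code from the article or from Microsoft's court filings) of a simplified web inject and of the kind of integrity check a bank's page or a browser extension could run against it. The bank login form and the inject rules are constructed for illustration; the rule layout (a URL pattern plus "before", "inject" and "after" anchors) is modelled on the widely described Zeus-style configuration format, which is an assumption here rather than a quote from the complaint.

```javascript
// Added example, not from the article or the Zeus complaint.
// Models what a web inject does to a page on an infected machine, then
// shows a check that flags form fields the real bank never sent.

// Constructed sample: the login form the real bank serves.
const BANK_LOGIN_HTML = `
<form id="login" action="https://bank.example/login" method="post">
  <label>User ID <input name="userid"></label>
  <label>Password <input name="password" type="password"></label>
  <button type="submit">Sign in</button>
</form>`;

// Constructed inject rules. The set_url / data_before / data_inject /
// data_after layout is an assumption modelled on Zeus-style configs.
const INJECT_RULES = [
  {
    set_url: "https://bank.example/login*",
    data_before: '<label>Password <input name="password" type="password"></label>',
    data_inject:
      '\n  <label>ATM PIN <input name="atm_pin"></label>' +
      "\n  <label>Mother's maiden name <input name=\"maiden_name\"></label>" +
      '\n  <label>SSN <input name="ssn"></label>\n  ',
    data_after: '<button type="submit">Sign in</button>',
  },
];

// Field names the genuine login page is known to contain (bank-side allowlist).
const EXPECTED_LOGIN_FIELDS = ["userid", "password"];

// Match a URL against a simple "*" glob, escaping everything else.
function globMatch(pattern, url) {
  const re =
    "^" +
    pattern
      .split("*")
      .map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
      .join(".*") +
    "$";
  return new RegExp(re).test(url);
}

// Apply every rule whose URL pattern matches: the markup between the
// data_before and data_after anchors is replaced by data_inject, so the
// victim sees extra fields on what is otherwise the genuine bank page.
function applyInjects(url, html, rules) {
  let out = html;
  for (const rule of rules) {
    if (!globMatch(rule.set_url, url)) continue;
    const before = out.indexOf(rule.data_before);
    if (before < 0) continue; // anchor missing; rule is a no-op
    const from = before + rule.data_before.length;
    const after = out.indexOf(rule.data_after, from);
    if (after < 0) continue;
    out = out.slice(0, from) + rule.data_inject + out.slice(after);
  }
  return out;
}

// Pull the name attribute of every <input> in the page, in document order.
function formFieldNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Detection: any input whose name is not on the bank's allowlist is a
// field the bank did not send, which is exactly what a web inject adds.
function unexpectedFields(html, expected) {
  const allowed = new Set(expected);
  return formFieldNames(html).filter((n) => !allowed.has(n));
}

function demo() {
  const clean = BANK_LOGIN_HTML;
  const injected = applyInjects("https://bank.example/login?lang=en", clean, INJECT_RULES);
  return {
    cleanExtra: unexpectedFields(clean, EXPECTED_LOGIN_FIELDS),       // []
    injectedExtra: unexpectedFields(injected, EXPECTED_LOGIN_FIELDS), // ["atm_pin","maiden_name","ssn"]
  };
}

console.log(demo());
```

The check works only if the bank's own script (or a browser extension) runs it against the live DOM, since the injection happens on the infected client after the page leaves the bank; server-side, the same idea applies to the POST body, where any submitted field name outside the allowlist is a signal that the client's view of the form was tampered with.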

Updated at 12:31 a.m. and 1:38 a.m. PT with further details from the lawsuit.

Documents attached to this story:
  • Microsoft complaint against Zeus botnet operators
  • Zeus botnet TRO (temporary restraining order)
  • Seizure Order, Part 2