Microsoft names two Zeus defendants in civil action

Microsoft has named two of the 39 defendants it is suing for their alleged role in operating the Zeus botnet.

According to an amended civil complaint filed last week in U.S. District Court in Brooklyn, Microsoft named Yevhen Kulibaba and Yuriy Konovalenko as defendants. The other defendants remain listed as "John Does."

The identification of the pair shouldn't come as a surprise considering Ukrainians Kulibaba and Konovalenko were among 19 people charged in London in 2010 with being members of the Zeus gang. The duo, who were ringleaders, currently are serving prison time in the U.K.

Richard Boscovich, a senior attorney with the Microsoft Digital Crimes Unit, said in a Monday blog post that he hopes the software giant's latest information will provide additional firepower for the FBI.

"Our hope is that the evidence we provided to the FBI in this case will lead to a criminal investigation that brings the perpetrators to justice," he wrote.

Microsoft announced in March that, as part of a coordinated effort with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and NACHA – The Electronic Payments Association, it has dismantled prominent hubs that provided instructions to machines infected with Zeus and related malware families, including SpyEye.

U.S. Marshals led the raid on hosting locations in Scranton, Pa. and Lombard, Ill., where they confiscated command-and-control (C&C) servers and took down two key IP addresses in the process. In addition, as a result of the seizure, Microsoft assumed control of some 800 domains involved with the servers, a process known as sinkholing.

Codenamed "Operation b71," the bust relied on obtaining warrants through the aforementioned lawsuit, which was filed against those who are believed responsible for running the Zeus C&C servers. Interestingly, in the suit, Microsoft applied the Racketeer Influenced and Corrupt Organizations (RICO) Act, a federal law that extends penalties for those involved in organized crime.

"By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the 'organization' were not necessarily part of the core enterprise," Boscovich wrote in a separate blog post at the time.

He said Monday that Zeus' C&C infrastructure remains offline, and this appears to be having a major effect. Zeus infection rates, by IP address, have dropped from about 780,000 at the end of March to roughly 336,000 as of June 23, though new variants of the data-stealing trojan continue to appear.

In addition, fewer zombie computers means there has been a precipitous drop in phishing emails. Boscovich referenced Microsoft's co-plaintiff, NACHA – The Electronic Payments Association, which has reported a 90 percent reduction in people receiving fraudulent emails that claim to come from it. NACHA manages the Automated Clearing House (ACH) money transfer network, which has commonly been used by hackers in banking heists.

"As Microsoft and our partners explained in March, Operation b71 is just one step in an ongoing campaign to undermine the Zeus cybercriminal organization and help identify those responsible for this dangerous threat," Boscovich wrote.

Security experts have long considered Zeus to be a criminal enterprise, and Microsoft said it has detected 13 million infections worldwide, with more than three million in the United States alone. In addition, opportunistic criminals should have no problem finding exploit toolkits that can be used to fire off the Zeus trojan, especially after its source code was leaked last year. The kits sell for anywhere from $700 to $15,000 on the black market.