Microsoft zaps Zeus command centers used in bank fraud

Microsoft has cast a big blow to one of the most pernicious trojans in existence, responsible for stealing tens of millions of dollars through the keystroke logging of online banking credentials, usually belonging to small and midsize businesses.

The software giant announced late Sunday night that, as part of a coordinated effort with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and NACHA – The Electronic Payments Association, it has dismantled prominent hubs that provided instructions to machines infected with Zeus and related malware families, including SpyEye.

On Friday, U.S. Marshals led the raid on hosting locations in Scranton, Pa. and Lombard, Ill., where they confiscated command-and-control (C&C) servers and took down two key IP addresses in the process. In addition, as a result of the seizure, Microsoft assumed control of some 800 domains involved with the servers, a process known as sinkholing.

Dave Dittrich, a senior security engineer at the University of Washington in Seattle who has assisted Microsoft in other botnet investigations, said the domains likely were used to infect users, serve as "drop zones" for stolen information or provide source code for the malware. And if Microsoft happens to take control of a legitimate website that was compromised, the company will work with internet service providers "to make sure we bring them back online," Greg Garcia, a security strategy consultant who advised the operation, told

Codenamed "Operation b71," the bust relied on obtaining warrants through a lawsuit filed March 19 in U.S. District Court in Brooklyn against 39 "John Does" (the complaint lists only their online aliases) who are believed to be responsible for running the C&C servers. Interestingly, in the suit, Microsoft applied the Racketeer Influenced and Corrupt Organizations (RICO) Act, a federal law that extends penalties for those involved in organized crime.

"By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the 'organization' were not necessarily part of the core enterprise," wrote Richard Boscovich, senior attorney with the Microsoft Digital Crimes Unit, in a blog post.

Security experts have long considered Zeus to be a criminal enterprise, and Microsoft said it has detected 13 million infections worldwide, with more than three million in the United States alone. In addition, opportunistic criminals should have no problem finding exploit toolkits that can be used to fire off the Zeus trojan, especially after its source code was leaked last year. The kits sell for anywhere between $700 and $15,000 on the black market.

"[It is] a highly distributed botnet capability, which makes it hard to track and attribute," Garcia, who served as assistant secretary for cyber security at the U.S. Department of Homeland Security from 2006 to 2008, said.

This is the fourth time Microsoft has taken legal action against the purveyors of botnets. In the past, the company has been successful in taking down or disrupting the Waledac, Rustock and Kelihos networks of zombie computers.

But Zeus is different from traditional bots that are used to deliver spam or launch distributed denial-of-service attacks, Dittrich said.

"It's lots and lots of small botnets," he explained. "The activity is not to make all of [the infected machines] do something at once. The activity is to sift through these compromised accounts and tell me which has high-value accounts that I can exploit."

Dittrich said he suspects the authors of Zeus are located in Eastern Europe, and that the seizure of these two prominent C&C servers and corresponding IP addresses may help authorities get closer to arresting the masterminds.

But some security experts believe Zeus will be a tough knock-out.

On Monday, security researcher Aviv Raff tweeted: "Most [of the 800 under Microsoft's control] are old domains, and it's a drop in the ocean in general."

But Boscovich said the operation netted some major players.

"We don't expect this action to have wiped out every Zeus botnet operating in the world," he wrote. "However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for some time."

Garcia said it may be impossible to entirely kill off Zeus because of the agility of criminals. But, he said, the takedown should send a strong message.

"I think the signal should be loud and heard by criminals that they cannot continue this with impunity," Garcia said.
