Microsoft, U.S. Marshals Raid Zeus Botnet
By Barry Levine / CIO Today. Updated March 26, 2012.
Microsoft has taken Zeus down. That's Zeus, as in the botnet that has infected as many as 13 million computers worldwide. On Sunday, the software giant announced that, working with the financial services industry and U.S. marshals, it has successfully conducted a global action against the cybercriminal organization.
The company said that it collaborated with the Financial Services-Information Sharing and Analysis Center (FS-ISAC), NACHA (the Electronic Payments Association), and Kyrus Tech. The partners said that Zeus malware on an infected computer can monitor all online activity and record every keystroke, which has led to banking fraud and theft, among other possible crimes.
First Use of RICO
Following a successful pleading before the U.S. District Court for the Eastern District of New York, Microsoft and its partners, with warrants in hand, conducted a series of raids on command and control servers running some of the biggest Zeus botnets.
On March 23, representatives of Microsoft and its partners, accompanied by U.S. Marshals, seized servers in two hosting locations, one in Scranton, Pa., and the other in Lombard, Ill. The raids netted evidentiary data and brought down two IP addresses behind Zeus. The company said that it did not believe the hosting facilities it raided were part of the criminal enterprise, but that the hosting companies were simply renting computer space.
Microsoft also said it was currently monitoring about 800 domains it obtained in the raids, in order to identify additional computers that might have been Zeus-infected.
Although this is the second time Microsoft has been involved in a physical seizure of a botnet, it is the first time that other organizations have joined it as plaintiffs in the accompanying legal case. It is also the first such action to involve coordinated raids, and the first use of the RICO (Racketeer Influenced and Corrupt Organizations) Act against a botnet.
As successful as the raids were, the partners said the actions were not expected to permanently shut down all Zeus botnets, but to "significantly impact the cybercriminals' operations and infrastructure," as well as help victims regain control of their computers.
Zeus software is sold for prices ranging from $700 to $15,000, depending on the level of code customization or customer support. Microsoft has said it believes the software originates from Eastern Europe. Botnets are networks of computers that have been hijacked for criminal use, with the infection often resulting from users downloading attachments in e-mails that look like they come from legitimate sources.
Microsoft's effort to combat cybercrime is led by a former federal prosecutor, Richard Boscovich, who now works in the company's digital crimes unit.
Online fraud and malware directed at Windows and other Microsoft products have an impact on the company's reputation, so the company has stepped up its anti-malware efforts in recent years. Microsoft has said that it does not see its new aggressiveness as replacing traditional law enforcement, but complementing it.