Microsoft Disrupts Massive Zeus Malware Ring
Working with partners in the financial services industry, Microsoft has spearheaded the seizure of several servers used to spread the infamous Zeus banking malware. The coordinated action is part of the software giant's push to disrupt the cybercrime infrastructure supporting worldwide fraud and identity theft.
In a press release issued yesterday (March 25), Microsoft reported that on March 23, United States marshals seized Zeus command-and-control servers in Scranton, Penn. and Lombard, Ill. Microsoft was also granted permission to take control of 800 domains used by the servers. The strike, "an unprecedented, proactive cross-industry action," Microsoft said, resulted in the takedown of two IP addresses used to facilitate the Zeus command-and-control structure.
A notorious bank-account-siphoning cyberweapon, the Zeus Trojan enables its perpetrators to log its victims' keystrokes on banking websites. In late 2010, 48 people were charged in the U.S. and the U.K. for their roles in using Zeus to defraud British banks of nearly $10 million. Microsoft said that since 2007 it has detected more than 13 million suspected Zeus malware infections worldwide.
Microsoft's tactical strike will play a part in weakening the overall cybercrime landscape, the company believes.
"With this action, we've disrupted a critical source of money-making for digital fraudsters and cyberthieves, while gaining important information to help identify those responsible and better protect victims," Richard Boscovich, Microsoft's senior attorney for its Digital Crimes Unit, said. Boscovich called the seizures "a particularly important strike against cybercrime that we can expect will be felt across the criminal underground for a long time to come."
Along with the seizure orders, Microsoft and its partners filed summonses with the U.S. District Court for the Eastern District of New York against 39 "John Does" believed to have a hand in Zeus' operation. Court documents also list more than 3,300 malicious domain names, across 35 registrars, identified as part of the overall Zeus infrastructure. The registrars are located across the globe, from Russia and Colombia to the U.K., Austria, the Netherlands, Iran and Italy.
"Of course, cybercrime is bigger than just 39 people," Rik Ferguson from the security firm Trend Micro wrote in his analysis of Microsoft's action. "But if nothing else, this indictment serves as a graphic illustration of the maturity of the criminal business model … let's hope that this continued focus and international cooperation across the security and law enforcement communities can eventually make a significant dent in their illegal operations."
Microsoft's partners in the Zeus disruption are the Financial Services — Information Sharing and Analysis Center (FS-ISAC), NACHA — The Electronic Payments Association and Kyrus Tech. Inc.
Though Zeus is as high-profile and dangerous as banking malware gets, Microsoft said the goal of the botnet seizures was not to put a permanent end to Zeus right now, but to "undermine the criminal infrastructure that relies on these botnets every day to make money." Microsoft said it hopes the disruption will help victims regain control of their infected computers, reduce the scope of the worldwide threat and move the investigations against Zeus' perpetrators further.