Microsoft has gone after another botnet, this time targeting some of the command-and-control infrastructure behind the Zeus network with a takedown effort that included seizing two IP addresses used for C&C servers and filing suit against 39 unnamed defendants. The action against Zeus is the latest in a string of such moves by Microsoft and some of its partners against the operators of botnets such as Kelihos and Waledac.
Zeus is one of the more widespread and well-known pieces of malware to appear in the last five years and is among the new breed of tools that’s sold in various forms to anyone who can pay the freight. The Zeus kit enables an attacker to monitor a user’s actions on a compromised machine, steal credentials for online banking or other valuable sites and then rack up huge profits. Like other major botnets operating right now, the Zeus network is not one botnet but dozens and dozens of individual networks operated by various criminals around the world.
Microsoft’s anti-Zeus operation resulted in the takedown of two C&C servers that are used in the global Zeus network, but the company’s officials say they have no illusions that this move will cripple the entire Zeus system.
“We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time. Cybercriminals are in this for the money and this action was an unprecedented strike against the illicit infrastructure on which they rely. The operation will help further investigations against those responsible for the threat and help us better protect victims,” Richard Domingues Boscovich, a senior attorney in Microsoft’s Digital Crimes Unit, wrote in an analysis of the Zeus botnet takedown.
Last Monday, Microsoft filed suit in the Eastern District of New York against the unnamed defendants, saying that they, using various aliases and handles, had operated the Zeus botnet. The company, along with the National Automated Clearing House Association, asked the court for permission to cut off the C&C infrastructure of Zeus and also asked that the case be temporarily sealed in order to preserve the element of surprise against the suspects. The court granted both requests, and on Friday officials from Microsoft, NACHA and the Financial Services Information Sharing Analysis Center went with U.S. Marshals to execute the seizure of the servers.
“On March 23, Microsoft, FS-ISAC and NACHA – escorted by the U.S. Marshals – successfully executed a coordinated physical seizure of command and control servers in two hosting locations to seize and preserve valuable data and virtual evidence from the botnets for the case. We took down two IP addresses behind the Zeus ‘command and control’ structure. Microsoft also currently monitors 800 domains secured in the operation, which helps us to identify thousands of Zeus-infected computers,” Boscovich said.
The botnets affected by the Zeus takedown action include some running the Ice-IX and SpyEye variants of the malware. The Zeus codebase has forked and evolved over time and some features of the once-competitive SpyEye toolkit were included in some versions recently.
In an interesting twist to the takedown, Microsoft and the other plaintiffs in the case decided to use the civil section of the RICO statute to go after the group of defendants, allowing them to group the alleged botnet controllers under the umbrella of one organized criminal enterprise. The statute typically is used in organized crime prosecutions, but the nature of the Zeus operation lent itself to the same kind of action.
“Upon information and belief, John Does 1-39 constitute a group of persons associated together for a common purpose of engaging in a course of conduct, as part of an ongoing organization, with the various associates functioning as a continuing unit. The Defendants’ enterprise has a purpose, with relationships among those associated with the enterprise, and longevity sufficient to permit those associates to pursue the enterprise’s purpose. Upon information and belief, Defendants John Doe 1, John Doe 2, and John Doe 3 conspired to, and did, form an associated in fact enterprise (herein after the “Zeus Racketeering Enterprise”) with a common purpose of developing and operating a global credential stealing botnet operation as set forth in detail herein,” the complaint filed against the botnet operators says.
“Both the purpose of the Zeus Racketeering Enterprise and the relationship between the Defendants is proven by: (1) the consolidation of the original Zeus botnet and the SpyEye botnet; (2) the subsequent development and operation of the enhanced Ice-IX botnet; and (3) Defendants’ respective and interrelated roles in the sale, operation of, and profiting from the Zeus Botnets in furtherance of Defendants’ common financial interests.”
Microsoft’s Boscovich said the use of RICO was an important aspect of the case.
“In criminal court cases, the RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets. By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the ‘organization’ were not necessarily part of the core enterprise,” he said.