Microsoft Leads Zeus Takedown

Collaborative Effort Targets Zeus Malware Botnets
Microsoft Leads Zeus Takedown

Microsoft Corp. says it led a team that has successfully disrupted some of the world's most threatening and damaging cybercrime operations.

See Also: The Vulnerabilities of Traditional Identity Verification

Through a collaborative effort involving the Financial Services - Information Sharing and Analysis Center and NACHA - The Electronic Payments Association, Microsoft, in a statement, says its Digital Crimes Unit has seized command and control servers that have been running some of the most damaging variations of Zeus botnets.

Zeus, the world's most ubiquitous Trojan, represents a family of malware that infects and hijacks a user's computer. Zeus is a keylogger, which means it can monitor a victim's online activity and automatically record keystrokes. This is especially concerning in financial fraud incidents of account takeover, since keyloggers record the entry of online credentials such as usernames and passwords.

"As crimes against banks and their customers move from stickups to mouse clicks, we're also using our own mouse clicks - as well as the law - to help protect consumers and businesses," says Greg Garcia, spokesman for FS-ISAC and NACHA. "Disrupting the Zeus botnets is just one strike in our long-term commitment to help defend and protect people."

Operation B71

Microsoft was given control and seizure authority by a District Court in eastern New York, after winning a civil suit against several known cybercrime groups. Because many online compromises result in financial fraud, FS-ISAC and NACHA joined Microsoft as plaintiffs in the suit.

On March 23, Microsoft and its co-plaintiffs, seized servers from two hosting locations in Scranton, Pa., and Lombard, Ill. The maneuver, codenamed Operation B71, took down two IP addresses behind the Zeus command and control structure, and Microsoft says it is monitoring 800 domains, which are working to identify thousands of computers infected by Zeus.

The plaintiffs have been instructed to preserve valuable data and virtual evidence from the botnets for their case.

This is the second time Microsoft has conducted physical seizures in a botnet operation, but the first time other organizations have joined Microsoft as plaintiffs in legal action against a botnet operation. This also is the first time the Racketeer Influenced and Corrupt Organizations Act has been applied as the legal basis in a consolidated civil case to charge all those responsible in the use of a botnet.

This action is expected to significantly impact the cybercriminals' operations and infrastructure, advance global efforts to help victims regain control of their infected computers, and also help further investigations against those responsible for the threat.

As with its previous botnet operations, Microsoft will now use the intelligence gained from this operation to partner with Internet service providers and Community Emergency Response Teams around the world to help rescue people's computers from the control of Zeus, helping to reduce the size of the threat that these botnets pose and to help make the Internet safer for consumers and businesses worldwide. Together, these aspects of the operation are expected to undermine the criminal infrastructure that relies on these botnets to make money.

Cyberfraud Targets

Since 2007, Microsoft has detected more than 13 million computers suspected of being infected by Zeus throughout the world. Of that total, 3 million of those infected PCs are in the United States alone.

Realizing the legal and privacy concerns these cyber-compromises pose, Microsoft spearheaded work to thwart incidents of identity theft and online compromise. That work ultimately led to the creation of Operation B71, a cross-industry movement aimed at disrupting some of the world's most threatening and damaging cybercrime operations.

Operation B71, which includes Microsoft, FS-ISAC, NACHA, and security vendors Kyrus Tech Inc. and F-Secure, represents collaborative legal and technical actions.

"The Microsoft Digital Crimes Unit has long been working to combat cybercrime operations, and today is a particularly important strike against cybercrime that we expect will be felt across the criminal underground for a long time to come," says Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit. "With this action, we've disrupted a critical source of money-making for digital fraudsters and cyberthieves, while gaining important information to help identify those responsible and better protect victims."

Steps to Protect Your Business

Operation B71 recommends businesses and consumers take these steps to protect their online presences:

  • All computer users should exercise safe practices, such as running up-to-date and legitimate computer software, firewall protection, and antivirus or antimalware protection.
  • Users should exercise caution when surfing the Web and clicking on ads or e-mail attachments that may prove to be malicious.

Microsoft offers free information and malware cleaning tools on its website. Businesses interested in more information about corporate account takeover, which is often linked to ACH fraud, can review this advisory from FS-ISAC, the Federal Bureau of Investigation and the U.S. Secret Service.


About the Author

Information Security Media Group

Information Security Media Group (ISMG) is the world's largest media company devoted to information security and risk management. Each of its 37 media sites provides relevant education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Its yearly global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.eu, you agree to our use of cookies.