Zeus malware was long untouchable, infected 3m+ in U.S. alone

In the era of organized cybercrime, one of the most dangerous threats to arise in recent years was "Zeus".  A malware program named after the king of the Greek gods, Zeus spread via a combination of phishing emails that encouraged users to download a malicious executable and "drive-by downloads", automatic downloads that largely target insecure older browser versions.  Once installed, Zeus committed all sorts of villainy, including keylogging and form-grabbing, both of which were used to steal internet users' credit card information.

I. Raid Strikes Blow to Heart of Zeus Botnets

According to Microsoft Corp. (MSFT), organized criminals would purchase special souped-up versions of Zeus to create their own private botnets.  Zeus malware "crimekits" would retail from $700 USD to $15,000 USD.  And the criminals were getting their money's worth -- in the U.S. alone the top three variants -- Zeus, SpyEye and Ice-IX -- were believed to have affected 3 million machines and wrought $500M+ USD in damages.  Worldwide, over 13m machines were believed to be infected.

But Zeus's status as god of the world of cyber-crime appears to be drawing to a close.

Microsoft’s Digital Crimes Unit -- in collaboration with the Financial Services – Information Sharing and Analysis Center (FS-ISAC) and NACHA (The Electronic Payments Association) -- leveraged the provisions of the Lanham Act (15 U.S.C. § 1051-1141n) and the Racketeer Influenced and Corrupt Organizations (RICO) Act (18 U.S.C. § 1961–1968) to gain warrants to take down the command and control servers of top Zeus variants.  The warrants follow a Mar. 19, 2012 suit filed against 39 "John Does" believed to be involved in the criminal operation.

Microsoft security experts have previously compared the approach to "decapitating" the botnet, in that it takes out the brains of the botnet -- the command and control (CnC) server tasked with delivering updates to the malware, issuing commands, and collecting stolen information.

Microsoft, its partners, and U.S. Federal Marshals executed a pair of daring real-world raids in Scranton, Penn. and Lombard, Ill., entering the premises of two hosting companies and seizing the active CnC servers before the owners could try to destroy evidence.

Microsoft raid
Cyber-sleuths J-Michael Roberts, left, and Ashim Kapur, right, collect evidence for Microsoft and authorities in Scranton, Penn. during this week's raid.
[Image Source: Michael Sisak for The New York Times]

Richard Domingues Boscovich, Senior Attorney with Microsoft's Digital Crimes Unit, writes:

We took down two IP addresses behind the Zeus ‘command and control’ structure. Microsoft also currently monitors 800 domains secured in the operation, which helps us to identify thousands of Zeus-infected computers.

We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time. Cybercriminals are in this for the money and this action was an unprecedented strike against the illicit infrastructure on which they rely. The operation will help further investigations against those responsible for the threat and help us better protect victims.

The daring takedown was aided by The Electronic Payments Association -- an industry association representing e-commerce sites and banks -- and Kyrus Technologies -- a security firm specializing in reverse engineering.  F-Secure, a European security firm, also lent its expertise.  Together, a major blow was struck at the heart of many of the largest Zeus botnets.

II. Server Seizures: Not a Magic Bullet, and Not Without Controversy

One controversial aspect of the seizure was that the hosting companies were not warned beforehand.  However, Microsoft did receive the warrant to seize the domains and physical servers under significant judicial oversight, so a degree of accountability was maintained.

Richard Perlotto, director at the Shadowserver Foundation, praised the takedowns as brilliant in The New York Times.  He compared them to community actions such as neighborhood watches, commenting, "Taking the disruption into the courthouse was a brilliant idea and is helping the rest of the industry to reconsider what actions are possible, and that action is needed and can succeed.  We equate this to a neighborhood watch."

The upside of the takedowns is that they turn the same kind of fear and uncertainty that cybercriminals successfully spread back on them.  They also arguably make the business of cybercrime less lucrative, which could eventually lead to some dropping out.
Botnet wide
A server raid hurts a botnet in the short term, but cannot stop it fully without followup and prosecution. [Image Source: Finest Daily]

But Microsoft's past takedowns of the Waledac, Rustock and Kelihos botnets have not been wholly successful.  While they did manage to incapacitate the botnets in question, they could not fully prevent comebacks.  Jose Nazario, a senior security researcher at security firm Arbor Networks, points to a resurgent Waledac botnet in a NYT comment, stating, "You can take out a botnet, but unless you take down the coders and put the clients behind bars, they’re just going to go ahead and do this again."

Of course, Microsoft -- just having executed its fourth major botnet-related server seizure -- is learning to collect evidence that could eventually be used to do precisely that -- put malware writers and cybercriminals behind bars.

Sources: Microsoft (TechNet), The New York Times

Comments

Thank you
By p05esto on 3/26/2012 9:48:46 PM , Rating: 5
Thank you Microsoft, I'm glad we have you around. We certainly never see Apple doing selfless things like this for the better of mankind and technology. Microsoft and Bill Gates give billions to charity, Apple hoards billions of cash. Microsoft takes out botnets, Apple sucks users into their own botnet of iCrap devices. Go MS!

RE: Thank you
By wordsworm on 3/27/12, Rating: -1
RE: Thank you
By Boze on 3/27/2012 1:00:44 AM , Rating: 4
You're right, since you crash your Ford into another driver on the highway, they ought to be the ones to clean it up.

Stupid drivers. Stupid computers users.

They're not the responsibility of the people that make the product.

Yet both companies do actively work to help them.

RE: Thank you
By Tony Swash on 3/27/12, Rating: -1
RE: Thank you
By TSS on 3/27/2012 7:15:06 AM , Rating: 5
I shudder to think about the state of the internet had any other OS become dominant.

Had Apple won with Macs, botnets would be the norm, not the exception. Current OS security would be around the level of Windows 98.

Had Linux won, we would've been a little more secure, yes, but not by much. Also, the internet would still be the size it was back in 1998, since nobody not in the know would touch computers due to Linux's complexity and user-unfriendliness. Until Ubuntu. Which probably would never have been invented if users didn't go for the ease of Apple and Microsoft GUIs.

And that leaves us with what? Unix? In that case the internet would still be the size it was in 1980. Novell? Couldn't even figure that one out during my IT education. Managed eventually, but no end user is going to stick with Novell. Something breaks, you're screwed.

No, I'd like to think there's a reason Windows has the huge, huge market share it has. It's not just exclusivity deals. While I agree they used those to get on top, getting on top is the easy part. The hard part is staying there. As the declining browser share of IE has shown, even exclusivity isn't a guarantee of success.

No, I'd commend Microsoft for stepping up. Not only with cleaning up these botnets, but also back with XP SP2, when they admitted it wasn't secure and basically changed their whole way of thinking. Compared to XP SP1, Windows 7 is a Fort Knox. Compare that to Apple's "you don't need a virus scanner".

And they still get the bad rap for the end users who let the viruses in themselves. For shame.

RE: Thank you
By Tony Swash on 3/27/12, Rating: -1
RE: Thank you
By inperfectdarkness on 3/29/2012 5:59:05 AM , Rating: 2
I must applaud your efforts. Until I read this statement, I had no idea of the depths of logic natively bereft in Apple fans. I feel much better about myself and my own (relatively average) intelligence now. Thank you.

RE: Thank you
By TSS on 4/3/12, Rating: 0
RE: Thank you
By wordsworm on 3/27/12, Rating: 0
RE: Thank you
By DOOA on 3/27/2012 3:08:02 PM , Rating: 1
First off, you cannot predict what happens if something in history did or did not happen. We are not that gifted. Secondly, consider what would have happened if users valued security above all else. No botnets and a very different Windows, or perhaps a QNX-type operating system. How about an OS on a PROM that never changes without a removal and burn, and almost instant-on startup?

I applaud MS for helping take down the botnets. But I know full well botnets exist because of the way MS makes their OS.

RE: Thank you
By StevoLincolnite on 3/28/2012 3:14:01 AM , Rating: 2
I applaud MS for helping take down the bot nets. But I know full well bot nets exist because of the way MS makes their OS.

Are you able to enlighten us on exactly how every single part of the Windows OS works? And describe to us how every single line of code functions? No? Hmm. Well then.

Here is a list of MacOSX viruses, 116 of them in fact.

You can't forget that viruses are now invading the world of mobile devices, namely iOS and Android; very little exists in the realm of Windows Phone 7.

But that's why we now have virus scanners on MacOSX, Android and iOS. Because regardless of platform, as soon as it starts to gain any sort of popularity, malware and viruses are going to be inbound.

RE: Thank you
By Tony Swash on 3/27/12, Rating: -1
RE: Thank you
By Motoman on 3/27/2012 10:14:37 AM , Rating: 2
...while I also applaud MS for dedicating resources to such efforts, I'm not sure I'd paint it as completely altruistic as you do. MS definitely has an interest in *not* having their products involved in such criminal activities...if for no other reason than simply an undeserved reputation of being "less secure" than other OSs/etc.

And yeah...Apple doesn't do any such thing. And yeah, they're the ones who have been moronically declaring that they're "more secure" than MS forever. Once again, though, for the eleventy-billionth time, Apple OSs et al are not more secure than MS products...and in testing, of course, frequently turn out to be easier to hack...but they so far are still being kind of successful with the security-by-obscurity thing they've enjoyed so long as a result of being a market failure. Apple owns about ~5% of the worldwide computer installed base. That's a failure. There's no way to paint that as anything but a failure. And that's why there's so little interest in the criminal/hacking world for attacking Macs - why would you bother? You can spend X amount of time creating a botnet to attack 5% of the computers in the world - essentially none of which are used for business - or you can spend that same X amount of time creating a botnet that will attack 95% of the computers in the world, including 99.9% of all the business computers.

If a hacker managed to take down 100% of all Macs on the'd have a few hipster jackasses crying into their half-caf, half-fat, mocha-mint lattes, and otherwise the world wouldn't care. The hacker would be mocked as a wanna-be failure in his own community. Wouldn't make any difference. If a hacker managed to take down, say, 10% of the world's Windows computers, the world would practically grind to a halt while businesses and consumers freaked out and utterly stopped what they were doing while trying to figure it out. The hacker would be the greatest hero ever known in his community.

MS is utterly irrelevant in the smartphone business...and barring any new miracles, they kind of just need to get used to that. Apple is utterly irrelevant in the computer business...by the same token, they just need to get used to that.

RE: Thank you
By Tony Swash on 3/27/12, Rating: -1
RE: Thank you
By AnnihilatorX on 3/27/2012 5:28:55 PM , Rating: 1
In the real world 99.9% of malware is Windows only and malware on the Mac is all but non existent.

I am appalled you can't see the reason why most malware is in Windows is NOT because Windows is less secure, but because Windows is MUCH more popular.

If 90% of the world's doors are manufactured by the same company and the locks are the same, guess which locks you will learn to pick first if you want to be a professional lockpicker? Of course the majority. Even if these may be harder to learn to pick than easier but more obscure locks.

RE: Thank you
By TakinYourPoints on 3/27/2012 7:01:59 PM , Rating: 2
There is a platform that had a significantly smaller user base than OS X, yet it had far greater problems with malware and viruses in particular.

Mac OS 9.

Having a security model based around elevating admin rights has inherent benefits over those that don't. This is why Windows Vista, Windows 7, and Mac OS X have far fewer issues with malware despite having large install bases.

RE: Thank you
By Darksurf on 3/28/2012 10:54:25 AM , Rating: 2
I'm a Linux user and experience none of those issues, but I do applaud Microsoft and their efforts. At least they are showing they care about their consumers to a point.

I can't say I agree with everything Microsoft does (I'm sure the same can be said for most), but THIS is a WONDERFUL feat.

Sadly Tony Swash sees nothing good about taking out the garbage of the internet. It also shows he's a d*ck who is uncompassionate and unrealistic. One day he will wake up from the world he lives in and join the rest of us.

Take this for example. You live in a city and lots of people just throw their garbage in their front yard. Your front yard is clean, and so is your neighbor's. But a large percentage isn't. The city is starting to stink and become unsanitary. Just because this doesn't directly affect you, doesn't mean it doesn't affect you at all! So now a generous landlord who built many of the houses/buildings these people live in has decided to clean up the city without asking for compensation.

How is it the landlord's fault that people suck? Are you saying because he allows them a front yard that it's his fault people throw garbage in it? Tony, you are a fool.

Oh BTW, Macs do have viruses, iPhones can get viruses, Linux has viruses, they just come in a different format. They may not auto-install, but they do exist for people dumb enough to be fooled into installing a rootkit. It all comes down to PEOPLE, not an OS or its devs.

Ah ha!
By mikeyD95125 on 3/26/2012 3:56:26 PM , Rating: 5
U.S. Federal Marshalls executed a pair of daring real world raids in Scranton, Penn.

So that's what Dwight was really using the office for.

Response from the White House
By DPigs on 3/26/2012 7:02:37 PM , Rating: 5
He compares them to vigilante actions such as neighborhood watches, commenting...

President Obama commented, "You know, if I had a botnet it would look very much like the Zeus botnet."

By Beenthere on 3/26/2012 10:34:16 PM , Rating: 1
In the future don't wear glow-in-the-daylight neckties, as it's a give-away that you're not a criminal.

Good job boys! Hang these criminals by their gonads.

By EBH on 3/27/2012 1:21:07 PM , Rating: 1
"We equate this to a neighborhood watch in Florida."

Shoot first, ask questions later.
