Wrath of the Titans: Microsoft, U.S. Feds Slay Godly "Zeus" Botnets
March 26, 2012 3:21 PM
Zeus malware was long untouchable, infected 3m+ in U.S. alone
In the era of organized cybercrime, one of the most dangerous threats to arise in recent years was "Zeus". A malware program named after the king of the Greek gods, Zeus spread via a combination of phishing emails that encouraged users to download a malicious executable, and "drive-by downloads", automatic downloads which largely target insecure older browser versions. Once installed, Zeus committed all sorts of villainy, including keylogging and form-grabbing, both of which were used to steal internet users' credit card info.
I. Raid Strikes Blow to Heart of Zeus Botnets
According to Microsoft Corp., organized criminals would purchase special souped-up versions of Zeus to create their own private botnets. Zeus malware "crimekits" would retail from $700 USD to $15,000 USD. And the criminals were getting their money's worth -- in the U.S. alone the top three variants -- Zeus, SpyEye and Ice-IX -- were believed to have affected 3 million machines and wrought $500M+ USD in damages. Worldwide over 13m machines were believed to be infected.
But Zeus's status as god of the world of cyber-crime appears to be drawing to a close.
Microsoft's Digital Crimes Unit -- in collaboration with Financial Services – Information Sharing and Analysis Center (The Electronic Payments Association) -- leveraged the provisions of 15 U.S.C. § 1051-1141n and the Racketeer Influenced and Corrupt Organizations (RICO) Act (18 U.S.C. § 1961–1968) to gain warrants to take down the command and control servers of top Zeus variants. The warrants follow a Mar. 19, 2012 suit filed against 39 "John Does" believed to be involved in the criminal operation.
Microsoft security experts have previously compared the approach to "decapitating" the botnet, in that it takes out the brains of the botnet -- the command and control (CnC) server tasked with delivering updates to the malware, issuing commands, and collecting stolen information.
Microsoft, its partners, and U.S. Marshals executed a pair of daring real-world raids in Scranton, Penn. and Lombard, Ill., entering the premises of two hosting companies and seizing the active CnC servers before the owners could try to destroy evidence.
Cyber-sleuths J-Michael Roberts, left, and Ashim Kapur, right, collect evidence for Microsoft and authorities in Scranton, Penn. during this week's raid.
[Image Source: Michael Sisak for The New York Times]
Richard Domingues Boscovich, Senior Attorney with Microsoft's Digital Crimes Unit, writes:
We took down two IP addresses behind the Zeus ‘command and control’ structure. Microsoft also currently monitors 800 domains secured in the operation, which helps us to identify thousands of Zeus-infected computers.
We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time. Cybercriminals are in this for the money and this action was an unprecedented strike against the illicit infrastructure on which they rely. The operation will help further investigations against those responsible for the threat and help us better protect victims.
The daring takedown was aided by The Electronic Payments Association -- an industry association representing e-commerce sites and banks -- and Kyrus Technologies -- a security firm specializing in reverse engineering. F-Secure, a European security firm, also lent its expertise. Together, a major blow was struck at the heart of many of the largest Zeus botnets.
II. Server Seizures: Not a Magic Bullet, and Not Without Controversy
One controversial aspect of the seizure was that the hosting companies were not warned beforehand. However, Microsoft did receive the warrant to seize the domains and physical servers under significant judicial oversight, so a degree of accountability was maintained.
Richard Perlotto, director at the Shadowserver Foundation, praised the takedowns as brilliant in The New York Times. He compares them to vigilante actions such as neighborhood watches, commenting, "Taking the disruption into the courthouse was a brilliant idea and is helping the rest of the industry to reconsider what actions are possible, and that action is needed and can succeed. We equate this to a neighborhood watch."
The upside of the takedowns is that they turn the same kind of fear and uncertainty that cybercriminals successfully spread back on them. They also arguably make the business of cybercrime less lucrative, which could eventually lead to some dropping out.
A server raid hurts a botnet in the short term, but cannot stop it fully without followup and prosecution. [Image Source: Finest Daily]
Previous takedowns of the Waledac, Rustock and Kelihos botnets have not been wholly successful. While they did manage to incapacitate the botnets in question, they could not fully prevent comebacks. Jose Nazario, a senior security researcher at security firm Arbor Networks, points to a resurgent Waledac botnet in a comment, stating, "You can take out a botnet, but unless you take down the coders and put the clients behind bars, they’re just going to go ahead and do this again."
Of course, Microsoft -- just having executed its fourth major botnet-related server seizure -- is learning to collect evidence that could eventually be used to do precisely that -- put malware writers and cybercriminals behind bars.
Source: The New York Times