Microsoft has gone after another botnet, this time targeting some of
the command-and-control infrastructure behind the Zeus network with a
takedown effort that included seizing two IP addresses used for C&C
servers and filing suit against 39 unnamed defendants. The action
against Zeus is the latest in a string of such moves by Microsoft and
some of its partners against the operators of botnets such as Kelihos and Waledac.
Zeus
is one of the more widespread and well-known pieces of malware to
appear in the last five years and is among the new breed of tools that's
sold in various forms to anyone who can pay the freight. The Zeus kit
enables an attacker to monitor a user's actions on a compromised
machine, steal credentials for online banking or other valuable sites
and then rack up huge profits. Like other major botnets operating right
now, the Zeus network is not one botnet but dozens and dozens of
individual networks operated by various criminals around the world.
Microsoft's
anti-Zeus operation resulted in the takedown of two C&C servers
that are used in the global Zeus network, but the company's officials
say they have no illusions that this move will cripple the entire Zeus
system.
"We don’t expect this action to have wiped out every
Zeus botnet operating in the world. However, together, we have
proactively disrupted some of the most harmful botnets, and we expect
this effort will significantly impact the cybercriminal underground for
quite some time. Cybercriminals are in this for the money and this
action was an unprecedented strike against the illicit infrastructure on
which they rely. The operation will help further investigations against
those responsible for the threat and help us better protect victims,"
Richard Domingues Boscovich, a senior attorney in Microsoft's Digital
Crimes Unit, wrote in an analysis of the Zeus botnet takedown.
Last Monday, Microsoft filed suit in the Eastern District of New York against
the unnamed defendants, saying that they, using various aliases and
handles, had operated the Zeus botnet. The company, along with the
National Automated Clearing House Association, asked the court for
permission to cut off the C&C infrastructure of Zeus and also asked
that the case be temporarily sealed in order to preserve the element of
surprise against the suspects. The court granted both requests, and on
Friday officials from Microsoft, NACHA and the Financial Services
Information Sharing Analysis Center went with U.S. Marshals to execute
the seizure of the servers.
"On March 23, Microsoft, FS-ISAC and
NACHA – escorted by the U.S. Marshals – successfully executed a
coordinated physical seizure of command and control servers in two
hosting locations to seize and preserve valuable data and virtual
evidence from the botnets for the case. We took down two IP addresses
behind the Zeus ‘command and control’ structure. Microsoft also
currently monitors 800 domains secured in the operation, which helps us
to identify thousands of Zeus-infected computers," Boscovich said.
The
botnets affected by the Zeus takedown action include some running the
Ice-IX and SpyEye variants of the malware. The Zeus codebase has forked
and evolved over time and some features of the once-competitive SpyEye
toolkit were included in some versions recently.
In an interesting
twist to the takedown, Microsoft and the other plaintiffs in the case
decided to use the civil section of the RICO statute to go after the
group of defendants, allowing them to group the alleged botnet
controllers under the umbrella of one organized criminal enterprise. The
statute typically is used in organized crime prosecutions, but the
nature of the Zeus operation lent itself to the same kind of action.
"Upon
information and belief, John Does 1-39 constitute a group of
persons associated together for a common purpose of engaging in a course
of conduct, as part of an ongoing organization, with the various
associates functioning as a continuing unit. The Defendants’ enterprise
has a purpose, with relationships among those associated with
the enterprise, and longevity sufficient to permit those associates to
pursue the enterprise’s purpose. Upon information and belief, Defendants
John Doe 1, John Doe 2, and John Doe 3 conspired to, and did, form an
associated in fact enterprise (herein after the “Zeus Racketeering
Enterprise”) with a common purpose of developing and operating a global
credential stealing botnet operation as set forth in detail herein," the
complaint filed against the botnet operators says. "Both the
purpose of the Zeus Racketeering Enterprise and the relationship between
the Defendants is proven by: (1) the consolidation of the original Zeus
botnet and the SpyEye botnet; (2) the subsequent development and
operation of the enhanced Ice-IX botnet; and (3) Defendants’ respective
and interrelated roles in the sale, operation of, and profiting from the
Zeus Botnets in furtherance of Defendants’ common financial interests."
Microsoft's Boscovich said the use of RICO was an important aspect of the case.
"In
criminal court cases, the RICO Act is often associated with cases
against organized crime; the same is true in applying the civil section
of the law to this case against what we believe is an organization of
people behind the Zeus family of botnets. By incorporating the use of
the RICO Act, we were able to pursue a consolidated civil case against
everyone associated with the Zeus criminal operation, even if those
involved in the 'organization' were not necessarily part of the core
enterprise," he said.
Courtesy Dennis Fisher
