In an effort to disrupt botnets, Microsoft, in collaboration with the financial services industry, has executed a coordinated global action against some of the most notorious cybercrime operations that fuel online fraud and identity theft.
With this legal and technical action, a number of the most harmful botnets using the Zeus family of malware worldwide have been disrupted, according to Microsoft.
Through a collaborative investigation into the Zeus threat, Microsoft and its banking, finance and technical partners discovered that once a computer is infected with Zeus, the malware can monitor a victim's online activity and automatically start keylogging, or recording a person's every keystroke, when a person types in the name of a financial institution or e-commerce site. With this information, cybercriminals can steal personal information that can be used for identity theft or to fraudulently make purchases or access other private accounts. Since 2007, Microsoft has detected more than 13 million suspected infections of the Zeus malware worldwide, including approximately 3 million computers in the United States alone.
"With this action, we've disrupted a critical source of money-making for digital fraudsters and cyberthieves, while gaining important information to help identify those responsible and better protect victims," said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit. "The Microsoft Digital Crimes Unit has long been working to combat cybercrime operations, and today is a particularly important strike against cybercrime that we expect will be felt across the criminal underground for a long time to come."
This disruption was made possible through a pleading before the U.S. District Court for the Eastern District of New York, which allowed Microsoft and its partners to conduct a coordinated seizure of command and control servers running some of the worst known Zeus botnets. Because the botnet operators used Zeus to steal victims' online banking credentials and transfer stolen funds, FS-ISAC and NACHA joined Microsoft as plaintiffs in the civil suit, and Kyrus Tech Inc. served as a declarant in the case. Other organizations, including F-Secure, also provided supporting information for the case.
As a part of the operation, on March 23, Microsoft and its co-plaintiffs, escorted by the U.S. Marshals, seized command and control servers in two hosting locations, Scranton, Pa., and Lombard, Ill., in order to preserve data and virtual evidence from the botnets for the case. Microsoft and its partners took down two Internet Protocol addresses behind the Zeus command and control structure, and Microsoft is currently monitoring 800 domains secured in the operation, which are helping identify thousands of computers infected by Zeus.
Because of the complexities of these targets, unlike Microsoft's previous botnet operations, the goal of this action was not to permanently shut down all impacted Zeus botnets. However, this action is expected to significantly impact the cybercriminals' operations and infrastructure, advance global efforts to help victims regain control of their infected computers, and also help further investigations against those responsible for the
There are steps consumers and businesses can take to better help protect themselves from becoming victims of malware, fraud and identity theft. All computer users should exercise safe practices, such as running up-to-date and legitimate computer software, firewall protection, and antivirus or antimalware protection. People should also exercise caution when surfing the Web and clicking on ads or email attachments that may prove to be malicious.