Monday, March 26, 2012

The long arm of Microsoft tries taking down Zeus botnets

 Microsoft and financial services organizations, with an escort of U.S. Marshals, seized command-and-control servers Friday to take down botnets allegedly used to steal millions of dollars from an estimated 13 million computers infected with the Zeus malware.

After raids in Scranton, Pa., and Lombard, Ill., "some of the worst known Zeus botnets were disrupted by Microsoft and our partners worldwide," Microsoft announced Sunday night.

The seizure was made after the U.S. District Court for the Eastern District of New York approved the operation. Microsoft and its partners had filed a request to seize the computers and a suit against 39 as-yet-unnamed defendants who go by nicknames such as Slavik, zebra7753, iceIX, Veggi Roma, susanneon, JabberZeus Crew, and h4x0rdz. (See below for the full suit.)

"The United States Marshals and their deputies shall be accompanied by plaintiffs' attorneys and forensic experts at the foregoing described seizure, to assist with identifying, inventorying, taking possession of, and isolating defendants' computer resources, command and control software, and other software components that are seized," the court's seizure order stated. It also said the U.S. Marshals would preserve up to four hours of Internet traffic before disconnecting the computers from the Internet.

Microsoft has made similar moves before, but this was the first time others were involved: joining the company's Digital Crimes Unit were the Financial Services Information Sharing and Analysis Center (FS-ISAC), a trade group representing 4,400 financial institutions, and NACHA, the Electronic Payments Association, which operates the ACH system for electronic funds transfer. In addition, Kyrus Tech supported Microsoft's case.

The Zeus family of malware runs in the background of an infected computer, logging keystrokes so criminals can transfer money out of bank accounts, make purchases with others' money, and engage in identity theft, Microsoft said. Command-and-control servers direct networks of infected machines called botnets, and Microsoft and its partners seized what they say are the servers that handled this command operation.

Microsoft has made similar moves with the Waledac, Rustock, and Kelihos botnets. But this operation was different, and not just because other partners were involved, Microsoft said.

"Due to the unique complexity of these particular targets, unlike our prior botnet takedown operations, the goal here was not the permanent shutdown of all impacted targets," Microsoft said. "Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organization that relies on these botnets for illicit gain."

And disrupting that operation is a potentially big deal: Microsoft estimates there are 13 million computers infected with Zeus and its variants, 3 million of them in the United States.

"Zeus is especially dangerous because it is sold in the criminal underground as a crimeware kit, which allows criminals to set up new command and control servers and create their own individual Zeus botnets," Microsoft said. "These crimeware kits sell for anywhere between $700 to $15,000, depending on the version and features of the kit."

Microsoft and its partners accused the defendants of violating the Computer Fraud and Abuse Act, the CAN-SPAM Act, and the Electronic Communications Privacy Act, of various trademark-related claims under the Lanham Act, and of violations of the Racketeer Influenced and Corrupt Organizations Act (RICO).

The partners involved in the suit are FS-ISAC, a trade organization with 4,400 members including banks, credit unions, brokerage firms, insurance companies, and payment processors, and NACHA, which operates the Automated Clearing House (ACH) network used to transfer money among financial institutions.

Microsoft's case, with the code-name Operation b71, took months to investigate. Many of its details are laid out in the lawsuit.

The Zeus family also includes the variants Ice-IX and SpyEye. Microsoft said John Doe 1, who goes by the names Slavik, Monstr, IOO, and Nu11, is the creator of Zeus. John Doe 2, aka zebra7753, lexa_mef, gss, and iceIX, created the Zeus family member Ice-IX, and John Doe 3, aka Harderman and Gribodemon, created another family member, SpyEye, the complaint said.

John Doe 5, aka miami and miamibc, John Doe 9, aka Kusunagi, and John Doe 38, aka jheto2002, are other developers involved, the complaint said: they wrote "Web inject" code, the rules the malware uses to alter banking pages inside a victim's browser so that it can capture login credentials and extra data such as PINs or card numbers that the real site never asks for. Some other defendants also were involved in developing the software.
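To make the "Web inject" technique concrete, here is an added example (not code from the article, the complaint, or the Zeus kit itself) that parses a rule written in the webinjects.txt-style syntax the Zeus 2.x family uses (set_url, data_before, data_inject, data_after, data_end), applies it to a login page the way the malware would inside the browser, and then shows the check a bank's back end can run: any form field the server never served is a tell. The URL, the page HTML, and the rule are constructed for the example; treating "G" and "P" in the set_url line as the GET/POST flags is an assumption about that syntax.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List

# Constructed sample rule in the webinjects.txt-style syntax (assumption: this
# set_url / data_before / data_inject / data_after / data_end layout; the bank
# domain and HTML are made up for the example). "*" is a wildcard in the anchors.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<p>For your security, confirm your ATM PIN:<br><input type="text" name="pin"></p>
data_end
data_after
data_end
"""

# Constructed login page as the bank's server actually serves it.
SAMPLE_PAGE = """\
<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="password" autocomplete="off">
<input type="submit" value="Log in">
</form>
"""


@dataclass
class WebInject:
    url_mask: str      # glob over the full URL, e.g. https://bank.example/login*
    flags: str         # assumption: G/P mean apply on GET/POST; others ignored here
    before: str = ""   # anchor text that must precede the injection point
    inject: str = ""   # HTML inserted into the page at that point
    after: str = ""    # anchor text that must follow the injection point


_SECTIONS = {"data_before": "before", "data_inject": "inject", "data_after": "after"}


def parse_webinjects(text: str) -> List[WebInject]:
    """Parse webinjects.txt-style text into a list of WebInject rules."""
    rules: List[WebInject] = []
    section = None
    buf: List[str] = []
    for line in text.splitlines():
        if line.startswith("set_url"):
            parts = line.split(maxsplit=2)
            rules.append(WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else ""))
        elif line in _SECTIONS:
            section, buf = line, []
        elif line == "data_end":
            if rules and section:
                setattr(rules[-1], _SECTIONS[section], "\n".join(buf))
            section, buf = None, []
        elif section is not None:
            buf.append(line)
    return rules


def _mask_to_regex(mask: str) -> str:
    """Turn an anchor with '*' wildcards into a regex; everything else is literal."""
    return ".*?".join(re.escape(part) for part in mask.split("*"))


def apply_injects(url: str, html: str, rules: List[WebInject]) -> str:
    """Return the page as the victim's browser would render it after injection."""
    for rule in rules:
        if not fnmatch(url, rule.url_mask):
            continue
        # Injection point: right after data_before, and only if data_after follows.
        pattern = _mask_to_regex(rule.before) + "(?=" + _mask_to_regex(rule.after) + ")"
        m = re.search(pattern, html, re.DOTALL)
        if m:
            html = html[: m.end()] + rule.inject + html[m.end():]
    return html


def unexpected_fields(served_html: str, rendered_html: str) -> List[str]:
    """Form fields present in what the browser shows but absent from what the
    server sent: the server-side tell for a web inject (the bank never served
    a 'pin' field, so a login POST that carries one is suspect)."""
    names = lambda h: set(re.findall(r'<input[^>]*\bname="([^"]+)"', h))
    return sorted(names(rendered_html) - names(served_html))


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_CONFIG)
    victim_view = apply_injects("https://bank.example/login?lang=en", SAMPLE_PAGE, rules)
    print(victim_view)
    print("fields the server never served:", unexpected_fields(SAMPLE_PAGE, victim_view))
```

The injected block lands immediately after the real password field, so the extra PIN prompt looks like part of the bank's own form; the only thing the server can observe is the field it never served, which is why the check compares the served page against what the client posts back rather than trusting the browser.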

John Doe 4, aka Aqua, aquaSecond, percent, cp01, and other aliases, recruits "money mules" whose job it is to create bogus bank accounts into which victims' money is transferred. Several of the other John Does are these money mules. John Does 23 and 24, aka jtk and Veggi Roma, respectively, also recruited money mules, the lawsuit said.

Many of the other defendants purchased and used the Zeus family of malware.

Source: CNET