Microsoft, working with others in the financial services and computer security industry, has disrupted a number of botnets being used by the Zeus malware family.
The company claims that botnets using ZeuS, SpyEye and Ice-IX variants of the ZeuS family of malware are responsible for nearly half a billion dollars in damages.
Office buildings in Illinois and Pennsylvania were raided by US Marshals, accompanied by Microsoft investigators, on Friday, and web servers being used by cybercriminals deactivated. The seized computers will be examined to see if they reveal further information about who might be behind the criminal campaign. At the same time, the firm seized control of hundreds of web domains being used for malevolent purposes.
Microsoft’s Digital Crimes Unit even put together a natty video, giving a little colour to the operation:
Of course, Microsoft has a big interest in making the internet a safer place. Most malware, for instance, targets Windows rather than Mac users – and the last thing Microsoft wants is for the prevalence of malware to be a reason for people to purchase their next computer from Apple instead.
Frankly, I don’t care if Microsoft doesn’t have entirely altruistic motivation for bringing down the bad guys – I’m just glad that they are actively pursuing those responsible for organised cybercrime, and trying to make the internet safer.
So far, SophosLabs hasn’t seen any evidence of significant disruption to Zeus’s activities through Microsoft’s action. Because Zeus and SpyEye are sold as kits any takedown against specific botnets will not affect all the other botnets which are still out there.
Since the kits are still available (freely in source form in the case of Zeus) it is highly likely that we will continue to see botnets created using them.
Microsoft and the National Automated Clearing House Association has filed an action against almost 40 as-yet-unnamed “John Does” in connection with the investigation. So far all that has been made public are the suspects’ aliases:
Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits and the JabberZeus Crew
Some of these individuals are said to have written the Zeus or SpyEye code, others are said to have developed exploits which helped infect victims’ computers. Others are said to be, or have recruited, money mules who laundered the proceeds of the criminal scheme.
Ultimately, the most important thing will be to bring those who write the malware, sell the malware, buy the malware, or profit from its use to justice. Taking over web servers is one thing, but unless the people behind the Zeus and other malware operations are brought to book, the crime is just going to continue.
- Read the full complaint against the Zeus botnet operators.
- Read “What is Zeus”, a technical paper by James Wyke of SophosLabs.