Microsoft’s security division has been active again in helping to take down two US Zeus botnet command and control (C&C) servers as part of an international offensive against the bank-robbing network.

Operation b71, as the overall offensive is known, was supported by computer threat protection company F-Secure, the Financial Services Information Sharing and Analysis Center (FS-ISAC), the electronic payments organisation Nacha, and digital forensics and penetration testing specialist Kyrus Tech, among others, with the aim of severely disrupting the Zeus networks.

Legally bombed

In the US takedowns, Microsoft’s Malware Protection Center (MPC) joined FS-ISAC and Kyrus to seize systems based in Scranton, Pennsylvania, and Lombard, Illinois. Gaining the legal right to enter premises and confiscate hardware, together with the malware running on it, requires a court hearing. After obtaining the necessary permissions from a New York court, the team moved in on both sites, accompanied by US law enforcement officials.

In a blog, Microsoft principal group programme manager Jeff Williams said: “Due to the complexities of these targets, unlike Microsoft’s prior botnet operations, the goal of this action was not the permanent shutdown of all impacted Zeus botnets. However, this action is expected to significantly impact the cybercriminals’ operations and infrastructure, advance global efforts to help victims regain control of their infected computers and also help further investigations against those responsible for the threat.”

The Zeus Trojan is a particularly widespread piece of malware because it has been released as a kit that can be repurposed by anyone who cares to buy it for between £450 and £9,500 – it pays to shop around in today’s malware supermarkets. Zeus is a keylogging and form-grabbing application that targets financial information such as bank logons and payment card details. The best estimate of the number of infected personal systems linking to C&C servers around the world is 13 million.

Apart from the satisfaction of closing down the operations, Microsoft MPC, part of the company’s Digital Crimes Unit, also gained two key IP addresses and around 800 domains relating to Zeus operations. Control of these will enable the company to contact and clean thousands of infected systems.

This is the fourth success for the Microsoft Digital Crimes Unit within its own Project Mars (Microsoft Active Response for Security) initiative to disrupt botnets and help victims regain control of their infected computers. The previous actions caused severe disruption to the Rustock, Waledac and Kelihos spam operations.

Information gained from the takedown will be shared with ISPs and Community Emergency Response Teams (CERTs) around the world.


Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope, with expertise in security, the channel, and Britain's startup culture, the last through his TechBritannia initiative.
