Microsoft Identifies Zeus Botnet Suspects

Microsoft counted two minor successes in its war on botnets on 2 July, putting names to two of the defendants in its lawsuit against a Zeus crime ring and noting that Zeus infections had dropped by almost half in the last three months.

As part of the Microsoft Active Response for Security (MARS) programme, the company filed a lawsuit against a group of unknown defendants – identified as “John Does” in the original complaint – for violation of a number of civil statutes. In a 2 July blog post, the company stated that it had identified two of the defendants, Yevhen Kulibaba and Yuriy Konovalenko, and amended the complaint.

Already in prison

The two defendants, however, are currently serving jail time in the United Kingdom for convictions related to the Zeus malware.

“Our best efforts to identify the remaining John Doe defendants turned up no response,” according to Microsoft’s complaint. “We will continue our efforts to serve defendants Kulibaba and Konovalenko, and the John Doe defendants, with this amended complaint.”

While positively identifying two defendants may appear to be a major win, the two suspects had already been identified by the Zeus Working Group, a loosely connected team of security researchers working to share information on Zeus, as well as security researcher and blogger Brian Krebs in May.

While the information may have already been uncovered, Microsoft has a higher bar to hurdle to put the information into its own complaint, says Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit (DCU).

“Many times, the information they have is compared with our independent analysis as we seek to file our civil cases,” said Boscovich. “We tend to be cautious about what we plea in our papers. Only after we feel confident that the information is accurate do we amend and name specific defendants.”

Anti-botnet success

While some of the perpetrators had already been identified, Microsoft’s impact on this particular version of the Zeus botnet appears to have been significant. The total number of attempts at spreading Zeus dropped from 780,000 for one week in March to 336,000 during a single week in June, the company stated.

“These successful results represent a significant advancement for the people that Microsoft, the financial industry and law enforcement are all focused on protecting as customers and citizens,” according to Microsoft.

Zeus botnets are networks of compromised computers created by criminals using the Zeus infection framework, a toolkit that allows the creation of malware, spam campaigns to spread the malware and server software to administer compromised computers. While other malicious software exists to create and manage botnets, the Zeus toolkit is perhaps the best known and widely used.

Over the past three years, Microsoft has used a combination of civil lawsuits to carry out court-ordered command-and-control server takedowns that hobbled the operations of four botnets. In addition to the latest Zeus botnet takedown, Microsoft has pursued the operations behind the Waledac, Rustock and Kelihos botnets.

The takedown of Rustock, for example, led to a sustained drop in spam levels. At the time of the takedown in March 2011, for example, nearly 150 million spam messages were seen every day, according to security firm CommTouch. A year later, spam levels were under 100 million per day, the firm stated in an analysis.

Are you a Skype champion? Take our quiz.