Microsoft and financial services organizations, with an escort of U.S. Marshals, seized command and control servers on Friday in two states as part of an attempt to take down botnets involving an estimated 13 million computers infected with the Zeus malware.
After the action in Scranton, Pa., and Lombard, Ill., “some of the worst known Zeus botnets were disrupted by Microsoft and our partners worldwide,” Microsoft announced Sunday night.
The seizure was made after the U.S. District Court for the Eastern District of New York approved the operation; Microsoft and its partners had filed a request to seize the computers and a suit against 39 as-yet-unnamed defendants who go by nicknames such as Slavik, Monstr, zebra7753, Nu11, iceIX, Veggi Roma, susanneon, JabberZeus Crew, and h4x0rdz. (See below for the full suit.)
“The United States Marshals and their deputies shall be accompanied by plaintiffs’ attorneys and forensic experts at the foregoing described seizure, to assist with identifying, inventorying, taking possession of, and isolating defendants’ computer resources, command and control software, and other software components that are seized,” the court’s seizure order stated. It also said the U.S. Marshals would preserve up to four hours of Internet traffic before disconnecting the computers from the Internet.
Microsoft has made similar moves before, but this was the first time others were involved: joining the company’s Digital Crimes Unit were the Financial Services Information Sharing and Analysis Center (FS-ISAC), NACHA, the Electronic Payments Association, and Kyrus Tech.
The Zeus family of malware runs in the background of an infected computer, logging keystrokes so criminals can transfer money out of bank accounts, make purchases with others’ money, and engage in identity theft, Microsoft said. Command-and-control computers run the networks of infected machines called botnets, and Microsoft and its partners seized what they say are the servers that handle this command operation.
Microsoft has made similar moves against the Waledac, Rustock, and Kelihos botnets. But this operation was different, and not just because other partners were involved, Microsoft said.
“Due to the unique complexity of these particular targets, unlike our prior botnet takedown operations, the goal here was not the permanent shutdown of all impacted targets,” Microsoft said. “Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organization that relies on these botnets for illicit gain.”
And disrupting that operation is a potentially big deal: Microsoft estimates there are 13 million computers infected with Zeus and its variants, 3 million of them in the United States.
“Zeus is especially dangerous because it is sold in the criminal underground as a crimeware kit, which allows criminals to set up new command and control servers and create their own individual Zeus botnets,” Microsoft said. “These crimeware kits sell for anywhere between $700 to $15,000, depending on the version and features of the kit.”