Skip to main content

Microsoft Seizes Two Zeus Botnet Server Command Stations

On Sunday Microsoft sent out a press release announcing that -- with the collaboration of the financial services industry -- it successfully executed a coordinated global attack against some of the most harmful Zeus botnets on the planet. The raid was conducted at two nondescript office buildings in Scranton, Pa., and Lombard, Ill. on Friday by Microsoft's legal team and technical personnel. They were accompanied by United States marshals with a warrant in hand.

Microsoft said the raids were made possible through a successful pleading before the U.S. District Court for the Eastern District of New York (Case No. CV 12-1335 (CBA)). And because these Zeus botnets were used to steal personal information, FS-ISAC and NACHA joined Microsoft as plaintiffs in the civil suit, and Kyrus Tech Inc. served as a declarant in the case. Other organizations, including F-Secure, also provided supporting information for the case. The resulting warrant allowed Microsoft and its partners to conduct a coordinated seizure of command and control servers running some of the more highly-offensive Zeus botnets.

"With this action, we’ve disrupted a critical source of money-making for digital fraudsters and cyberthieves, while gaining important information to help identify those responsible and better protect victims," said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit. "The Microsoft Digital Crimes Unit has long been working to combat cybercrime operations, and today is a particularly important strike against cybercrime that we expect will be felt across the criminal underground for a long time to come."

Before shutting the command and control servers down, Microsoft and the U.S. Marshals collected virtual evidence to be used against the "John Doe" individuals behind the botnets. They also nuked two IP addresses used by the Zeus command and control structure, and took control of 800 domains which will be monitored to identify thousands of computers infected by the Zeus malware.

Is this the end of Zeus? Far from it. Microsoft had no intention of shutting down the entire Zeus botnet ecosystem. Instead, the raid is expected to damage the cybercriminals' operations and infrastructure. It's also expected to help victims regain control of their PC while accelerating further investigations against those responsible for the Zeus botnet. In other words, Microsoft wants to catch them in the act, and the raid on Friday provided evidence leading them closer to the Zues Botnet King. Boscovich himself even said the sweep was meant to send a message to the criminals behind the botnet operation, that Microsoft is on the prowl.

"As with its previous botnet operations, Microsoft will now use the intelligence gained from this operation to partner with Internet service providers and Community Emergency Response Teams around the world to help rescue people’s computers from the control of Zeus, helping to reduce the size of the threat that these botnets pose and to help make the Internet safer for consumers and businesses worldwide," the company said on Monday. "Together, these aspects of the operation are expected to undermine the criminal infrastructure that relies on these botnets every day to make money and to help provide new tools for the industry to work together to proactively fight cybercrime."

Previously Boscovich, a former federal prosecutor, handled drug, computer and financial crime cases in Miami before taking the role of senior attorney for the Microsoft Digital Crimes Unit. The raid is reportedly his "brainchild," as he came up with the idea to argue with the court that the hackers behind the Zeus botnet were violating Microsoft’s trademarks through fake e-mails they used to spread their malicious software. Clever.

Microsoft uploaded an awesome video covering the actual raids here.