Microsoft Retains Control of Zeus

Tuesday, December 4, 2012 @ 04:12 PM gHale

Microsoft won a court order to allow the company and its financial-services partners to continue to administer command-and-control servers for two Zeus botnets shut down by the company’s legal and technical campaign in March 2012.

The motion for a default judgment, granted Nov. 28 by the U.S. District Court in the Eastern District of New York, gives Microsoft and the National Automated Clearing House Association (NACHA) an injunction that allows the companies to keep the two Zeus botnets and their associated domains disabled for another 24 months.

Opera Site Serving Malvertising
Malware Alert: USB Smart Readers
New Java Attack in Exploit Kit
Malware with Terms of Service Pact

The original takedown, codenamed Operation b71, seized command-and-control servers in Pennsylvania and Illinois and disrupted the online-fraud networks.

“This additional time will allow Microsoft to continue to work with Internet service providers and Computer Emergency Response Teams (CERTs) to clean those computers that are still infected with the malware,” said Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit.

Zeus is perhaps the best known of a class of programs known as banking Trojans, designed to silently compromise a victim’s computer and allow an attacker to record banking credentials and piggyback on the user’s online financial sessions to steal money. Overall, Zeus is an infection framework that allows attackers to create malware and spread it using spam campaigns. In addition, the toolkit includes server software to manage the resulting network of compromised machines or botnet.

The takedown effort appeared to have a substantial impact on the spread of Zeus as the foundation of cyber-criminals botnets: Attempts at infecting systems with Zeus fell by more than half to 336,000 for a single week in June, from 780,000 for a week in early March.

Other successes have been minor. On July 2, the company publicly identified two of the defendants, Yevhen Kulibaba and Yuriy Konovalenko, but had discovered that they are currently serving jail time in the United Kingdom for convictions related to the Zeus malware. Officials have identities of only four of the 39 defendants originally named in the lawsuit.

Over the past three years, Microsoft has used a combination of civil lawsuits and technical takedowns to disrupt the operations of four botnets: Waledac in Operation b49, Rustock in Operation b107, Kelihos in Operation b79, and then the Zeus in the latest operation.

The most successful takedown may have been the shuttering of the Rustock botnet, which led to a sustained drop in spam levels. A year after the takedown, for example, spam had dropped to 100 million messages per day, from 150 million at the time of the takedown, according to messaging-security firm Commtouch.

Leave a Reply

You must be logged in to post a comment.