This is the fourth high-profile takedown operation in Microsoft’s Project MARS (Microsoft Active Response for Security) initiative. Earlier operations included successful actions against the Waledac, Rustock and Kelihos botnets.
Stuart Aston, Microsoft UK’s chief security advisor explained the significance. “Zeus is notorious for using keylogging,” he told Infosecurity, “a technique that allows the botnet operator to monitor people’s online activity and gain access to usernames and passwords in order to steal identities, withdraw money, and make online purchases. Experts believe these botnets are responsible for nearly half a billion dollars in damages. Valuable evidence and intelligence gained in the operation will be used both to help rescue people’s computers from the control of Zeus, as well in an on-going effort to undermine the cybercriminal organization and help hold those responsible accountable for their actions.”
The sheer scale of the operation is astounding. Thirty-nine defendants are ‘named’ by their online nicknames: the first three being the creators of Zeus, Ice-IX and SpyEye. On Friday, Microsoft and US Marshals took physical control over Zeus command and control servers in two hosting locations in the US, and took down two IP addresses. Microsoft is currently monitoring 800 domains used by the Zeus botnets in order to identify infected users. The intention then will be to liaise with relevant ISPs to help those users remove the infection. “With this legal and technical action,” Stuart Aston told Infosecurity, “a number of the most harmful botnets using the Zeus family of malware worldwide have been disrupted in an unprecedented, proactive cross-industry operation against this cybercriminal organization.”
The legal effort required to justify and co-ordinate such a wide-ranging operation is extensive. It includes a 50 page support declaration from Microsoft’s Mark Debenham (a senior manager of investigations in Microsoft’s Digital Crimes Unit) that in turn includes a detailed analysis of Zeus, its structure, its use, the damage it causes, and the way it defends itself – and that “since 2007, Microsoft has detected suspected infections on 13,730,116 end-user computers.” It also includes, as Exhibit 1, a letter of support from Francis Maude, Minister for the Cabinet Office and Paymaster General in the UK. In this letter Maude describes the effect of Zeus in the UK. “In one example from late 2011,” he says, “Zeus malware attempted to propagate and infect computers on over 50 Government networks...” With this supporting letter, said Aston, “we were able to show harm outside just the United States and this was a significant factor in our case.”
Reaction from the wider security industry has been ‘up-beat’. “Really good news,” said Luis Corrons of Panda Security. “We all should be very grateful to Microsoft for this operation against Zeus botnets.” “Anything that hurts ZeuS-related operations gets a cheer from me,” added ESET’s David Harley. But the reality is, although in Harley’s words this is ‘a significant win’, Zeus is not completely going away anytime soon. “Let’s hope that with the information found in the seized servers cybercriminals can be carried to justice,” said Corrons, “as otherwise it is only a matter of time until they strike back.” “If nothing else,” adds Trend Micro’s Rik Ferguson, “this indictment serves as a graphic illustration of the maturity of the criminal business model.”
“We don’t expect this action to have wiped out every Zeus botnet operating in the world,” writes Richard Domingues Boscovich, senior attorney with the Microsoft Digital Crimes Unit. “However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time.” It will also help an unknown number of infected users, currently unaware that their computers are secretly harboring Zeus, to get clean.