Score another point for Microsoft. The Redmond, Wash.-based software powerhouse announced late Sunday night that it had taken down several of the most damaging botnets connected to the powerful Zeus banking Trojan.
In what it described as its “most complex effort to date,” the Microsoft Digital Crimes Unit, in collaboration with the United States Marshals and several financial organizations including Financial Services—Information Sharing and Analysis Center, NACHA—The Electronic Payments Association and Kyrus Tech, aligned to coordinate an "unprecedented, proactive cross-industry operation” to disrupt several of the botnets related to the Zeus family of malware.
The effort, known as Operation b71, focused on Zeus, SpyEye and Ice-IX variants of the Zeus family, which to date have caused the greatest amount of financial harm worldwide—somewhere in the neighborhood of $500 million in damages, by Microsoft's estimations.
And this time, the effort seemed to work. The icing on the cake, which followed a months-long investigation, came March 23 when Microsoft used the long arm of the law to take down two IP addresses behind the Zeus ‘command and control’ structure, while simultaneously monitoring 800 domains used to identify thousands of Zeus-infected computers.
The highly lucrative, and seemingly indestructible Zeus Trojan, has made a name for itself over the last several years because of its ability to stealthily infiltrate and pilfer funds from users' banking sessions via keylogging, which records a user's keystrokes to access login credentials, impersonate users and withdraw money from their account. Once a computer is infected with Zeus, the malware automatically starts keylogging when a person types in the name of a financial or e-commerce institution, which gives cyber criminals a clear path into the user's session from that day forward.
The Zeus banking Trojan was especially destructive due to the fact that it was sold as a crimeware kit, which enabled cybercriminals to try their hand at botnet operation and establish new command and control servers to create their own “personalized” Zeus botnets. The kit sold from anywhere between $700 to $15,000, depending on the version and types of added features, according to Microsoft.
Altogether, Microsoft estimated the malware infected more than 13 million machines around the world, three million of those being in the U.S.
Taking a page from the Waledac, Rustock and Kelihos takedowns, the company filed a lawsuit earlier this month asking the court for permission to shut down the command and control servers of the Zeus botnets, citing the Lanham Act, used to physically seize servers from hosting providers, and the well-established Racketeer Influenced and Corrupt Organizations Act, which maintained that Zeus was controlled by highly organized criminal network, as the legal basis for the motion.
So does this mean curtains for Zeus? Well, maybe. Microsoft said that the operation almost certainly wielded some fatal blows against the notorious botnet. But although severely crippled, some Zeus botnets remain alive—at least for the time being.
“We don’t expect this action to have wiped out every Zeus botnet operating in the world,” wrote Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit, in a company blogpost. “However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time. Cybercriminals are in this for the money and this action was an unprecedented strike against the illicit infrastructure on which they rely.”
The fact that Zeus variants are still kicking might be a tad disconcerting, considering that researchers are not entirely certain how many remain in operation or how their owners will regroup. But, in light of the fact that some of the world's most malevolent threats have been put out of commission, it's a solid bet that the protracted assault will be just what's needed to secure the botnet's place in the history books.