Ungodly Battle: Microsoft Versus Zeus
March 26, 2012

Lawrence LeBlond for RedOrbit.com

Software giant Microsoft, working closely with the United States Marshals Service, launched what it is calling its "most complex effort to disrupt botnets to date," seizing hundreds of web addresses in an attempt to bring down Zeus-based botnets.

According to a New York Times report, US marshals raided offices in Pennsylvania and Illinois on Friday, March 23, to shut down servers and obtain evidence for a civil suit Microsoft brought against several bot-herders and their botnets.

To initiate the search and seizure, Microsoft effectively argued that the botnet operators have been violating its trademarks and damaging its reputation. This marks the software company's fourth large takedown measure.

Botnets rely on an army of compromised personal computers to funnel personal data to bot-herders as unsuspecting victims browse the Web. Botnets are also used as a tool for bringing down websites, with botnet operators offering to overload pages with a constant stream of traffic -- known as distributed denial of service (DDoS) attacks -- by remotely controlling infected PCs.

The infections are often prompted by spam emails that invite users to click on a purportedly safe link from a trusted site, such as Microsoft. Although the email and the sites the links point to may look legitimate, right down to the very last detail, these are malicious attempts by scammers to take control of your computer, stealing data and turning it into a spamming weapon.

The decision to use civil action rather than simply report the cases was made by Richard Boscovich, federal prosecutor turned senior lawyer in the digital crimes unit at Microsoft. He devised a unique legal strategy to fortify the growing number of civil suits Microsoft is bringing against bot-herders.

Boscovich also argued that those operators behind the botnets were violating Microsoft's trademarks through false emails they used to spread their malicious software. He said the Friday seizure was meant to send a blunt message to criminals behind the scheme, whose identities remain unknown.

"We're letting them know we're looking at them," Boscovich said, according to NY Times reporters Nick Wingfield and Nicole Perlroth, after participating in the raid at a Scranton, Pennsylvania address.

Before Friday's raid, Microsoft had attacked three botnets in the past few years using civil suits. In each of those cases, Microsoft obtained court orders that permitted it to seize Web addresses and computers associated with the botnets without first notifying owners of such property. Microsoft maintained the secrecy was necessary to prevent criminals from re-establishing new communications links to their infected host computers.

Although such measures have not eradicated the problem, some security experts believe Microsoft's tactics have been effective to a degree.

"Taking the disruption into the courthouse was a brilliant idea and is helping the rest of the industry to reconsider what actions are possible, and that action is needed and can succeed," Richard Perlotto, director at the data tracking service Shadowserver Foundation, told NY Times.

However, both Perlotto and Microsoft have said they did not see civil legal action against people who commit these online crimes as a replacement for law enforcement action, which usually results in harsher penalties.

"We equate this to a neighborhood watch," Boscovich said.

The Zeus botnets targeted by Microsoft in its latest takedown efforts offer their botnet code for sale to others, and, depending on the level of customer support and customization of the code that clients require, charge between $700 and $15,000 for the software, according to Microsoft in its lawsuit filed in federal court in Brooklyn on March 19.

Selling their code has made Zeus botnets harder to combat. Most of them are aimed at perpetrating financial scams against online victims. These online criminals hire people known as money mules to travel to different countries to set up bank accounts so they can receive transfers of stolen money from victims' accounts, Microsoft said in its suit.

Microsoft added that the Zeus botnets have been responsible for the theft of more than $100 million from victims since 2007 and that 13 million computers were infected with some form of the software associated with it.

Because of the financial fraud involved, Microsoft garnered support from two financial industry associations -- the Financial Services Information Sharing and Analysis Center and the National Automated Clearing House Association -- both of which filed court declarations endorsing Microsoft's Friday search.

Microsoft said it does not believe the operators of the facilities raided on Friday, which rent space to clients on computers connected to the Internet, are closely associated with those behind the botnets. And the operators at the facilities said they had no idea their equipment was being manipulated by the Zeus botnet.

"It's very difficult, unless they draw attention to themselves, to pick up on it," said Joe Marr, chief technology officer of BurstNet Technologies, the facility in Scranton that Microsoft entered Friday.

The evidence gathered in the operation "will be used both to help rescue people's computers from the control of Zeus, as well as in an ongoing effort to undermine the cyber criminal organization," Boscovich said.

Microsoft said that, while the action won't totally exterminate the Zeus botnet, it has disrupted some of the most harmful ones and it should have a significant impact on cyber criminals for quite some time.

"Due to the unique complexity of these particular targets, unlike our prior botnet takedown operations, the goal here was not the permanent shutdown of all impacted targets," Boscovich noted. "Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cyber criminal organization that relies on these botnets for illicit gain."