Microsoft and others Friday disrupted Zeus keylogging malware networks.
Online networks of compromised computers controlled by cybercriminals and used to spread Zeus keylogging malware (designed to steal credit card account numbers, passwords and other information used in fraudulent online financial transactions) were disrupted Friday by Microsoft Corp. and financial industry groups, following an investigation that spanned several months, Microsoft reported.
The action resulted in the seizure of “command and control” Internet network servers in Scranton, PA, and Lombard, IL, that had been used by criminals to spread Zeus malware through networks of compromised computers, or botnets. “With this legal and technical action, a number of the most harmful botnets using the Zeus family of malware worldwide have been disrupted,” Richard Domingues Boscovich, senior attorney, Microsoft Digital Crimes Unit, said in a post yesterday on Microsoft’s news blog.
Microsoft collaborated in the investigation with two financial industry groups, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and NACHA, the Electronic Payments Association, and with security technology company Kyrus Tech Inc.
Boscovich said the investigation, code-named Operation b71, focused on botnets using multiple variants of the Zeus family of malware, including Zeus, SpyEye and Ice-IX. These Zeus variants are considered to be responsible for having caused the most harm to Internet users, resulting in nearly $500 million in damages, he said. Zeus malware is particularly troublesome, he added, because cyber criminals can purchase software kits through the black market to build their own Zeus botnets. The kits sell for anywhere from $700 to $15,000, he said.
Microsoft and its collaborators in the investigation filed a lawsuit on March 19 in U.S. District Court for the Eastern District of New York and secured permission to seize the computer systems used by Zeus cybercriminals. The suit cited trademark violations under the federal Lanham Act, contending that the criminals infringed Microsoft’s trademarked names by using them in fake e-mails; the suit also invoked the federal Racketeer Influenced and Corrupt Organizations Act, or RICO, to pursue a consolidated case against everyone associated with the targeted Zeus operation, Boscovich said.
U.S. Marshals on Friday escorted personnel from Microsoft and the two financial industry groups to seize the Zeus botnet servers in Scranton and Lombard.
Internet security experts have said interruptions of botnet operations are typically temporary, because cybercriminals usually rebuild their botnets on new infrastructure. Boscovich, however, said the recent action should have an unusually long-term effect.
“We don’t expect this action to have wiped out every Zeus botnet operating in the world,” he said in his blog post. “However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time.”
Still, some security experts are skeptical. “This was definitely significant, but how significant no one knows yet,” says Avivah Litan, an Internet security analyst with technology research and advisory firm Gartner Inc. “It’s way too early to tell.”
Microsoft offers free malware cleaning tools at http://support.microsoft.com/botnets that can help people remove Zeus and other malware from their computers.