Microsoft, financial coalition disrupt Zeus botnet
REDMOND, Wash. (3/28/12)--Botnets using Zeus malware to steal from online banking accounts suffered a lightning-bolt hit after Microsoft and a coalition of financial industry players took coordinated, global, legal and technical actions last week to disrupt key Zeus botnet command and control servers responsible for the theft of hundreds of millions of dollars.

The action, against some of the worst known cybercrime operations, was carried out by Microsoft, the Financial Services--Information Sharing and Analysis Center (FS-ISAC) and NACHA, The Electronic Payments Association, with assistance from Kyrus Tech Inc. and F-Secure, the coalition said in a press release Sunday.

Microsoft, FS-ISAC and NACHA filed a civil lawsuit in the U.S. District Court for the Eastern District of New York against 39 John Does and sought to conduct a coordinated seizure of command and control servers running some of the worst known Zeus botnets.

On Friday, escorted by U.S. Marshals, Microsoft and the co-plaintiffs seized command and control servers in two hosting locations--BurstNet of Scranton, Pa., and Continuum Data Centers, Lombard, Ill. (USA Today March 26). They seized and preserved data and virtual evidence from the botnets for the court case and took down two Internet Protocol addresses behind the Zeus command and control structure.

Microsoft is currently monitoring 800 domains secured in the operation, which are helping identify thousands of computers infected by Zeus.

The action is good news for credit unions and other financial institutions plagued with having to reissue debit and credit cards after data breaches by cybercriminal groups, but the problem is far from over. The actions taken last week caused major disruptions, but the Zeus botnets are notorious for their complexity and adaptability, and for staying a step ahead of law enforcement. The key value of the actions taken is the information they were able to gather about the criminal operations.

The coalition's action "disrupted a critical source of money-making for digital fraudsters and cyberthieves, while gaining important information to help identify those responsible and better protect victims," said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit.

Once a computer is infected with Zeus, the malware can monitor the victim's online activity and automatically start keylogging (recording every keystroke) when the victim types in the name of a financial institution or e-commerce site. The criminals then use the stolen personal information for identity theft, to make fraudulent purchases or to access other private accounts.

Since 2007, Microsoft has detected more than 13 million suspected infections of the Zeus malware worldwide, including three million computers in the U.S. More than $100 million has been stolen in the U.S. in the past five years (IDG News Service March 26). Microsoft's lawsuit identifies 39 John Does, who use 65 online aliases ( March 25). Many are identified only by nickname in the suit.

This is the second time Microsoft has conducted physical seizures in a botnet operation, and the first time other organizations have joined as plaintiffs in a legal case on a botnet operation.

It also is the first Microsoft operation that involved simultaneous disruption of multiple operating botnets in a single action, and the first known time Microsoft has applied the Racketeer Influenced and Corrupt Organizations (RICO) Act in a consolidated civil case to charge the botnet operators.

Unlike Microsoft's previous botnet seizures, the goal of this action was not to permanently shut down all affected botnets, but to gather intelligence and to undermine the criminal infrastructure that relies on the botnets to make money. It also will provide new tools to fight these cybercrimes, said the coalition's press release.

The group also made these recommendations to computer users:

  • Use safe practices such as running up-to-date and legitimate computer software, firewall protection and antivirus or antimalware protection.
  • Use caution in surfing the Web and clicking on ads or e-mail attachments that may be malicious.
  • Use free information and malware cleaning tools if the computer is suspected to have a malware infection. (See the malware cleaning tools link.)

For businesses looking for information about corporate account takeovers, including those due to malicious software, use the link to a fraud advisory from FS-ISAC, the Federal Bureau of Investigation and the U.S. Secret Service.