News Now

CU System
Microsoft, financial coalition disrupt Zeus botnet
REDMOND, Wash. (3/28/12)--Botnets using Zeus malware to steal from online banking accounts suffered a lightning bolt hit after Microsoft and a coalition of financial industry players took coordinated, global, legal and technical actions last week to disrupt key Zeus botnet command and control servers responsible for the theft of hundreds of millions of dollars.

The action, against some of the worst known cybercrime operations, was carried out by Microsoft, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and NACHA, The Electronic Payments Association, with assistance from Kyrus Tech Inc. and F-Secure, the coalition said in a press release Sunday.

Microsoft, FS-ISAC and NACHA filed a civil lawsuit in the U.S. District Court for the Eastern District of New York against 39 John Does and sought to conduct a coordinated seizure of command and control servers running some of the worst known Zeus botnets.

On Friday, escorted by U.S. Marshals, Microsoft and the co-plaintiffs seized command and control servers in two hosting locations--BurstNet of Scranton, Pa., and Continuum Data Centers, Lombard, Ill. (USA Today March 26). They seized and preserved data and virtual evidence from the botnets for the court case and took down two Internet Protocol addresses behind the Zeus command and control structure.

Microsoft is currently monitoring 800 domains secured in the operation, which are helping identify thousands of computers infected by Zeus.

The action is good news for credit unions and other financial institutions plagued with having to reissue debit and credit cards after data breaches by cybercriminal groups, but the problem is far from over. The actions taken last week caused major disruptions, but the Zeus botnets are notorious for their complexity and adaptability, and for staying a step ahead of law enforcement. The key value of the actions taken is the information they gathered about the criminal operations.

The coalition's action "disrupted a critical source of money-making for digital fraudsters and cyberthieves, while gaining important information to help identify those responsible and better protect victims," said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit.

Once a computer is infected with Zeus, the malware can monitor the victim's online activity and automatically start keylogging (recording every keystroke) when the victim types in the name of a financial institution or e-commerce site. The criminals then use the stolen personal information for identity theft, to make fraudulent purchases or to access other private accounts.

Since 2007, Microsoft has detected more than 13 million suspected infections of the Zeus malware worldwide, including three million computers in the U.S. More than $100 million has been stolen in the U.S. in the past five years (IDG News Service March 26). Microsoft's lawsuit identifies 39 John Does, who use 65 online aliases (PCWorld.com March 25). Many are identified only by nickname in the suit.

This is the second time Microsoft has conducted physical seizures in a botnet operation, and the first time other organizations have joined as plaintiffs in a legal case on a botnet operation.

It also is the first operation for Microsoft that involved simultaneous disruption of multiple operating botnets in a single action and the first known time it has applied the Racketeer Influenced and Corrupt Organizations (RICO) Act in a consolidated civil case to charge the botnet users.

Unlike Microsoft's previous botnet seizures, the goal of this action was not to permanently shut down all impacted botnets, but to gather intelligence and to undermine the criminal infrastructure that relies on the botnets to make money. It also will provide new tools to fight the cybercrimes, said the coalition's press release.

The group also made these recommendations to computer users:

  • Use safe practices such as running up-to-date and legitimate computer software, firewall protection and antivirus or antimalware protection.
  • Use caution in surfing the Web and clicking on ads or e-mail attachments that may be malicious.
  • Use free information and malware cleaning tools if the computer is suspected to have a malware infection. (See the malware cleaning tools link.)
For businesses looking for information about corporate account takeovers, including those due to malicious software, use the link to a fraud advisory from FS-ISAC, the Federal Bureau of Investigation and the U.S. Secret Service.