Microsoft Can Retain Control of Zeus Botnet Under Federal Court Order

A federal court grants Microsoft permission to keep two major Zeus banking fraud botnets down for the next two years to allow more time to clean up trojan-infected computers.

Microsoft won a court order on Nov. 28 to allow the company and its financial-services partners to continue to administer command-and-control servers for two Zeus botnets that had been shut down by the company's legal and technical campaign in March 2012.

The motion for a default judgment, which was granted by the U.S. District Court in the Eastern District of New York, gives Microsoft and the National Automated Clearing House Association (NACHA) an injunction that allows the companies to keep the two Zeus botnets and their associated domains disabled for another 24 months. The original takedown, codenamed Operation b71, seized command-and-control servers in Pennsylvania and Illinois and disrupted the online-fraud networks.

"This additional time will allow Microsoft to continue to work with Internet service providers and Computer Emergency Response Teams (CERTs) to clean those computers that are still infected with the malware," Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit, said in an email interview.

Zeus is perhaps the best known of a class of programs known as banking trojans, designed to silently compromise a victim's computer and allow an attacker to record banking credentials and piggyback on the user's online financial sessions to steal money. Overall, Zeus is an infection framework that allows attackers to create malware and spread it using spam campaigns. In addition, the toolkit includes server software to manage the resulting network of compromised machines or botnet.

The takedown effort appeared to have a substantial impact on the spread of Zeus as the foundation of cyber-criminals botnets: Attempts at infecting systems with Zeus fell by more than half to 336,000 for a single week in June, from 780,000 for a week in early March.

Other successes have been minor. On July 2, the company publicly identified two of the defendants, Yevhen Kulibaba and Yuriy Konovalenko, but had discovered that they are currently serving jail time in the United Kingdom for convictions related to the Zeus malware. In total, only four of the 39 defendants originally named in the lawsuit have been identified.

Over the past three years, Microsoft has used a combination of civil lawsuits and technical takedowns to disrupt the operations of four botnets: Waledac in Operation b49, Rustock in Operation b107, Kelihos in Operation b79, and then the Zeus in the latest operation.

The most successful takedown may have been the shuttering of the Rustock botnet, which led to a sustained drop in spam levels. A year after the takedown, for example, spam had dropped to 100 million messages per day, from 150 million at the time of the takedown, according to messaging-security firm Commtouch.

Microsoft is not the only company pursuing the takedown of botnets, but the software giant is the only one to use legal tactics as a significant component of its strategy. Security firm FireEye, for example, called for the takedown of the Grumm botnet, but relied on the goodwill of authorities in other nations to aid in the shuttering of the network's command-and-control servers.