It’s a seemingly unending battle. Botnets get put up by bad guys, taken down by good guys and are replaced presumably by either the same or newer bad guys.
But Microsoft’s highly publicized leadership role in last Friday’s takedown of several botnets using Zeus malware is being called “unprecedented” — by Microsoft itself.
In a late Sunday blog post following raids in Pennsylvania and Illinois on Friday, Senior Attorney Richard Domingues Boscovich of Microsoft’s Digital Crimes Unit called the latest effort the “most complex” to date. Not only did it involve the Redmond computing giant, but also FS-ISAC (Financial Services – Information Sharing and Analysis Center), NACHA (The Electronic Payments Association) and Kyrus Tech Inc.
The objective, Boscovich writes, was not the permanent shutdown of all of the related botnets, but a “strategic disruption of operations” in order to “cause long-term damage to the cybercriminal organization that relies on these botnets.”
Microsoft says the Zeus malware is keylogger software, recording keystrokes such as passwords for financial institutions. Boscovich says Zeus is of particular concern because it can be purchased as a “crimeware kit” for anywhere between $700 and $15,000. More than 13 million suspected infections have been detected by Microsoft worldwide.
Instead of taking down the botnet as a whole, Boscovich says this action — which began with a civil suit — was designed to sever the command and control structure that enables Zeus botnets. Servers were physically seized, two IP addresses allegedly behind Zeus’ command and control structure were taken down, and 800 domains were secured to help identify Zeus-infected computers.
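The reason seized domains “help identify Zeus-infected computers” is that once a command-and-control domain is pointed at a server the defenders control (a sinkhole), any machine that keeps trying to reach it is almost certainly still infected. The script below is an added illustration of that defender-side matching step, not code from Microsoft, the article, or the operation itself; it assumes a simplified DNS query-log line format, and every domain, address and log line in it is a constructed placeholder rather than a real indicator from the Zeus case.

```python
"""Flag hosts whose DNS queries hit a sinkholed (secured) domain list.

Added example. The log format, the domain list and the addresses below are
all constructed placeholders; they are not indicators from the Zeus action.
"""
import re
from collections import defaultdict

# Constructed stand-in for the list of secured command-and-control domains.
SINKHOLED_DOMAINS = {
    "c2-example-one.invalid",
    "c2-example-two.invalid",
}

# Assumed, simplified query-log line:
#   <date> <time> client <src_ip>#<port>: query: <qname> IN <qtype>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise: drop a trailing root dot and compare case-insensitively.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def matches_sinkhole(qname, sinkholed):
    """Return the sinkholed domain that qname equals or is a subdomain of."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in sinkholed:
            return candidate
    return None


def find_infected_hosts(log_lines, sinkholed=SINKHOLED_DOMAINS):
    """Map each querying host to the sinkholed domains it asked for, with counts."""
    hits = defaultdict(lambda: defaultdict(int))  # src ip -> domain -> count
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        domain = matches_sinkhole(rec["qname"], sinkholed)
        if domain:
            hits[rec["src"]][domain] += 1
    return {src: dict(domains) for src, domains in hits.items()}


# Constructed sample log: two suspect hosts, one clean host, one junk line.
SAMPLE_LOG = [
    "01-Apr-2012 10:00:01.123 client 10.0.0.5#53412: query: c2-example-one.invalid IN A",
    "01-Apr-2012 10:00:02.456 client 10.0.0.7#41000: query: www.example.com IN A",
    "01-Apr-2012 10:00:03.789 client 10.0.0.5#53413: query: update.c2-example-two.invalid IN A",
    "01-Apr-2012 10:00:04.000 client 10.0.0.9#40001: query: C2-Example-One.invalid. IN A",
    "this line is not a query record",
]

if __name__ == "__main__":
    for src, domains in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(f"{src}: {domains}")
```

Matching on subdomains and normalising case matters in practice: bots frequently prepend host-specific labels or vary capitalisation, and an exact-string comparison would miss them. A real deployment would feed in the resolver’s own query log and the secured-domain list supplied by the takedown’s coordinators instead of the placeholders above.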
Microsoft says in a press release that it was the first time multiple botnets were disrupted simultaneously in a single action, and the first known time the Racketeer Influenced and Corrupt Organizations (RICO) Act was applied in a case of this type.
The upshot? “We have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time.”
Boscovich’s entire post is on The Official Microsoft Blog.
Frank Catalano is a regular GeekWire columnist, and is assisting this week while Todd Bishop is off. You can follow Frank on Twitter @FrankCatalano.