In collaboration with the financial services industry and the US government, Microsoft has dismantled another major malware network, raiding command-and-control servers in Scranton, Pennsylvania and Lombard, Illinois on Friday. Microsoft described the undertaking as its most complex effort against botnets to date, as its target involved cross-industry threats using the Zeus malware family including ZeuS, SpyEye and Ice-IX, which are said to be responsible for nearly half a billion dollars in damages.
Describing the infection, Microsoft said Zeus malware could monitor a victim's online activity and log keystrokes to compromise the credentials of a user's account -- typically a financial account, such as one at a bank or online store. With those credentials, cybercriminals can steal the victim's identity, make fraudulent purchases or pursue other nefarious activities. Microsoft reports that since 2007, it has detected over 13 million suspected infections of the Zeus malware worldwide, including roughly 3 million in the US alone.
Leading up to last Friday's raid, Microsoft and its partners filed suit against 39 "John Does" who have only been named by their online aliases (listed below) and are thought to be involved with the Zeus operation. During the raid, investigators seized servers, data and other evidence involved in the case and disabled two IP addresses behind the command-and-control centers. Microsoft is currently monitoring 800 domains secured in the operation to help identify and clean infected machines.
Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits and the JabberZeus Crew
"Because of the complexities of these targets, unlike Microsoft's previous botnet operations, the goal of this action was not to permanently shut down all impacted Zeus botnets. However, this action is expected to significantly impact the cybercriminals' operations and infrastructure, advance global efforts to help victims regain control of their infected computers, and also help further investigations against those responsible for the threat," the software giant said, noting that it still has plenty of work to do.
SophosLabs reports that it hasn't seen a significant disruption to Zeus' activities over the last few days, as the malware can be used by any cybercriminals to form new botnets. In its source form, Zeus can be had for free, while other variants are sold in kits for between $700 and $15,000. Folks concerned their system might be affected by Zeus or other botnets can visit Microsoft's Virus and Security Solution Center for more information about malware, including various avenues for cleaning infected machines.