Zombies: brought down by the police to destabilise ZeuS
March 27th, 2012 - 09:10 am ET by J. G.
Working in collaboration with financial institutions, Microsoft has conducted an operation to take down botnets that use variants of the ZeuS malware.
Microsoft is continuing to hunt zombies by attacking botnets. These networks of malware-infected computers are under the control of remote attackers, who use them to carry out malicious actions.
After Waledac, Rustock and Kelihos, Microsoft is now targeting ZeuS through an operation dubbed b71. The botnets in question use malware from the ZeuS family, and Microsoft is going after them with the help of financial services and computer security companies.
The action is being conducted on both technical and legal fronts, with a lawsuit filed against forty people, identified by pseudonym, who are linked to the spread of ZeuS botnets.
Microsoft nevertheless remains guarded about claiming that it will dismantle the network. Given the complexity of ZeuS, the aim is not to shut the botnets down permanently but to cause a "strategic disruption" and "cause long-term damage" to the cybercriminal organisation that relies on the botnets for financial gain.
ZeuS is in fact a toolkit sold on the black market for between 700 and 15,000 dollars, depending on the functions required. Microsoft has indicated that it has detected more than 13 million infections, including more than 3 million in the United States.
The malware can, for example, record keystrokes to monitor online activity and capture user names and passwords, which allow criminals to steal users' identities. Beyond withdrawals from bank accounts, online purchases may also be made without the user's knowledge.
Last Friday, Microsoft's investigators accompanied US Marshals in the physical seizure of command servers located at hosting providers in Pennsylvania and Illinois. Two IP addresses behind the ZeuS command and control structure were disabled, and 800 domain names belonging to ZeuS were secured.
This raid will also allow for the identification of thousands of computers infected by ZeuS, while helping to learn more about the implicated cybercriminal network.
Just under a year ago, the ZeuS source code was published on the web, at a time when the network seemed to be losing momentum. Since Microsoft's action, no impact on ZeuS is yet visible in terms of active domains, which saw a fall in late February.