Microsoft Fights Back Against Zeus Malware Ring

A collaborative effort between Microsoft, the Financial Services – Information Sharing and Analysis Center (FS-ISAC), Kyrus Tech. Inc., and NACHA – The Electronic Payments Association has put a major dent in the operations of the cybercriminals behind the Zeus banking malware ring.

According to a press release from Microsoft, the software giant and its partners, escorted by the U.S. Marshals, seized Zeus command-and-control servers in Lombard, Illinois, and Scranton, Pennsylvania, on March 23.  The servers were responsible for delivering malware updates, issuing commands to infected machines, and receiving stolen data.  They were seized on the premises of the two hosting companies while still active, before their operators could attempt to destroy the evidence.  Microsoft was permitted to take over 800 domains used by the Zeus servers, and two IP addresses used to run the operation were also taken down.  Microsoft called the bust, which was part of its effort to disrupt the infrastructure behind global fraud and identity theft, “an unprecedented, proactive cross-industry action.”

Named after the king of the Greek gods, Zeus made its way onto computers through several methods crafted by cyberthieves.  Some used phishing emails to trick users into downloading malicious executable files.  Others used drive-by downloads that exploited outdated browser versions and ran automatically as soon as a user visited an infected site.  Once installed, the Zeus Trojan earns its operators large sums by logging victims' keystrokes or by form-grabbing, capturing the contents of web forms as victims enter banking credentials and other sensitive financial information on their infected computers.

To launch their Zeus-related schemes, Microsoft says, criminals would purchase enhanced versions of the malware and build their own private botnets.  Kits containing the Zeus Trojan reportedly fetched prices ranging from $700 all the way up to $15,000.  The price tags were evidently worth paying: the three main families named in the action, Zeus, SpyEye, and Ice-IX, are said to have caused over $500 million in losses in the United States alone.  As an example of the malware's profitability for crime rings, 48 people were charged in the United States and the United Kingdom in 2010 for using the Trojan to bilk British banks of approximately $10 million.  Microsoft estimates that more than 13 million Zeus infections have been detected worldwide since 2007.

As for the perpetrators, Microsoft and the other organizations involved filed suit in the U.S. District Court for the Eastern District of New York against 39 John Doe defendants suspected of taking part in Zeus attacks.  A closer look at the court documents reveals a list of over 3,300 malicious domain names associated with the Zeus infrastructure, spread across 35 registrars.  The registrars are located in countries around the world, including Austria, Colombia, Iran, Italy, the Netherlands, Russia, and the United Kingdom.

While Microsoft’s successful raid does not mean the end for cybercriminals and the Zeus Trojan, the company firmly believes it is a huge step in the right direction to counteract online fraud.  Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit, described the raid and its effect: “We took down two IP addresses behind the Zeus ‘command and control’ structure. Microsoft also currently monitors 800 domains secured in the operation, which helps us to identify thousands of Zeus-infected computers.” 

Boscovich continued: “We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time.  Cybercriminals are in this for the money and this action was an unprecedented strike against the illicit infrastructure on which they rely. The operation will help further investigations against those responsible for the threat and help us better protect victims.”  
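The court filing's list of 3,300 domain names and Boscovich's remark that monitoring the secured domains identifies infected computers describe the same defensive technique: once C2 domains are known (seized, sinkholed, or simply blocklisted), any internal host that resolves one of them is a candidate infection.  The script below is an added illustration of that matching step, not code from Microsoft, its partners, or the article.  The domain list and the resolver log lines are constructed for the example (the `.example` TLD is reserved and the names are not real Zeus indicators); the log format is modelled on a BIND query log, and the matching requires a label boundary so that `notcfg-pull.example` does not match the indicator `cfg-pull.example`.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for the seized/monitored C2 domains.  These are NOT real
# Zeus indicators; .example is a reserved TLD.
SEIZED_DOMAINS = {
    "update-srv.example",
    "cfg-pull.example",
    "panel-gate.example",
}

# Constructed resolver log lines in a BIND-style query log format:
#   "<timestamp> client <ip>#<port>: query: <name> IN <type> + (<server>)"
SAMPLE_LOG = """\
23-Mar-2012 09:14:02.113 client 10.0.5.17#51234: query: UPDATE-SRV.example. IN A + (10.0.0.53)
23-Mar-2012 09:14:05.441 client 10.0.5.17#51240: query: www.example. IN A + (10.0.0.53)
23-Mar-2012 09:15:11.002 client 10.0.7.88#40011: query: a1.cfg-pull.example. IN A + (10.0.0.53)
23-Mar-2012 09:16:30.770 client 10.0.5.17#51301: query: panel-gate.example. IN A + (10.0.0.53)
23-Mar-2012 09:17:00.010 client 10.0.9.4#33000: query: notcfg-pull.example. IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def normalize(name):
    """Lower-case and drop the trailing dot so 'UPDATE-SRV.example.' == 'update-srv.example'."""
    return name.rstrip(".").lower()


def matches_indicator(name, indicators):
    """Return the indicator that `name` equals or is a subdomain of, else None.

    A bare suffix check (endswith(ind)) would flag 'notcfg-pull.example' against
    'cfg-pull.example'; requiring the '.' label boundary avoids that false positive.
    """
    n = normalize(name)
    for ind in indicators:
        ind_n = normalize(ind)
        if n == ind_n or n.endswith("." + ind_n):
            return ind_n
    return None


def find_infected_hosts(log_text, indicators):
    """Map client IP -> list of (timestamp, queried name, matched indicator)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        ind = matches_indicator(m["name"], indicators)
        if ind:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            hits[m["client"]].append((ts, normalize(m["name"]), ind))
    return dict(hits)


def summarize(hits):
    """Per-host triage view: first sighting, query count, distinct indicators touched."""
    return {
        client: {
            "first_seen": min(t for t, _, _ in events).isoformat(),
            "queries": len(events),
            "indicators": sorted({i for _, _, i in events}),
        }
        for client, events in hits.items()
    }


if __name__ == "__main__":
    for client, s in summarize(find_infected_hosts(SAMPLE_LOG, SEIZED_DOMAINS)).items():
        print(f"{client}: first {s['first_seen']}, {s['queries']} queries, "
              f"indicators {s['indicators']}")
```

On the constructed log this flags 10.0.5.17 (two distinct C2 domains) and 10.0.7.88 (a subdomain of a listed domain) and ignores 10.0.9.4, whose look-alike name only shares a suffix.  In practice the indicator list would be the seized-domain list itself and the log would be the enterprise resolver's or the sinkhole's query log; a host that appears here is a candidate for isolation and forensic review, not proof of infection, since a security scanner or a curious user can generate the same lookup.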

Commenting on the importance of the bust, Rik Ferguson of security firm Trend Micro said: “Of course, cybercrime is bigger than just 39 people.  But if nothing else, this indictment serves as a graphic illustration of the maturity of the criminal business model … let’s hope that this continued focus and international cooperation across the security and law enforcement communities can eventually make a significant dent in their illegal operations.”

Although the threat posed by Zeus and other banking malware cannot be denied, Microsoft said the goal of the raid was not to eliminate the Trojan outright.  Rather, the company said it hoped to “undermine the criminal infrastructure that relies on these botnets every day to make money.”  The Zeus banking Trojan is still at large, but the seized domains give Microsoft and its partners a way to identify infected machines so that victims can be notified and cleaned up, and the evidence gathered should support the prosecution of the cyberthieves behind the attacks.

Others are more skeptical.  Jose Nazario, a senior security researcher with security firm Arbor Networks, said, “You can take out a botnet, but unless you take down the coders and put the clients behind bars, they’re just going to go ahead and do this again.”
