Microsoft, together with partners from the financial services industry, has hit the operators of a botnet running the Zeus Trojan.
Escorted by U.S. Marshals, staff of the companies seized command and control (C&C) servers in two hosting locations — Scranton, Pa. and Lombard, Ill. — and took down two IP addresses related to the C&C structure.
Microsoft is monitoring 800 domains secured in the operation to identify what it says are thousands of computers infected by Zeus.
This is the second time Microsoft has physically seized equipment in an attack on botnet operators. It’s the first time other organizations have joined the vendor as plaintiffs against a botnet operator.
Doing the Right Thing?
“Here we have a rather complex fraudulent scheme in the works for some time to defraud banks and others and infect computers worldwide,” Ray Van Dyke, a Washington, D.C.-based technology and IP attorney, told the E-Commerce Times. “Microsoft’s actions, like those of any other property owner, to protect their property, are not a bad thing.”
Governments are often overwhelmed by the scale and complexity of cybercrime and other forms of intellectual property theft, Van Dyke said. “Microsoft here acted as an interested corporate citizen.”
Microsoft and its partners were within the law in raiding the target locations because “the entire purpose behind civil law is to allow individuals and companies to enforce the law for their own private benefit,” Yasha Heidari, an attorney at the Heidari Power Law Group, told the E-Commerce Times.
Who Did What to Whom and How
FS-ISAC (The Financial Services, Information Sharing and Analysis Center) and electronic payments organization NACHA, jointly filed suit against the suspects in the United States District Court for the Eastern District of New York.
FS-ISAC and NACHA joined in because the botnet operators used Zeus to steal victims’ online banking credentials and transfer stolen funds.
FS-ISAC is a nonprofit private organization developed and owned by financial institutions that shares information about threats to physical and cybersecurity among them. NACHA manages the development, administration and governance of the Automated Clearing House (ACH) network, which constitutes the backbone for moving funds and data electronically.
This is the first operation for Microsoft that involved the simultaneous disruption of multiple operating botnets in one action. It’s also the first known time the Racketeer Influenced and Corrupt Organizations (RICO) Act has been used as the legal basis in a civil case to charge those accused of being responsible for operating a botnet.
“RICO allows you to charge all of the actors in one legal proceeding,” Richard Boscovich, senior attorney with the Microsoft Digital Crimes Unit, told the E-Commerce Times. It also “underscores the organized nature of the criminal operation.”
Charges were filed against 39 John Does — meaning unnamed plaintiffs — in the case.
RICO, Si; Suave, No
The RICO Act is a U.S. federal law that provides for extended criminal penalties and a civil cause of action against acts performed as part of an ongoing criminal action.
It allows the leaders of a syndicate to be tried for the crimes that they instructed others to perform, closing off a loophole that organized crime leaders employed by distancing themselves from crimes they had ordered carried out.
Under RICO, members of an enterprise who have committed any two of 35 crimes within a 10-year period can be charged with racketeering. If found guilty, they can be fined up to US$25,000 and sentenced to 20 years in prison per count of racketeering. Further, the convicted racketeers must forfeit all ill-gotten gains and interest in any business gained through a pattern of racketeering activity.
RICO also lets private individuals harmed by the actions of a racketeering enterprise to file civil suits against them. If the suit’s successful, the plaintiffs can collect treble damages.
“Because this is a civil case, the burden of proof is less than for a criminal case,” the Power Law Group’s Heidari commented. “The defendants will not, however, receive any jail time.”
“RICO is a high-end attack on organized criminal activities which, with the Zeus network, is warranted,” Van Dyke stated.
Microsoft’s legal action does not rule out the later filing of criminal charges by legal authorities.
“We always leave the door open to criminal referral of these civil cases when appropriate,” Microsoft’s Boscovich said. “Several of the charges we have filed will easily translate into criminal violations.”
Zeus, a God of Malware
Security experts widely regard Zeus as a highly dangerous form of malware.
First identified in 2007, it has become one of the most widespread forms of malware. Zeus botnets are estimated to include nearly 4 million PCs in the United States alone.
In 2010, 56 people were arrested in the United States and the UK in an international operation against attacks using Zeus.
Cybercriminals have created several variants of Zeus. Listings for some variants of the Zeus botnet are available on this Microsoft Web page.
“All computer users would benefit by eliminating or suppressing the malicious use of software in our computers,” Van Dyke said.