03/26/2012

Zeus Botnet Sting Led by Microsoft

The good guys are always happy to see positive action toward stopping a botnet--particularly strong action like Microsoft's "Operation b71."

SecurityWeek.com has a great story of the Microsoft Zeus Botnet Sting. As you might expect, there's a lot of cooperation between different companies and agencies needed to take out this kind of thing.

Here's the guts of the takedown story:
"Microsoft and its co-plaintiffs, escorted by U.S. Marshals, seized command and control (C&C) servers in two hosting locations on March 23 in Scranton, Pennsylvania and Lombard, Illinois.

"The move, which Microsoft said was its 'most complex effort to disrupt botnets to date,' was to seize and preserve data and evidence from the botnets to use in a case against multiple botnet operators.

"In addition to seizing the C&C servers, the group took down two IP addresses behind the Zeus command and control structure, and secured 800 domains that Microsoft is now monitoring and using to help identify computers infected by Zeus."
What caught my eye here was the scope of the botnet operation. Eight HUNDRED domains.

Figure the domains cost $5-$10 each, so the domain names alone ran $4,000 - $8,000. If the bad guys are spending that kind of dough just on domain names, there's no doubt they're making real cash from the botnet.

As much as most people would hate to admit it, it is a business. (It's a business most of us wouldn't touch with the proverbial ten foot pole, but it is a business.)

Unfortunately, it's not the end of Zeus. Not even close. Was it a setback for the operators? Yes. The end? No.
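The 800 seized domains are doing more than just sitting idle: once they resolve to a server Microsoft controls, every infected PC that tries to phone home announces itself in the server's logs. That technique is called sinkholing. The script below is an added example of how that monitoring works, not code from Microsoft, the SecurityWeek story, or the Zeus authors. The domain names, client IPs, request paths, and log lines are all constructed for illustration and are not real Zeus indicators; the only assumption is a standard web-server access log with the virtual host prepended to each line.

```python
"""Sinkhole log triage: list hosts that contacted seized C&C domains.

Added example, not part of the original post or any real takedown tooling.
Domains, IPs, request paths and log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Domains assumed to have been seized and pointed at the sinkhole (hypothetical names).
SINKHOLED_DOMAINS = {"update-check.example.net", "cfg-pull.example.org"}

# Constructed access-log lines, Common Log Format with the virtual host prepended:
# "<vhost> <client ip> - - [timestamp] "<request>" <status> <bytes>"
# One line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
update-check.example.net 198.51.100.23 - - [24/Mar/2012:03:14:07 +0000] "POST /report HTTP/1.1" 200 12
update-check.example.net 198.51.100.23 - - [24/Mar/2012:03:15:09 +0000] "POST /report HTTP/1.1" 200 12
cfg-pull.example.org 203.0.113.8 - - [24/Mar/2012:03:15:40 +0000] "GET /config HTTP/1.1" 200 1203
www.example.com 192.0.2.77 - - [24/Mar/2012:03:16:00 +0000] "GET /index.html HTTP/1.1" 200 512
cfg-pull.example.org 198.51.100.23 - - [24/Mar/2012:03:17:22 +0000] "GET /config HTTP/1.1" 200 1203
not a log line
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "vhost": m["vhost"].lower(),
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "request": m["request"],
        }


def infected_hosts(records, sinkholed=SINKHOLED_DOMAINS):
    """Aggregate evidence per client IP for hosts that hit a sinkholed domain.

    Traffic to domains the operator does not control (ordinary web hosting on
    the same box) is ignored so it never ends up in a victim notification list.
    """
    report = defaultdict(
        lambda: {"hits": 0, "domains": set(), "first_seen": None, "last_seen": None}
    )
    for r in records:
        if r["vhost"] not in sinkholed:
            continue
        entry = report[r["ip"]]
        entry["hits"] += 1
        entry["domains"].add(r["vhost"])
        if entry["first_seen"] is None or r["ts"] < entry["first_seen"]:
            entry["first_seen"] = r["ts"]
        if entry["last_seen"] is None or r["ts"] > entry["last_seen"]:
            entry["last_seen"] = r["ts"]
    return dict(report)


def format_report(report):
    """One tab-separated line per IP, busiest beaconers first."""
    lines = []
    for ip, e in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        lines.append(
            f"{ip}\thits={e['hits']}\tdomains={','.join(sorted(e['domains']))}\t"
            f"first={e['first_seen'].isoformat()}\tlast={e['last_seen'].isoformat()}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(infected_hosts(parse_log(SAMPLE_LOG))))
```

The output is a list of source IPs with first/last beacon times, which is what a sinkhole operator hands to ISPs so they can notify the subscriber. One caveat worth remembering when reading such a list: a single IP behind NAT can hide many infected machines, and a host that has stopped beaconing is not necessarily clean, so the sinkhole tells you who to notify, not who is cured.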

Just how nasty is the Zeus Botnet? Here's a quote from the current Wikipedia page:
While Zbot is a generic back door that allows full control by an unauthorized remote user, the primary function of Zbot is financial gain - stealing online credentials such as FTP, email, online banking, and other online passwords.
In other words, the bad news is that it's a general-purpose back door: it gives the bad guys total control of your PC, and the main thing they do with that control is harvest the passwords you type into banking, email, and FTP sites.

The good news is that antivirus programs with current signatures can detect and remove the known variants.

The other bit of bad news is that even though antivirus software can detect and remove the bot, it's very hard to tell you've been infected without up-to-date software and signatures.

Zeus is built for stealth: if you're not running current antivirus protection, chances are you'd never know your PC was infected. To the bad guys' credit, it's a well-engineered piece of software, known for its clever design and its ability to stay hidden.

If you're so inclined to learn about the legal proceedings, full details are at: www.zeuslegalnotice.com.