Microsoft takes down servers engaged in the ZeuS banking Trojan botnets
March 26, 2012
A Microsoft-led security operation resulted in the takedown of core servers used in the now infamous ZeuS and SpyEye banking Trojan botnets on March 23.
After months of investigation that culminated in the coordinated seizure of command-and-control servers associated with the botnets and hosted in Scranton, Pennsylvania, and Lombard, Illinois, Microsoft confirmed today that the botnets are down for good and no longer pose a threat.
The action comes after Microsoft filed a lawsuit against no fewer than thirty-nine unnamed parties on March 16, asking for permission to sever the command-and-control structures of these ZeuS botnets. It follows the same tactics as the previous successful takedowns of the Waledac, Rustock and Kelihos spam-distribution botnets back in 2010.
In a public statement, Microsoft described the ZeuS takedown as its most complex to date. It said the action had the "limited and achievable" aim of disrupting the operations of ZeuS-related cybercrime operations rather than decapitating a zombie network, as in previous security operations and takedowns.
Overall, cybercriminals have designed and built hundreds of botnets using variants of the ZeuS malware. For this action, codenamed Operation B-71, Microsoft focused initially on botnets using the ZeuS, SpyEye and Ice-IX variants of the ZeuS family of malware, which are known to cause the most public harm and which experts believe are responsible for nearly half a billion dollars in overall damages.
Due to the unique complexity of these particular targets, unlike our prior botnet takedown operations, the goal here wasn't the permanent shutdown of all impacted targets. Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organization that relies on these botnets for illicit gain.
By definition, ZeuS and SpyEye are essentially cybercrime toolkits for the creation of customised banking Trojans. Those crimeware kits sell for anywhere between $700 and $15,000, depending on the version and features of the malware. Many cybercrime gangs use ZeuS as the launchpad for banking fraud, so there are many different zombie networks in play here at any given time.
In the last year, Microsoft has detected more than 13 million suspected infections of ZeuS and SpyEye-related malware worldwide, with more than 3 million in the United States alone. The malware is designed to infect the Windows operating system and some of its user software such as Office and Outlook.
Friday's takedown action follows months of work by investigators at Microsoft in co-operation with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the National Automated Clearing House Association (NACHA), the U.S. electronic payments association.
Net security firm F-Secure is credited with providing major help in analyzing the malware featured in the operation. U.S. Federal Marshals accompanied security investigators in the raids on two hosting companies, during which servers were seized for subsequent analysis.
Microsoft's statement does not clarify this point, but other reports strongly suggest the hosting firms involved were unwittingly playing host to the key infrastructure associated with the ZeuS botnets rather than acting as accomplices in cybercrime.
The operation resulted in the dismantling of two IP addresses behind the ZeuS command-and-control structure. Microsoft has started monitoring 800 domains secured in the operation, helping it to identify thousands of ZeuS-infected computers.
In other internet security news
Security experts testifying at hearings held by the U.S. Senate Armed Services Committee on internet security have repeatedly warned that maintaining a perimeter defense to keep out cyber spies is untenable, and that the United States should assume that its networks have already been fully penetrated, even where they may not have been.
"We've got the wrong mental model here," said Dr James Peery, director of the Information Systems Analysis Center at Sandia National Laboratories. "I don't think that we could keep spies out of our country. We've got this model for cyber security that says, 'We're going to develop a system where we're not attacked.' I think that we have to go to a model where we assume that the adversary is in our networks," he said.
"It's on our computers and servers, and we've got to operate anyway," said Peery. The committee heard that the U.S. Department of Defense (DoD) operates over 15,000 computer networks with about seven million computing devices, and protecting them against hacking was virtually impossible, particularly in light of the increasing complexity of both the devices themselves and the software that runs on them.
The commercial software industry has, of course, realized that the old idea of a perimeter defense is increasingly useless, and groups such as the Jericho Forum have been working for many years on systems that protect data rather than network boundaries.
Such principles might be a bit blurry to the military mind, but Dr Kaigham Gabriel, current head of DARPA, said that the cost of perimeter control would be huge and most likely ineffective in any case.
"Modern computer systems today will demand the effective use of cyber, kinetic, and the combined cyber and kinetic means," he suggested. "The shelf-life of cyber tools and capabilities is short, sometimes measured in just a few days. To a greater degree than in other areas of Defense, cybersecurity solutions require that the DoD develops the ability to build quickly, at scale, and over a broad range of capabilities."
Overall, cyber arms races are all well and good, but the head of research at the National Security Agency (NSA), Dr Michael Wertheimer, warned that the U.S. is also facing an increasing intelligence gap, as not enough citizens have online-defense skills.
A bit less than two years ago, there were just 726 computer science PhDs awarded to U.S. citizens, and only 64 of them signed up for government work.
In other internet security news
London's Metropolitan Police Service said this morning that it will use software designed in the 1980s to help coordinate the command and communications of its policing operations during the 2012 Summer Olympic Games in London.
Better known as MetOps, the software in question is currently installed in the force's special operations room (SOR), the central control room providing communications support during more than 500 major incidents and events each year, according to a report by London's police into the riots of August of last year.
MetOps, a messaging and recording system, wasn't designed for dynamic incident management, which means that commanders and police officers have no way to view the latest situation in real time during an evolving incident, the report says.
The ageing MetOps software is also not linked directly to the other programs used in the force's central communications centre, known as the computer-aided dispatch (CAD) system.
"This can result in the central communications centre being totally unaware of what is being dealt with within SOR, and conversely SOR being unaware of what is being dealt with through the CAD system," says the report.
The system's serious limitations contributed to a number of issues during the August 2011 riots, the report found, including the inability to monitor key incidents, slow communication with commanders on the ground, the lack of capability to hand over command to the oncoming team and the total inability to log key decisions for future review.
"These significant limitations coupled with the sheer scale of various tasks around the flow of information, communication and coordination of resources posed an immense challenge for those within SOR, particularly on August 8, 2011," the document says.
The process of replacing MetOps is under way and the force has also proposed some temporary solutions, including a new GIS system which is being trialled to assist with the coordination of resources. The Met is also considering adopting software currently used with live crime investigations for SOR.
The question being raised now is why London's police waited until the last minute when they had a whole year to evaluate, plan and design modern software that would have prevented last year's riots. Another question being asked is whether the new software will be ready in time for the Olympics, which are less than four months away, given that it can take up to a year to fully test such complex software once it is available.
The Met's report also highlights the use of CCTV during disturbances. While the document says CCTV proved to be critical to the investigation of offences committed during the riots, it also says that there were significant challenges because of the sheer volume of footage, an estimated 200,000 hours, that had to be thoroughly examined.
The police's response to social media is also examined in the report, which notes that a digital communications steering group has been set up by the Met in response to its struggle to monitor social media in real time during the riots. The group wants to use social media to help the police understand what is going on in the community.
In other internet security news
The U.S. Department of Homeland Security has officially shut down and disabled a domain name registered outside of the United States, through a Canadian registrar, by individuals who are not American citizens.
However, what's truly unique about this particular case is that the U.S. authorities didn't get the domain's registrar to seize the domain. Instead, they ordered Verisign, which manages all .com domains, to void the DNS records for the domain at the .com registry, essentially rendering it useless and non-operational.
And the domain in question, bodog.com, has been in trouble more than once in the past. Bodog happens to be a big name in online gambling everywhere and, as such, it became an attractive target for many who are seeking to stop U.S. citizens gambling online.
When we typed bodog.com in a browser today, it brought us to a page that said the U.S. Department of Homeland Security and the DoJ have seized the domain and rendered it useless.
It was set up and run by Canadian billionaire Calvin Ayre. He, and three others involved with the site, have been indicted on several counts and could be extradited to the United States if the authorities can catch them, and they most likely will.
The indictment accuses the four individuals of violating Maryland law. The site spent a lot of time and effort talking about the money it made outside of the U.S., and the indictment takes particular offence at the hiring of advertisers to promote internet gambling on a wide scale, according to court documents.
"Sports betting is illegal in Maryland and a few other states, and federal law prohibits bookmakers from breaking that law simply because they are located outside the U.S.," said attorney Rod Rosenstein in a statement.
The indictment in question claims that Bodog paid out over $100 million in winnings to U.S. gamblers, in violation of U.S. laws. The company is also accused of spending $42 million to promote the site in various U.S. states, including Maryland.
The move came after an undercover investigation by the FBI, and with the help of a whistleblower who used to work at Bodog.
And Calvin Ayre isn't a sympathetic character at all. He knew full well the laws of the various countries and states he marketed his website in, and certainly had the technological capability to at least make the attempt to block residents of countries in which online gambling is illegal from accessing his website, but instead decided to do nothing.
"I see this as abuse of the U.S. criminal justice system for the commercial gain of large corporations. But it is clear that the online gaming industry is legal under international law," Ayre said in a blog posting.
By going to the root manager of all .com domains and having the records voided, in effect bypassing the domain registrar entirely, the DHS has sent the web a very clear and loud message: anything hosted in the U.S., registered in the U.S., or using a domain whose root is controlled by a U.S. corporation is subject to American law. End of story.
Expect to see a big push from non-American internet service providers of all stripes and colors capitalizing on this event to make "not hosted in America" a major selling point. Indeed, it already is. If your website relies on a .com, .net, .org or other American-controlled domain, and you are not an American company, it may be time to revisit that strategy. All of a sudden, .com domains may have depreciated in value a bit with this event.