Microsoft smashes Zeus and SpyEye botnets with giant RICO bat

Microsoft did it again. Their Digital Crimes Unit in Redmond, Washington, has used technical monitoring and tracking, along with court-authorized asset seizure, to target botnets driven by Zeus.

Codenamed Operation b71, Microsoft worked with the Financial Services – Information Sharing and Analysis Center (FS-ISAC), NACHA (the organization that manages the ACH network used by financial institutions everywhere), malware experts from F-Secure, and the U.S. Marshals in order to accomplish their tasks.

Escorted by the Marshals, Microsoft visited two data centers last Friday, one in Scranton, Pa., and the other in Lombard, Ill., in order to seize command and control (C&C) servers, and take down two IP addresses associated with the Zeus family of botnets, including SpyEye and Ice-IX.

Moreover, Microsoft was given access to 800 domains in order to help identify victims and move the investigation forward. This is the fourth time Microsoft has used the courts to target and take down a massive botnet. Previous actions targeted the Waledac, Rustock and Kelihos botnets.

“With this action, we’ve disrupted a critical source of money-making for digital fraudsters and cyberthieves, while gaining important information to help identify those responsible and better protect victims,” said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit.

The Zeus botnet, later forked into SpyEye and Ice-IX, is blamed for more than $500 million in fraudulent financial transactions. Since 2007, Microsoft has detected more than 13 million suspected infections of the Zeus malware worldwide, including approximately 3 million computers in the United States alone.

The way Microsoft went about things is what makes the takedown interesting. On March 19, Microsoft filed a suit against John Does 1-39, asking the court for permission to sever the command and control structures of these Zeus botnets.

Given that the organizers behind Zeus operate as an organized group, Microsoft was able to apply the Racketeer Influenced and Corrupt Organizations (RICO) Act as the legal basis for this operation.

“We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time,” explained Richard Domingues Boscovich, the senior attorney for the MS DCU.

“Cybercriminals are in this for the money and this action was an unprecedented strike against the illicit infrastructure on which they rely. The operation will help further investigations against those responsible for the threat and help us better protect victims.”

Legal documentation in the case can be found at
