Cybercriminals suffered a serious setback on Friday, when command-and-control servers running some of the most notorious Zeus botnets were seized by authorities. Accompanied by U.S. Marshals and working in collaboration with partner organizations in the financial services industry, Microsoft raided hosting locations in Scranton, Pa., and Lombard, Ill., seizing servers and IP addresses associated with at least 800 domains. The raid was codenamed Operation b71.
Zeus is one of the most prolific forms of malware on the Internet today. Available on the black market as a cybercrime toolkit, Zeus is used by hackers to infect Windows PCs with keylogger software that is designed to capture users' confidential financial information. Each network (or "botnet") of infected computers transmits the stolen data back to the hackers via a command-and-control server.
"With this action, we've disrupted a critical source of money-making for digital fraudsters and cyberthieves, while gaining important information to help identify those responsible and better protect victims," Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit, said in a statement.
According to Microsoft, the company has detected over 13 million suspected Zeus infections worldwide since 2007. While there are multiple variants of Zeus in existence today, the Microsoft-led raid focused on the core Zeus, SpyEye, and Ice-IX variants that the company says may already have caused $500 million in damages.
The concern over Zeus is widespread in the security industry. VeriSign's iDefense security business unit recently identified the Zeus botnet as one of the top cyber security trends of 2011. A major reason: Over the course of the last year, Zeus has evolved into an open source crimeware kit.
"We've always seen a steady evolution of new techniques and tactics by malware authors," said Rick Howard, General Manager of Verisign iDefense. "But the fact that the owner of Zeus released it to the wild, means that now it's out there and every malware author on the planet can learn from it."
Howard noted that any malware author can now put Zeus-like functionality into their own code. He expects that a large amount of malware this year will converge on the same capabilities that are included in Zeus.
In terms of Zeus malware itself, Howard noted the difference between Zeus variants and Zeus augmentations.
"There are people that just take a copy of Zeus and maybe tweak it a little bit for their own purpose and that stuff will be picked up by antivirus engines, so that's the good news," Howard said. "The bad news are the augmentations, where malware authors research Zeus and then just take the functionality and put it in their own malware."
Howard warned that Zeus augmentations are more difficult for antivirus software vendors to detect and prevent.
"There is no silver bullet here," Howard said. "Antivirus catches up eventually for the new augmentations, but they won't be good out of the box. Zeus is a unique event, only because it is one of the most efficient and effective pieces of malware out there and it's available to anybody."