Microsoft Botnet Takeover Marks New Cybercrime-Fighting Strategy


In the recent seizure of botnet-powering servers, Microsoft is using a new strategy to try to lure the masterminds of the illicit network to reveal their identities.

Under the escort of U.S. Marshals, members of Microsoft's digital crime unit on Friday seized servers in offices in Lombard, Ill., and Scranton, Pa. The raid stemmed from a civil lawsuit Microsoft and two industry groups filed against the botnet operators, who remain unidentified.

The botnet consisted of 13 million computers infected with the Zeus family of malware, including 3 million computers in the U.S., according to court papers. Operators of the network are believed to have stolen more than $100 million from financial institutions and other businesses since 2007.

The seizure marked the first time Microsoft did not shut down the operation. In a dramatic shift in tactics, Microsoft decided to keep the system running in order to gather evidence for law enforcement and to try to trick the masterminds into identifying themselves.

"Valuable evidence and intelligence gained in the operation will be used both to help rescue people's computers from the control of Zeus, as well as in an ongoing effort to undermine the cybercriminal organization and help identify those responsible," Richard Boscovich, senior attorney for Microsoft's digital crime unit, said Tuesday in an e-mail sent to CRN.

The Zeus malware tracks a computer user's online activity and records keystrokes, so it can steal the user name and password when a victim visits an online banking site. Variants of the malware used in the botnet included SpyEye and Ice-IX.

In another first for the latest seizure, Microsoft invoked the Racketeer Influenced and Corrupt Organizations Act. The RICO Act is used in cases against organized crime. While no arrests have been made, Microsoft and the other plaintiffs in the lawsuit believe an organization of criminals is behind the botnets.

Microsoft was joined in the suit by the Financial Services Information Sharing and Analysis Center, a nonprofit formed by financial institutions to fight cybercrime, and the NACHA Electronic Payments Association, which manages the network for electronic payments, such as direct deposits and funds transfers.

The latest operation was the fourth high-profile botnet takedown led by Microsoft's Project MARS (Microsoft Active Response for Security) initiative. The previous operation shuttered the Kelihos botnet, which at its peak commandeered 41,000 computers and distributed more than 3.8 billion spam messages a day.