Microsoft completes operation to seize critical Zeus and Spy Eye command and control servers

Microsoft announced today that it had successfully executed a seizure of command control servers that has caused critical disruption for the Zeus and Spy Eye botnet. The Zeus Trojan is a computer infection that quietly sits on an infected computer while monitoring keystrokes in order to steal banking information. Once banking information is obtained, it transmits the login credentials to the remote cybercriminals who then use that information to transfer the infected user's money to accounts under their control. It is estimated that there are over 13 million computers worldwide, with approximately 3 million in US, are infected with this malware. There are also estimates that over $70 million dollars have been stolen via this malware.

On March 23rd, Microsoft in collaboration with the Financial Services Information Sharing and Analysis Center (FS-ISAC), The Electronic Payments Association (NACHA), and Kyrus Tech Inc were escorted by U.S. Marshals to seize control of command & control servers for this banking infection. The servers were located in hosting locations in Scranton, Pa. and Lombard, Ill. This is the second time Microsoft has been involved in a disruption of the Zeus botnet and the first time Microsoft had collaborated with other organizations as part of this take down.

The analysis of these servers will allow Microsoft and its partners to further determine how many and which computers are infected. This information can then be shared with Internet Service Providers and consumer watchdogs to help alerts users that these infections are located on their computer. With information sharing and education, Microsoft hopes to undermine, if not eliminate, the criminal infrastructure behind the Zeus and Spy Eye organization.

Chalk one up for the good guys!

Scranton? Wow that's right in my backyard

Excellent work, it's refreshing to hear when one of these gets kicked out.

Thank you Grinler for this information. I agree with Andrew.

Cast

Both me and my wife bank at Chase. We have seperate accounts. I had to reset my banking password and she needed a new card. Chase won't give an explaination. I wonder if it's connected.

It's very possible that information sharing by MS is causing this to happen.

I have to assume if the people examining the data are able to determine specific accounts that have been compromised that they would share this info with the appropriate people.

How are the notifications going to be sent out? I hope not through email, or we're about to get a new wave of computers to remove malware from. I've just gotten our office into the habit of not trusting half the email they receive. This might set us back again.

I don't know why this hadn't been done years before when these rogue programs first popped up. The adage of "follow the money" and then taking away their money-laundering ability would destroy the profitability of fraudware/scareware/scamware, thus reducing their creation/use.

Most of the time these criminals operate in countries that don't have the same perspective on cybercrime as the USA does.

Yeah, you can say that again. No wonder people are leary of any .ru or .su domain. .Su more so than .Ru, but both make people nervous, I think. I always watch out for them. From the blogs and feeds that I receive every day, it seems that most malware is born in russia. Correct me if I'm wrong though. But on the side, as I train to be an administrator of Microsoft technologies my self, I look forward to the day when I'm in the job, and who knows, maybe I'll be asked to seize a server or two. Nice going, Microsoft! And hopefully, there actually is the disruption that Microsoft hopes there will be. it seems that things don't seem to want to slow down even with this.