Apr. 30, 2012
Microsoft Corp. used a trio of legal tools last month to raid an alleged cybercrime operation that had been using the infamous Zeus virus to steal funds and data from the financial-services industry, the software giant disclosed on Monday. The raids, which Microsoft and partner organizations first announced March 25, involved the seizure of host servers operating in Lombard, Ill., and Scranton, Pa., and disrupted what was said to be networks of zombie-like computers infected with malware and pumping out tens of millions of phishing e-mails.
Speaking about the operation publicly for the first time, Microsoft senior attorney Richard Boscovich said the raids, which involved the cooperation of U.S. Marshals, have allowed the company to track contacts from infected machines and inform the relevant Internet service providers so the devices can be “cleaned.” Such networks of computers, known as botnets, often operate to spread malware and record keystrokes without the knowledge or cooperation of the machines’ owners. They typically check in with, or “ping,” servers operated by cybercriminals in so-called command-and-control centers such as those raided in March.
Working in cooperation with NACHA, the governing organization for the automated clearing house network, and the Financial Services Information Sharing and Analysis Center (FS-ISAC), Microsoft as a private company employed several methods borrowed from the civil law to attack the Zeus botnets, Boscovich said on Monday at a payments conference in Baltimore sponsored by NACHA. These included an ex parte temporary restraining order, the Lanham Act, and the Racketeer Influenced and Corrupt Organizations (RICO) Act. The Lanham Act, which regulates trademarks, allowed the Microsoft-led group to seize the botnet domains on the grounds that they were infringing on the marks of NACHA, FS-ISAC, and others in phishing attacks, Boscovic said. NACHA and FS-ISAC are plaintiffs along with Microsoft in a civil suit against the botnet operators raided last month.
The case also featured the first known use of RICO in a civil case against a botnet. “We wanted to see if we could use a civil RICO approach,” Boscovic said on Monday at a press conference.
As a result of the action, NACHA has seen a 90% reduction in the volume of phishing e-mails using its name, said Jan Estep, the organization’s president and chief executive. That volume had reached some 11.5 million e-mails weekly before the raid, she said, as measured by the number of such e-mails blocked by spam filters. Altogether, the group interfered with command-and-control centers controlling some 3.5 million infected computers.
Boscovic was careful to characterize the action as a “disruption” rather than as what he called a “complete kill.” The criminals behind the botnets could refashion the networks, but will find the effort much more expensive since they will have to re-code their software. “We wanted to disrupt their business model, increase their cost of doing business,” he said. “Every time we do this, it’s going to be more expensive for them to code.”
SPECIAL FEATURERead Digital Transactions Online