Slashdot Mirror


Microsoft Leads Sting Operation Against Zeus Botnets

wiredmikey writes "Microsoft, in what it called its 'most complex effort to disrupt botnets to date,' and in collaboration with partners from the financial services industry, has successfully taken down operations that fuel a number of botnets that make up the notorious Zeus family of malware. In what Microsoft is calling 'Operation b71,' Microsoft and its co-plaintiffs, escorted by U.S. Marshals, seized command and control (C&C) servers in two hosting locations on March 23 in Scranton, Pennsylvania and Lombard, Illinois. The move was to seize and preserve data and evidence from the botnets for the case. In addition to seizing the C&C servers, the group took down two IP addresses behind the Zeus command and control structure, and secured 800 domains that Microsoft is now monitoring and using to help identify computers infected by Zeus."
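
The summary says the 800 secured domains are being monitored to identify infected machines. That is sinkholing: once the seized C&C hostnames resolve to a server the plaintiffs control, every bot that still checks in reveals its source address. The following is an added example, not code from the article or from Operation b71; it assumes the sinkhole runs a web server writing combined-format access logs with the Host header appended, and the domain list and log lines are constructed for illustration.

```python
"""Identify infected hosts from sinkhole request logs.

Added example, not from the original article or from Microsoft's Operation b71
tooling. It assumes the seized C&C domains now point at a sinkhole web server
whose access log is in combined log format with the Host header appended as a
final quoted field; the domain list and log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed: stand-ins for domains taken over and monitored after the seizure.
SINKHOLED_DOMAINS = {"cc-example-1.test", "cc-example-2.test"}

# Constructed sample lines; a real sinkhole also sees unrelated traffic.
SAMPLE_LOG = """\
198.51.100.23 - - [23/Mar/2012:14:02:11 +0000] "POST /gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0" "cc-example-1.test"
198.51.100.23 - - [23/Mar/2012:14:07:13 +0000] "POST /gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0" "cc-example-1.test"
203.0.113.9 - - [23/Mar/2012:14:03:40 +0000] "GET /config.bin HTTP/1.1" 200 4096 "-" "Mozilla/4.0" "cc-example-2.test"
192.0.2.77 - - [23/Mar/2012:14:04:05 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0" "www.unrelated.test"
198.51.100.23 - - [23/Mar/2012:14:12:09 +0000] "POST /gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0" "cc-example-2.test"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def infected_hosts(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Group sinkhole hits by client IP.

    Only requests whose Host header names a sinkholed domain count, so scanner
    noise and typo domains landing on the same server are ignored.
    Returns {ip: {"first": ts, "last": ts, "hits": n, "domains": set, "paths": set}}.
    """
    hosts = defaultdict(lambda: {"first": None, "last": None, "hits": 0,
                                 "domains": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"].lower() not in sinkholed:
            continue
        h = hosts[rec["ip"]]
        h["hits"] += 1
        h["domains"].add(rec["host"].lower())
        h["paths"].add(rec["path"])
        if h["first"] is None or rec["ts"] < h["first"]:
            h["first"] = rec["ts"]
        if h["last"] is None or rec["ts"] > h["last"]:
            h["last"] = rec["ts"]
    return dict(hosts)


if __name__ == "__main__":
    for ip, info in sorted(infected_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {info['hits']} hits, {len(info['domains'])} sinkholed domain(s), "
              f"{info['first']:%H:%M:%S} - {info['last']:%H:%M:%S}, paths={sorted(info['paths'])}")
```

The source address is what gets handed to ISPs or CERTs for victim notification; the request path and User-Agent are what let an analyst distinguish a live bot check-in from a researcher or crawler poking at the same hostname.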

59 of 114 comments

  1. Congratulations by Anonymous Coward · · Score: 5, Interesting

    It seems that Microsoft has become a good guy while Apple is rapidly becoming a goat. ... Or have I spoken too soon?

    1. Re:Congratulations by epe · · Score: 1

      Sorry, but the point, I think, is for Microsoft not only to "sting" the servers and find the infected computers... what are they doing in order to prevent those computers from becoming infected? I think the problem should be addressed from several sides... stinging the command and control will only bring relief for some time... in a few days or weeks, another virus or trojan will infect PCs again and so on... what is Microsoft doing in order to keep PCs from being infected?

    2. Re:Congratulations by jelle · · Score: 1

      Bastards!

      But he won anyway, because he learned a valuable lesson about Microsoft...

      --
      --- Hindsight is 20/20, but walking backwards is not the answer.
    3. Re:Congratulations by WrongSizeGlass · · Score: 3, Funny

      It seems that Microsoft has become a good guy while Apple is rapidly becoming a goat. ... Or have I spoken too soon?

      Microsoft didn't just do this to be a "good guy". Microsoft's been able to take this step by arguing that the botnet operators have been violating its trademarks and damaging its reputation.

    4. Re:Congratulations by OldHawk777 · · Score: 1

      Well, it looks like Microsoft (corporate) law enforcement is part of USA culture. Today, USA=CSA, Corporate States of America.

      The USA government has the organic ability to provide law enforcement muscle domestically and globally.
      The CSA government has the organic ability to provide law enforcement cronyism domestically and globally.
      Together they will shape US and the world accordingly. IOW: Might makes rights

      --
      Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
    5. Re:Congratulations by justforgetme · · Score: 1

      Relax, this isn't actually something newsworthy.

      Every month Microsoft crowns itself the obliterator of botnets for some weird reason. None of the stories are ever heard of a few days later.
      Nothing really will change, a publicity stunt is what a publicity stunt is. And if you have to ask... You lost "just because"

      --
      -- no sig today
    6. Re:Congratulations by nemasu · · Score: 2

      Well, there are a lot of Apple fanatics that probably would pass as bots. Does that count?

      --
      I made an app! Shoutium
  2. Re:Physical Seizures? by Anonymous Coward · · Score: 1

    Welcome to America, where the state is a Corporation

  3. As a linux fanboi it sticks in my throat but.. by Chrisq · · Score: 5, Insightful

    As a linux fanboi it sticks in my throat but well done Microsoft.

    1. Re:As a linux fanboi it sticks in my throat but.. by Anonymous Coward · · Score: 2, Insightful

      I could've written your post myself. I'm no M$ fan, but kudos to them on this one. Now cue the usual Slashdot mob, who'll defend the bot herders, bash Windows security (NO operating system is secure when run by a person hell-bent & determined to fuck up his own computer), all corporations, and the United States in general...

    2. Re:As a linux fanboi it sticks in my throat but.. by amiller2571 · · Score: 1

      The only problem is, for every botnet they take down two more will take its place. That, or the ones they take down will just come back up somewhere else.

    3. Re:As a linux fanboi it sticks in my throat but.. by hjf · · Score: 1, Insightful

      With that attitude, why do you shower? you're going to get dirty again. why do you eat? You'll get hungry again. Why do you live? Kill yourself now, you're going to die anyway.

    4. Re:As a linux fanboi it sticks in my throat but.. by Billly+Gates · · Score: 1

      Just because you do not like a company's products does not mean you can't applaud their actions or maybe even a product that doesn't suck made by them?

      I do not know anyone who likes all of Microsoft's products. Even Windows fanboys hate older IE or Exchange.

      I disliked MS greatly a decade ago and viewed them as dangerous. IE 6 scared the crap out of me, seeing what it would do to interoperability of CSS standards. I even wished Apple would have won over Windows a decade ago too. ... Fast forward to today and we see how evil Apple is. MS never was that insane with suing competitors and taking products off of the market. Google is already introducing quirks in JavaScript and adding their own web standards, and no doubt in my mind would turn Chrome into their IE 6 with scripting and APIs instead of CSS subversion.

      Every company is only evil if there is no competition. MS today doesn't scare me and I do like some of their products. I am typing this on Chrome, but IE 9 is a decent browser and nothing like 6 and I do like Excel, Powerpoint, and .NET.

      You can still hate the company but love some of their products or applaud their actions when they are no longer a monopoly force to be reckoned with.

    5. Re:As a linux fanboi it sticks in my throat but.. by Billly+Gates · · Score: 1

      MS has cleaned up their OS and made it secure.

      The issue is its users *ahem* corporate America *ahem* who still use 10-year-old operating systems. You know, the ones who say on Slashdot it's fine, so why upgrade?

      Then get all mad that the OS is insecure when it was released in 2001.

      Windows 7 has DEP, ASLR, and sandboxing in IE 8/IE 9. Firefox does not even support sandboxing yet which is why I quit using it a year ago when 4.0 came out. In many ways Windows 7 is the most secure OS out there today. If you bash it try something recent. ... PS in 2001 Linux required you to be root in order to use your modem to dial into the internet to use Netscape. Gee, that is not a security threat. LOL.

      I did not know as much about computers then as today but I knew that was definitely not right and bad. Linux has not done that in 10 years, but since you are comparing a 10 year old version of Windows I will compare it to a version of Linux from that time frame.

    6. Re:As a linux fanboi it sticks in my throat but.. by eldorel · · Score: 1

      PS in 2001 Linux required you to be root in order to use your modem to dial into the internet to use Netscape

      I'm not sure where you got this idea, but no, it didn't.

      Perhaps some distributions did, but I was using gentoo and redhat on my laptop at that time and neither one required root to dial.

    7. Re:As a linux fanboi it sticks in my throat but.. by interkin3tic · · Score: 1

      As a linux fanboi it sticks in my throat but well done Microsoft.

      Odd method of typing there...

    8. Re:As a linux fanboi it sticks in my throat but.. by amiller2571 · · Score: 1

      I never said that we should not try and stop them. I'm only pointing out that what we are doing now is not working.

  4. Re:Physical Seizures? by Anonymous Coward · · Score: 5, Informative

    The US Marshals performed the seizures. Did you not RTFA?

  5. Re:Physical Seizures? by Anonymous Coward · · Score: 1

    A corporation did not seize private property. The government did: http://www.zeuslegalnotice.com/images/TRO_Seizure_Order_Part_1.pdf

    Keep the tinfoil handy though!

  6. Re:Physical Seizures? by Anonymous Coward · · Score: 1

    Well, it says they had US Marshals with them. In the same way as a bank can come with the local Sheriff to repossess a home from folks that haven't been paying. It isn't even an issue; it is the way this stuff works. It is interesting that you think it is an issue though. Would you - as a private party or as an agent of a corporation - want to send a Marshal or Sheriff to get some item without having your representative on scene to be sure it was the right item and that it wasn't damaged?

  7. Re:Physical Seizures? by Anonymous Coward · · Score: 1

    You know how you can punch someone in the face and then they can sue you to take all your stuff? That's how. The people running these things are causing damage to Microsoft and its customers. A better question is why is this question asked every time Microsoft takes down a botnet?

  8. Re:Physical Seizures? by poetmatt · · Score: 1

    I wouldn't doubt that it'd be that hard to get a warrant in this case with Microsoft helping to gather the information.

  9. Re:Physical Seizures? by Nyder · · Score: 5, Informative

    TFA:

    Microsoft has conducted physical seizures

    Since when can a CORPORATION perform seizures of private property???

    When it gets a court order and has proper officials (in this case, US Marshals) with them, like it appears happened.

    --
    Be seeing you...
  10. Re:Physical Seizures? by rednip · · Score: 1

    Since when can a CORPORATION perform seizures of private property???

    Maybe the warrant was written that way, or perhaps the authorities used them as specialists. However, as tow truck drivers seize private property every day, I suspect that it's not as big of a hurdle as you believe.

    --
    The force that blew the Big Bang continues to accelerate.
  11. Re:First by alphatel · · Score: 1

    First

    Your botnet proxy was surely seized for your post to be so not first.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  12. Re:Physical Seizures? by Nyder · · Score: 1

    Welcome to America, where the state is a Corporation

    Welcome to the United* Corporations of America.

    *United only in the idea that people live to make them profits.

    --
    Be seeing you...
  13. Great, first EA makes it difficult... by deroby · · Score: 2

    .. now Microsoft takes the servers down completely. As if I haven't got enough problems to get C&C:Generals to play on-line as it is.

    --
    If there is one thing to be learned on slashdot, it has to be sarcasm.
  14. Botnets steal your computer by jfdavis668 · · Score: 1

    Remember, these botnets are using the hacked PCs against the owners' will, without their knowledge. I don't have a problem with the police seizing the controllers.

    1. Re:Botnets steal your computer by eldorel · · Score: 1

      I have a problem with the police/a corporation seizing the computer of some small business that probably had nothing to do with the bot net.

      What if the control servers were still using public IRC servers, should microsoft be allowed to seize freenode?
      What if they were using public services as C&C?
      What about AC slashdot comments , spam messages on blogger, random twitter accounts, or even a .gov?

      Seized equipment disappears for years at a time, and if a business doesn't have IT that can notice a botnet, what makes you think they have backups?

  15. Dunder Mifflin? by nthitz · · Score: 5, Funny

    Scranton PA? Surely those guys over at Dunder Mifflin didn't have anything to do with it!

    1. Re:Dunder Mifflin? by BetaDays · · Score: 1

      Dwight coordinated everything between MS and local law enforcement.

      --
      Paul: Father... father, the sleeper has awakened! - Dune
  16. Re:Physical Seizures? by Anonymous Coward · · Score: 2

    The operation is the second time Microsoft has conducted physical seizures in a botnet takedown operation, and is the first known time the Racketeer Influenced and Corrupt Organizations (RICO) Act has been applied as the legal basis in a consolidated civil case to charge all those responsible in the use of a botnet.

    There ya go, lazy-ass AC.

  17. Re:Physical Seizures? by Oswald+McWeany · · Score: 5, Funny

    I probably shouldn't be admitting this online- but I am part of Microsoft's counter-terror department. We are a highly trained SWAT team that risks our life daily raiding LINUX farms. Our safety demands daily communication using Windows phones; it is one of the most dangerous jobs in the country.

    We are highly trained in many ways to take on any situation needed. Even take out the Prez if he threatens to sign any bill that would not be favourable of Microsoft. We constantly run into our major foe, Apple, and fight hand-to-hand combat in the street and the patent office.

    After announcing this initiative, I am in grave danger. Within a few weeks I will be tracked by other operatives by the GPS on my windows phone... if the battery doesn't die first.

    --
    "That's the way to do it" - Punch
  18. Operation B 52's ... by yvesdandoy · · Score: 1

    www.youtube.com/watch?v=szhJzX0UgDM

    1. Re:Operation B 52's ... by amiller2571 · · Score: 1

      www.youtube.com/watch?v=szhJzX0UgDM

      I knew not to check out that link... but I just could not help myself and now I'm scared :(

  19. Re:Physical Seizures? by jellomizer · · Score: 1

    I don't think there is a rule saying that an outside entity can't do the search, if they enter with the appropriate warrant. I mean, we can have Private Investigators do searches; it would make sense when investigating digital data that law enforcement brings experts to let them know what to look for. Otherwise you get a bunch of cops tearing a building apart and not really knowing what to use and what to ignore.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  20. Re:Physical Seizures? by amiller2571 · · Score: 1, Informative

    Microsoft and its co-plaintiffs, escorted by U.S. Marshals

    It also contains this :P

  21. If it only helped... by Opportunist · · Score: 5, Interesting

    Have to remain vague to be in accordance with NDAs, but I've been part of such a sting before. On the "good" side, don't get your panties in a knot. It's not as glamorous as it may look at first (it's decidedly NOT like on TV to raid a server hoster). We went in, we cashed in the servers, we went back out, all with the aid of the hoster who, in turn, didn't do anything wrong but was required to cooperate, and did so quite easily. You wave that warrant in front of their nose and they do whatever you want (as long as it's in the warrant, of course).

    Before we had the servers dissected and analyzed, the bot herders rerouted to other controlling servers. It's like playing whack-a-mole. The time wasted to get every kind of evidence collected so everything's in order and you get the necessary paperwork ready is a billion times what's needed for the other side to switch over to new servers. And they know that bloody well.

    Before you get the wrong idea, the solution is NOT to eliminate due process and let me go nuts on every server hoster in the country, seizing servers as I please. This is not going to do any good. Or rather, do more ill than good. The solution is on the client's side. It's trivial to come up with something that can analyze network traffic and identify bot traffic. Of course, such a device has to be under the control of the customer. Not the ISP. The field for abuse is even wider there. Require people to monitor their traffic. Net access is no more a right than the right to drive a car, and here you have to make sure that your car does not cause trouble to other participants in traffic, why should that not apply for the internet?

    This can easily be rolled into a little box that gets updates regularly from its maker, with the current markers for bot traffic, not unlike how we deal with malware on computers already. Just that this time the box is not prone to user idiocy, clicking "yeah, go on" whenever some trojan wants a new home.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
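
The "little box" in the post above would need two things: a marker feed (known C&C hostnames) and a way to recognise check-in traffic that no marker covers yet. The following is an added example, not code from the poster or from any product. It assumes the box sees a flow log of (timestamp, source IP, destination host, bytes out) and that the maker pushes a hostname list as updates; every hostname, address and flow record below is constructed. The second detector exploits a property most bots share and browsing does not: contacts to one destination at a near-constant interval with a near-constant payload size.

```python
"""Flag bot-like beaconing in outbound connection records.

Added example, not from the original post or any product; it sketches the
detection a customer-controlled "box" as described above could run. Assumes a
flow log of (timestamp, source IP, destination host, bytes out) and an
updatable marker list of known C&C hostnames. All hostnames, IPs and flows
below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed marker feed: the kind of list a box maker would push as updates.
CC_MARKERS = {"cc-example.test"}

# Constructed flow records: "ts,src,dst,bytes_out"
SAMPLE_FLOWS = """\
2012-03-23T14:00:00,10.0.0.5,cc-example.test,512
2012-03-23T14:05:01,10.0.0.5,cc-example.test,510
2012-03-23T14:10:00,10.0.0.5,cc-example.test,514
2012-03-23T14:15:02,10.0.0.5,cc-example.test,511
2012-03-23T14:00:30,10.0.0.7,unknown-host.test,480
2012-03-23T14:10:31,10.0.0.7,unknown-host.test,482
2012-03-23T14:20:29,10.0.0.7,unknown-host.test,479
2012-03-23T14:30:30,10.0.0.7,unknown-host.test,481
2012-03-23T14:01:00,10.0.0.9,news.example.test,20000
2012-03-23T14:02:37,10.0.0.9,news.example.test,153000
2012-03-23T14:09:12,10.0.0.9,news.example.test,8000
"""


def parse_flows(text):
    """Parse the constructed CSV flow format into (datetime, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst.lower(), int(nbytes)))
    return flows


def beacon_score(times, sizes):
    """Return (interval_cv, size_cv) for a chronologically sorted contact sequence.

    Coefficient of variation (stdev / mean) near 0 means a metronome-like
    schedule with a fixed-size payload, which is what check-in traffic looks
    like and browsing does not. None if there are too few samples to judge.
    """
    if len(times) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if mean(gaps) <= 0 or mean(sizes) <= 0:
        return None
    return pstdev(gaps) / mean(gaps), pstdev(sizes) / mean(sizes)


def detect(flows, markers=CC_MARKERS, max_interval_cv=0.05, max_size_cv=0.05):
    """Return {(src, dst): reason} for pairs that hit a marker or look like beacons."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    findings = {}
    for pair, recs in by_pair.items():
        src, dst = pair
        if dst in markers:
            findings[pair] = "known C&C marker"
            continue
        recs.sort()  # chronological order before measuring gaps
        score = beacon_score([t for t, _ in recs], [n for _, n in recs])
        if score and score[0] <= max_interval_cv and score[1] <= max_size_cv:
            findings[pair] = f"beaconing (interval cv={score[0]:.3f}, size cv={score[1]:.3f})"
    return findings


if __name__ == "__main__":
    for (src, dst), why in sorted(detect(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{src} -> {dst}: {why}")
```

The periodicity check is deliberately a heuristic: NTP, antivirus updaters and mail polling beacon too, so in practice the box would also need an allowlist, and a bot author can defeat it by adding jitter to the check-in interval. That is why the marker feed and the behavioural check complement each other rather than either standing alone.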
    1. Re:If it only helped... by jojoba_oil · · Score: 1

      Of course, such a device has to be under the control of the customer. Not the ISP.

      This can easily be rolled into a little box that gets updates regularly from its maker, with the current markers for bot traffic, not unlike how we deal with malware on computers already. Just that this time the box is not prone to user idiocy, clicking "yeah, go on" whenever some trojan wants a new home.

      So on the one hand, you say you want to put control into the hands of the user to avoid the ISPs. Then you follow that by saying you want to put control into the hands of the maker to avoid the idiocy of the users.

      This doesn't quite make sense to me. Why should we assume the makers of an anti-botnet box are any better than ISPs?

    2. Re:If it only helped... by Opportunist · · Score: 1

      Good point. An open source solution would probably be best, coupled with a source where you can buy updated botnet identifications.

      The detail should be fleshed out, but I think the idea itself is sound.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:If it only helped... by fast+turtle · · Score: 1

      tell me how the common bobby quickshot is going to be able to identify botnet traffic from his connection when he's barely literate enough to play farmville on FB? IMO it's become a real crime that MS still can't follow the simple "Deny All" policy and ask the user if they want to allow before allowing anything to happen. Yes it'll teach another bunch of Joe Sixpacks and Bobby Quickshots to simply click O'kay and at that point, the ISP does need to get involved and start isolating these idiots from the general net as some are doing. The big question there is "Will this help?" IDK & IDC so long as it keeps them from spamming me.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    4. Re:If it only helped... by JDG1980 · · Score: 1

      IMO it's become a real crime that MS still can't follow the simple "Deny All" policy and ask the user if they want to allow before allowing anything to happen.

      That's pretty much what UAC already does.

    5. Re:If it only helped... by Terwin · · Score: 1

      Of course, such a device has to be under the control of the customer. Not the ISP.

      This can easily be rolled into a little box that gets updates regularly from its maker, with the current markers for bot traffic, not unlike how we deal with malware on computers already. Just that this time the box is not prone to user idiocy, clicking "yeah, go on" whenever some trojan wants a new home.

      So on the one hand, you say you want to put control into the hands of the user to avoid the ISPs. Then you follow that by saying you want to put control into the hands of the maker to avoid the idiocy of the users.

      This doesn't quite make sense to me. Why should we assume the makers of an anti-botnet box are any better than ISPs?

      Well, to start with, the ISP can cut you off from the internet, possibly with a false allegation.
      The maker of the bot detection box can... stop sending you updates?
      If you have problems with the box, you probably have more choice than with your ISP, not to mention that you can just remove the box from the loop if it is giving you problems.
      It is much harder to remove your ISP from the loop, particularly when they are the only service provider in your area...

    6. Re:If it only helped... by CannonballHead · · Score: 1

      And everyone clicks "Allow" anyways :)

    7. Re:If it only helped... by bws111 · · Score: 1

      Nonsense. You have a right to free speech, that is true. You do not have a right to access your preferred method of making your speech. For instance, you have no 'right' to broadcast on radio or TV.

  22. Re:Physical Seizures? by Rogerborg · · Score: 5, Funny

    Ah, so you have a Windows phone! Now we just need to figure out who the other guy is.

    --
    If you were blocking sigs, you wouldn't have to read this.
  23. Re:Physical Seizures? by sattu94 · · Score: 1

    Aaahh..
    So you've probably faced the man with the long beard and two katanas? You probably have, you cant miss his friend with the red cape in the balloon.

  24. Re:Microsoft CAUSES botnets by hjf · · Score: 4, Interesting

    I had a linux server owned (rootkitted, had to reinstall completely), and it became part of a spam sending botnet.

    So, fuck you.

  25. Re:Microsoft CAUSES botnets by Errtu76 · · Score: 1

    You should've updated your system, checked logfiles, run chkrootkit on a regular basis, etc. Otherwise, you're no better than people running unpatched Windows desktops.

  26. Re:Physical Seizures? by adisakp · · Score: 1

    Even take out the Prez if he threatens to sign any bill that would not be favourable of Microsoft.

    Microsoft has a British Counter-Terror Department?

  27. Re:Physical Seizures? by Oswald+McWeany · · Score: 1

    My cover is as a British person.

    --
    "That's the way to do it" - Punch
  28. Re:In what way is this a 'sting'? by MadMaverick9 · · Score: 1

    In law enforcement, a sting operation is a deceptive operation designed to catch a person committing a crime.

    http://en.wikipedia.org/wiki/Sting_operation

  29. Re:Microsoft CAUSES botnets by hjf · · Score: 1

    Whoossshh...

  30. Re:In what way is this a 'sting'? by Iphtashu+Fitz · · Score: 1

    In law enforcement, a sting operation is a deceptive operation designed to catch a person committing a crime.

    Again, in what way was this a sting? There was no deception involved, at least none that was mentioned in the article. The headline says it was a sting, but nowhere in the article is there any mention of any sort of deception. In fact the article really says nothing at all about how they identified the C&C hosts that were seized. Typically researchers locate C&C servers by analyzing the network traffic to/from a compromised server. How does network analysis equate to deception?

  31. Re:Physical Seizures? by snobody · · Score: 1

    When they are escorted by U.S. Marshals, presumably with a valid search warrant.

  32. Re:'Monitoring' by Anonymous Coward · · Score: 1

    You realize that what you're suggesting is tens of thousands of felonies, right? Try to control your zealotry and apply some rational thought before posting idiocy like this.

  33. Re:BS by Kalriath · · Score: 1

    Not elevated at all - bots only need to get in at the user level, and a moron can just as easily infect a Linux machine in the same way. The problem is the users, not the OS.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  34. Re:Physical Seizures? by kmoser · · Score: 1

    When non-government representatives set foot on what is essentially an alleged crime scene, they could tamper with the evidence and/or taint the crime scene (even inadvertently). Having LEO on the scene is no guarantee this won't happen.