Forgot your password?
typodupeerror
Botnet Microsoft News

Microsoft Leads Sting Operation Against Zeus Botnets 114

Posted by samzenpus
from the don't-bot-me-bro dept.
wiredmikey writes "Microsoft, in what it called its 'most complex effort to disrupt botnets to date,' and in collaboration with partners from the financial services industry, has successfully taken down operations that fuel a number of botnets that make up the notorious Zeus family of malware. In what Microsoft is calling 'Operation b71,' Microsoft and its co-plaintiffs, escorted by U.S. Marshals, seized command and control (C&C) servers in two hosting locations on March 23 in Scranton, Pennsylvania and Lombard, Illinois. The move was to seize and preserve data and evidence from the botnets for the case. In addition to seizing the C&C servers, the group took down two IP addresses behind the Zeus command and control structure, and secured 800 domains that Microsoft is now monitoring and using to help identify computers infected by Zeus."
This discussion has been archived. No new comments can be posted.

Microsoft Leads Sting Operation Against Zeus Botnets

Comments Filter:
  • Congratulations (Score:5, Interesting)

    by Anonymous Coward on Monday March 26, 2012 @08:39AM (#39473475)

    It seems that Microsoft has become a good guy while Apple is rapidly becoming a goat. ... Or have I spoken too soon?

    • by epe (851815)

      sorry but the point, I think, is for microsoft not only to "sting" the servers and finding the infected computers.... what are they doing in order to prevent those computers to become infected? I think the problems should be addressed from several parts.. stinging the command and control will only relief for some time... in a few days or weeks, another virus or trojan will infect pcs again and so on... what is Microsoft doing in order to avoid PCs to be infected.

      • by OldHawk777 (19923) *

        Well it looks like microsoft (corporate) law enforcement is part of USA culture. Today, USA=CSA Corporate States of America.

        The USA government has the organic ability to provide law enforcement muscle domestically and globally.
        The CSA government has the organic ability to provide law enforcement cronyism domestically and globally.
        Together they will shape US and the world accordingly. IOW: Might makes rights

      • Relax, this isn't actually something newsworthy.

        Every month Microsoft crowns itself the obliterator of botnets for some weird reason. All stories are never heard of a few days later.
        Nothing really will change, a publicity stunt is what a publicity stunt is. And if you have to ask... You lost "just because"

    • by WrongSizeGlass (838941) on Monday March 26, 2012 @10:28AM (#39474759)

      It seems that Microsoft has become a good guy while Apple is rapidly becoming a goat. ... Or have I spoken too soon?

      Microsoft didn't just do this to be a "good guy". Microsoft's been able to take this step by arguing that the botnet operators have been violating its trademarks and damaging its reputation [tgdaily.com].

    • by Pope (17780)

      It seems that Microsoft has become a good guy while Apple is rapidly becoming a goat. ... Or have I spoken too soon?

      Let me know when thousands of machines running OS X are being used as C&C servers for botnets. Talk about false equivalency.

      • by nemasu (1766860)
        Well, there are a lot of Apple fanatics that probably would pass as bots. Does that count?
  • by Chrisq (894406) on Monday March 26, 2012 @08:46AM (#39473547)
    As a linux fanboi it sticks in my throat but well done Microsoft.
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      I could've written your post myself. I'm no M$ fan, but kudos to them on this one. Now cue the usual Slashdot mob, who'll defend the bot herders, bash Windows security (NO operating system is secure when run a by a person hell-bent & determined to fuck up his own computer) all corporations, and the United States in general...
      • by Ihmhi (1206036)

        It's about as good as PR as any. They coded an OS with more holes than a termite-infested house, lied about making a brand-spanking new one from scratch (Vista), and loads of other fuckups that generally make Windows a security nightmare. So this kinda stuff makes them look tough on Internets crime, when really the best way to solve it would be to make their OS, browser, etc. a hell of a lot safer.

    • Just because you do not like a company's products does not mean you can't applaud their actions or maybe even a product that doesn't suck made by them?

      I do not know anyone who likes all of Microsofts products. Even Windows fanboys hate older IE or Exchange.

      I disliked MS greatly a decade ago and viewed them as dangerous. IE 6 scared the crap out of me and seeing what it would do to interopability of CSS standards. I even wished Apple would have won over Windows a decade ago too. ... fast forward today and we

    • As a linux fanboi it sticks in my throat but well done Microsoft.

      Odd method of typing there...

  • .. now Microsoft takes the servers down completely. As if I haven't got enough problems to get C&C:Generals to play on-line as it is.

  • Remember, these botnets are using the hacked PCs against the owners will, without their knowledge. I don't have a problem with the police seizing the controllers.
    • by eldorel (828471)
      I have a problem with the police/a corporation seizing the computer of some small business that probably had nothing to do with the bot net.

      What if the control servers were still using public IRC servers, should microsoft be allowed to seize freenode?
      What if they were using public services as C&C?
      What about AC slashdot comments , spam messages on blogger, random twitter accounts, or even a .gov?

      Seized equipment disappears for year at a time, and if a business doesn't have IT that can notice a bot
  • by nthitz (840462) on Monday March 26, 2012 @09:05AM (#39473727)
    Scranton PA? Surely those guys over at Dunder Mifflin didn't have anything to do with it!
  • www.youtube.com/watch?v=szhJzX0UgDM

    • www.youtube.com/watch?v=szhJzX0UgDM

      I knew not to check out that link,,, but I just could not help myself and now I scared :(

  • If it only helped... (Score:5, Interesting)

    by Opportunist (166417) on Monday March 26, 2012 @09:24AM (#39473929)

    Have to remain vague to be in accordance of NDAs, but I've been part of such a sting before. On the "good" side, don't get your panties in a knot. It's not as glamorous as it may look at first (it's decidedly NOT like on TV to raid a server hoster). We went in, we cashed in the servers, we went back out, all with the aid of the hoster who, in turn, didn't do anything wrong but was required to cooperate, and did so quite easily. You wave that warrant in front of their nose and they do whatever you want (as long as it's in the warrant, of course).

    Before we had the servers dissected and analyzed, the bot herders rerouted to other controlling servers. It's like playing whack-a-mole. The time wasted to get every kind of evidence collected so everything's in order and you get the necessary paperwork ready is a billion times what's needed for the other side to switch over to new servers. And they know that bloody well.

    Before you get the wrong idea, the solution is NOT to eliminate due process and let me go nuts on every server hoster in the country, seizing servers as I please. This is not going to do any good. Or rather, do more ill than good. The solution is on the client's side. It's trivial to come up with something that can analyze network traffic and identify bot traffic. Of course, such a device has to be under the control of the customer. Not the ISP. The field for abuse is even wider there. Require people to monitor their traffic. Net access is no more a right than the right to drive a car, and here you have to make sure that your car does not cause trouble to other participants in traffic, why should that not apply for the internet?

    This can easily be rolled into a little box that gets updates regularly from its maker, with the current markers for bot traffic, not unlike how we deal with malware on computers already. Just that this time the box is not prone to user idiocy, clicking "yeah, go on" whenever some trojan wants a new home.

    • Of course, such a device has to be under the control of the customer. Not the ISP.

      This can easily be rolled into a little box that gets updates regularly from its maker, with the current markers for bot traffic, not unlike how we deal with malware on computers already. Just that this time the box is not prone to user idiocy, clicking "yeah, go on" whenever some trojan wants a new home.

      So on the one hand, you say you want to put control into the hands of the user to avoid the ISPs. Then you follow that by saying you want to put control into the hands of the maker to avoid the idiocy of the users.

      This doesn't quite make sense to me. Why should we assume the makers of an anti-botnet box are any better than ISPs?

      • Good point. An open source solution would probably be best, coupled with a source where you can buy updated botnet identifications.

        The detail should be fleshed out, but I think the idea itself is sound.

      • by Terwin (412356)

        Of course, such a device has to be under the control of the customer. Not the ISP.

        This can easily be rolled into a little box that gets updates regularly from its maker, with the current markers for bot traffic, not unlike how we deal with malware on computers already. Just that this time the box is not prone to user idiocy, clicking "yeah, go on" whenever some trojan wants a new home.

        So on the one hand, you say you want to put control into the hands of the user to avoid the ISPs. Then you follow that by saying you want to put control into the hands of the maker to avoid the idiocy of the users.

        This doesn't quite make sense to me. Why should we assume the makers of an anti-botnet box are any better than ISPs?

        Well, to start with, the ISP can cut you off from the internet, possibly with a false allegation.
        The maker of the bot detection box can... stop sending you updates?
        If you have problems with the box, you probably have more choice than with your ISP, not to mention that you can just remove the box from teh loop if it is giving you problems.
        It is much harder to remove your ISP from the loop, particularly when they are the only service provider in your area...

    • tell me how the common bobby quickshot is going to be able to identify botnet traffic from his connection when he's barely literate enough to play farmville on FB? IMO it's become a real crime that MS still can't follow the simple "Deny All" policy and ask the user if they want to allow before allowing anything to happen. Yes it'll teach another bunch of Joe Sixpacks and Bobby Quickshots to simply click O'kay and at that point, the ISP does need to get involved and start isolating these idiots from the gene

      • by JDG1980 (2438906)

        IMO it's become a real crime that MS still can't follow the simple "Deny All" policy and ask the user if they want to allow before allowing anything to happen.

        That's pretty much what UAC already does.

  • The slang term 'sting' means a swindle or fraud. This article doesn't mention any of that - just that Microsoft again seized C&C servers for the botnet. They likely determined which servers were providing C&C for the botnet by good old fashioned detective work, not some elaborate con perpetrated against the operators of the botnet.

    • In law enforcement, a sting operation is a deceptive operation designed to catch a person committing a crime.

      http://en.wikipedia.org/wiki/Sting_operation [wikipedia.org]

      • In law enforcement, a sting operation is a deceptive operation designed to catch a person committing a crime.

        Again, in what way was this a sting? There was no deception involved, at least none that was mentioned in the article. The headline says it was a sting, but nowhere in the article is there any mention of any sort of deception. In fact the article really says nothing at all about how they identified the C&C hosts that were seized. Typically researchers locate C&C servers by analyzing the network traffic to/from a compromised server. How does network analysis equate to deception?

  • ...domains that Microsoft is now monitoring and using to help identify computers infected by Zeus.

    No, really, that's all they're doing. They're not looking at anything else on those computers. They're not using Zeus as a backdoor to access anything else. I promise.

    • by Anonymous Coward

      You realize that what you're suggestion is tens of thousands of felonies, right? Try to control your zealotry and apply some rational thought before posting idiocy like this.

You had mail, but the super-user read it, and deleted it!

Working...