Microsoft to keep control of two Zeus botnets for two years

In March, Microsoft launched what it called "Operation b71", in which it teamed up with US law enforcement officials to raid two botnet command-and-control server locations. The botnets were at the center of an operation that harvested information from thousands of infected PCs using variants of the Zeus malware.

The two main servers, one in Illinois and the other in Pennsylvania, have been under Microsoft's control since the March raid, along with 800 domains. eWeek.com now reports that Microsoft will be allowed to keep control of the botnets for the next two years.

A federal court granted Microsoft's request for more time to control those servers earlier this week. Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit, stated: "This additional time will allow Microsoft to continue to work with Internet service providers and Computer Emergency Response Teams (CERTs) to clean those computers that are still infected with the malware."

Zeus infects PCs and uses keyloggers to harvest usernames and passwords, which are then sent "back home" to command-and-control servers such as the two that were seized. Because the infected machines keep checking in with servers that Microsoft now controls, Microsoft can see which machines are still infected and pass that information to ISPs and CERTs for clean-up. The raid and subsequent control of the servers appear to have cut the number of PCs infected with the malware by about half.
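To make the clean-up step concrete, here is an added example (not Microsoft's code, and not part of the original article) of how a sinkhole operator turns bot check-ins into per-ISP abuse notices. It assumes the seized server's web log is in Apache combined format, that bots POST to a check-in path (the Zeus kit's conventional "/gate.php" is used here, but the path is configurable), and a small, invented IP-prefix-to-ISP table standing in for a real BGP/WHOIS lookup. The log lines are constructed and use RFC 5737 documentation addresses.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sinkhole access log (not real traffic). One IP checks in
# three times across two days, one GET for robots.txt is a crawler, and one
# bot comes from a prefix the ISP table does not know.
SAMPLE_LOG = """\
198.51.100.23 - - [20/Nov/2012:08:14:02 +0000] "POST /gate.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Nov/2012:09:14:05 +0000] "POST /gate.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.77 - - [20/Nov/2012:08:20:41 +0000] "POST /gate.php HTTP/1.1" 200 480 "-" "Mozilla/4.0"
192.0.2.9 - - [20/Nov/2012:08:21:10 +0000] "GET /robots.txt HTTP/1.1" 404 210 "-" "Googlebot"
203.0.113.150 - - [20/Nov/2012:10:02:33 +0000] "POST /gate.php HTTP/1.1" 200 498 "-" "Mozilla/4.0"
192.0.2.200 - - [20/Nov/2012:11:40:12 +0000] "POST /gate.php?id=1 HTTP/1.1" 200 470 "-" "Mozilla/4.0"
198.51.100.23 - - [21/Nov/2012:08:14:07 +0000] "POST /gate.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# Assumed for illustration: prefix -> (ISP name, abuse contact). A real
# sinkhole would resolve origin AS and abuse contacts from routing/WHOIS data.
ISP_PREFIXES = [
    (ipaddress.ip_network("198.51.100.0/24"), "Example ISP A", "abuse@isp-a.example"),
    (ipaddress.ip_network("203.0.113.0/24"), "Example ISP B", "abuse@isp-b.example"),
]

# Assumed check-in path; Zeus bots POST harvested data to the kit's gate
# script, conventionally gate.php, but operators can rename it.
CHECKIN_PATH = "/gate.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_bot_checkin(rec):
    """A bot check-in is a POST to the gate path (query string ignored)."""
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] == CHECKIN_PATH


def lookup_isp(ip):
    """Map an IP to (ISP name, abuse contact); unknown prefixes go to 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, name, contact in ISP_PREFIXES:
        if addr in net:
            return name, contact
    return "unknown", None


def build_report(log_text):
    """Collapse check-ins to one entry per bot IP, grouped by ISP.

    Counting unique IPs (not hits) matters: a single infected machine checks in
    repeatedly, and the ISP needs IP plus timestamps to map a dynamic address
    back to the right subscriber.
    """
    report = defaultdict(lambda: {"abuse_contact": None, "bots": {}})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_bot_checkin(rec):
            continue
        isp, contact = lookup_isp(rec["ip"])
        entry = report[isp]
        entry["abuse_contact"] = contact
        bot = entry["bots"].setdefault(
            rec["ip"], {"first_seen": rec["ts"], "last_seen": rec["ts"], "checkins": 0}
        )
        bot["first_seen"] = min(bot["first_seen"], rec["ts"])
        bot["last_seen"] = max(bot["last_seen"], rec["ts"])
        bot["checkins"] += 1
    return dict(report)


def format_notice(isp, entry):
    """Render the plain-text notice an ISP abuse desk would receive."""
    lines = [f"Sinkhole notice for {isp} (contact: {entry['abuse_contact'] or 'n/a'})"]
    for ip, bot in sorted(entry["bots"].items()):
        lines.append(
            f"  {ip}: {bot['checkins']} check-in(s), "
            f"first {bot['first_seen'].isoformat()}, last {bot['last_seen'].isoformat()}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    for isp, entry in build_report(SAMPLE_LOG).items():
        print(format_notice(isp, entry))
        print()
```

The "unknown" bucket is the part a practitioner should watch: bots whose prefix has no abuse contact are exactly the ones that stay infected, which is why a sinkhole operator keeps the servers up and keeps improving attribution rather than simply switching them off.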

Microsoft has gone after several botnet operations in the past year and a half, including shutting down the Rustock botnet in 2011 and the Nitol botnet in September 2012.

Source: eWeek

14 Comments

Will they actually be allowed to remotely clean those PCs? I presume that is the intention. How have they already achieved a drop by half of infected machines? I am curious but can find little information about this.

paul0544 said,
Will they actually be allowed to remotely clean those PCs? I presume that is the intention. How have they already achieved a drop by half of infected machines? I am curious but can find little information about this.

Nope, it's illegal to do that. xD

paul0544 said,
Will they actually be allowed to remotely clean those PCs?

Why not? MSE and any other AV product automatically quarantines/deletes viruses/trojans and is constantly updated with signatures of any new ones.

Unless they are remotely cleaning/informing users of infection.... why would they want to keep these servers running?! ...why not just shut them down?!

GreatMarkO said,
Unless they are remotely cleaning/informing users of infection.... why would they want to keep these servers running?! ...why not just shut them down?!

It didn't say they were going to keep them running. Just keep them. They could be studying the botnets to try to come up with solutions to help prevent it from happening again or something of the sort.

GreatMarkO said,
Unless they are remotely cleaning/informing users of infection.... why would they want to keep these servers running?! ...why not just shut them down?!

They are the DNS servers, because the malware changes the OS so it only uses certain DNS servers. The FBI wanted to take them down, which would affect a LOT of people, and they wouldn't know why. They're trying to inform people about it: that they have it and how to remove it. (Most people with it will be completely unaware that they have it, and a good percentage of them probably won't know what malware even is.)

I think it would stop people's computers from being able to surf the net if they do. I think that the Zeus virus altered people's DNS server settings on their computers. Not sure how Microsoft will go about fixing this one.

Because infected computers report back, they then inform the ISP, and the ISP locks out the customer and informs them they need to clean their computer.

If they shut them down, the clients would still be infected, help spread it, and could be controlled by a new control server.

2 years? Seems like they're wasting time on this, going down the long road of informing ISPs, who then send out a letter via post to infected users, and then there is the question of whether the message will filter down to the actual end user.

Microsoft should hack the DNS of the infected machines and point all http requests to a notice page with links to a removal tool and advice on how to prevent infection in future.

MS is taking control of botnets now... Any chance the one-way receive-only diode is installed? I doubt it too. 2 years is a while to legally illegally control computers, especially since they have had control for nearly a year now!
I applaud them for their previous effort in shutting down the botnets, but it seems they are becoming less efficient as they repeat the process. Maybe I am ignorant of how DNS works...

srbeen said,
MS is taking control of botnets now... Any chance the one-way receive-only diode is installed? I doubt it too. 2 years is a while to legally illegally control computers, especially since they have had control for nearly a year now!
I applaud them for their previous effort in shutting down the botnets, but it seems they are becoming less efficient as they repeat the process. Maybe I am ignorant of how DNS works...

MS has the server capacity to take down anyone at any time; they do not need these botnets either to gather massive amounts of information or to bring down services.

And no DNS for many, many users will mean they cannot access the internet.

Shadowzz said,
MS has the server capacity to take down anyone at any time; they do not need these botnets either to gather massive amounts of information or to bring down services.

And no DNS for many, many users will mean they cannot access the internet.

Taking away DNS doesn't kill the internet. It kills name resolution, so, as an example, torrents still work but IE doesn't. I'm just saying: why will it take 2 MORE years to take down a botnet, when they have previously done other ones seemingly faster?

Could they not just pass their findings on to all the AV companies so they could be included as part of a special search? Or could MS not create a tool on Windows Update to scan and then inform you of its findings, in an easy-to-understand manner that allowed customers to contact their ISP and get their settings sorted out before the clean-up was then run?

Why don't they just inspect the source code?
It's been passed around the net for ages now (password = zeus)
and jeez, it's a huge project with a lot of source code, wow lol
so obviously that means they stopped nothing and more Zeus variants will flow like water lol
