Microsoft serves subpoenas on Google to disrupt criminal botnet
Summary: New details have emerged in a massive lawsuit by Microsoft and the banking industry to take down a global botnet based on the Zeus Trojan. Ironically, the leak occurred when Google exercised its privacy policy to notify the suspects.
Online criminals who live outside the borders of the United States might think of themselves as being immune from American legal processes.
Generally, that’s true. It’s hard to serve a U.S. subpoena or search warrant in the Ukraine or Romania.
Ah, but things get complicated when those criminals use online services or hosting companies that are within the reach of American legal authorities.
This week, some previously secret details about a large and potentially significant crime-busting operation led by Microsoft emerged. Independent security expert Brian Krebs has details in a thorough post that lays out the entire story methodically.
In March, Microsoft and its co-plaintiffs the National Automated Clearing House Association (which manages the ACH Network that processes online banking transactions) and FS-ISAC Inc. (Financial Services – Information Sharing and Analysis Center, the nonprofit security arm funded by the banking industry) filed a civil lawsuit aimed at disrupting the operation of a large criminal gang.
Ironically, the previously secret details emerged when Google invoked its privacy policy to notify the suspects that it had received subpoenas demanding details about their Gmail accounts.
The lawsuit, which included notices in three Eastern European languages, initially listed 39 “John Does” who were charged with running a botnet that used the Zeus Trojan to take over Windows PCs and steal funds from online banking accounts.
The first step was shutting down the network the criminals were using:
As a part of the operation, on March 23, Microsoft and its co-plaintiffs, escorted by the U.S. Marshals, seized command and control servers in two hosting locations, Scranton, Pa., and Lombard, Ill., to seize and preserve valuable data and virtual evidence from the botnets for the case. Microsoft and its partners took down two Internet Protocol addresses behind the Zeus command and control structure, and Microsoft is currently monitoring 800 domains secured in the operation, which are helping identify thousands of computers infected by Zeus.
This isn’t the first time Microsoft has used the U.S. legal system to shut down a global network. A previous case in 2010 resulted in multiple arrests and also shut down servers used in a different Zeus botnet.
The legal documents are available at zeuslegalnotice.com. Many of its details had been sealed, but some emerged today after Google began alerting the owners of Gmail addresses that their account information had been demanded in a subpoena. Krebs reports:
Over the past few days, Google began alerting the registrants of more than three dozen Gmail accounts that were the subject of Microsoft’s subpoenas for email records. The email addresses were already named in Microsoft’s initial complaint … But when Microsoft subpoenaed the email account information on those John Does, Google followed its privacy policy, which is to alert each of the account holders that it was prepared to turn over their personal information unless they formally objected to the action by a certain date.
According to Krebs, the notification letters included this text:
Google has received a subpoena for information related to your Google account in a case entitled Microsoft Corp., FS-ISAC, Inc. and NACHA v. John Does 1-39 et al., US District Court, Northern District of California, 1:12-cv-01335 (SJ-RLM) (Internal Ref. No. 224623).
To comply with the law, unless you provide us with a copy of a motion to quash the subpoena (or other formal objection filed in court) via email at google-legal-support@google.com by 5pm Pacific Time on May 22, 2012, Google may provide responsive documents on this date.
Another 15 addresses named in the lawsuit are at the hotmail.com or msn.com domains owned by Microsoft.
The aggressive approach taken by the plaintiffs in these lawsuits has rankled some sources in the security community, but this is good news for those who might otherwise have fallen victim to the criminal actions.
David Dittrich, chief legal officer for the Honeynet Project, an independent security group, argued that civil suits are one of the best ways to convince ISPs and hosting companies to do the right thing:
Going to court and filing a civil action is more effective than any other means in getting third parties who may otherwise be reluctant to cooperate in removing DNS entries or imaging hard drives on a server used as an instrument of crime to do so. It is one thing to deny a request from someone who says they are a victim of crime, or who is acting on behalf of victims of crime, but saying "no" to an order from a federal court means you risk having to appear in that court to defend your refusal.
And Krebs also talked to Jon Praed of the Internet Law Group, who pointedly said: “Microsoft is spending a tremendous amount of money trying to stop this activity, and I don’t know anyone else out there who is even trying to do this.”
Talkback
Why would Google want to help?
Cognitive dissonance
Is there a better major corporate Netizen than MS today?
It was a long process......
You're kidding, right?
As far as being a good Netizen, their recent security efforts have been too little, too late, and could be seen mostly if not exclusively as a marketing gimmick to improve their image. And even in this case, if you click on the link to the Brian Krebs write-up above and then scroll down a little bit, you will find this little gem:
"Critics of the Microsoft effort say certain clues prove that the company borrowed and published raw intelligence without fully understanding the data's true value and origins. Andy Fried, a former law enforcement official and owner of the Alexandria, Va. based security consultancy Deteque, was a co-founder of the little-known ZeuS Working Group, an ad hoc and extremely secretive collection of law enforcement officials and private security professionals dedicated to tracking ZeuS activity with the aim of bringing those responsible to justice.
"'A basic tenet of this trust group is that everyone feels free to share data, but the rule is you never release that data outside of the trust group without express permission of whoever provided the data,' Fried said. 'But there was no way that the data Microsoft published was received independently. Much of it was cut-and-pasted verbatim, and some of the data included in the search warrant was horrifically out of date.'"
JustCallmeBC
AT&T was the largest monopoly in the IT/data comm spectrum Ever...no question, they owned everyone's arse down to the wire into their home.
Linux is totally based on lots of *nix code floating around, so by association, Torvalds is the supporter of the largest monopolist ever.
There was no choice with AT&T, with MS, there was Apple, right? There were SUN workstations, right? IBM PCs, right? You tell me how a young MSFT kept Apple, SCO, AT&T, SUN and IBM down. What a farce. You are just like SUN, once MSFT's genius brought PCs to everyone in a mainstream way and catapulted the web way ahead of its natural growth on its old *nix systems. Nobody...Nobody else could do it. Apple proved they couldn't do it with a MAC @ 3000.00 in the 90s. SUN couldn't produce a retail desktop OS....or they would have, right? That is why they tried to jump on MSFT's back with Java in a desperate attempt to get a piece of the pie they were not savvy enough to see and act on. All this BS about what MS did but you first have to get past why the entire remainder of the IT community could not even bring a competitor to the table. How pathetic.
And in case you've not thought about it, Apple and Google only became successful from riding on the back of MSFT. iPod/iPad would have never taken off at all w/o one main ingredient. "iTunes for Windows"! Without that, it's another Apple Newton in history, period.
Google search and its ad revenue comes 95% from Windows users.
Thanks MSFT, not only did it help create a vast high paying ecosystem around the world, but it's allowed competitors to launch from its non-locked-down environment. Unlike Apple who control who can write code for their platform.
(MSFT created Applesoft basic for the Apple IIs so they had a programming environment on board. Yes they didn't mind licensing from those who know how to write software. Visual Studio a shining example of the best dev software ever from its first edition to current. MS Office for Mac literally saved it in the mid 90s, the only thing keeping many companies that used Macs from jumping ship. If they were evil, they'd have said, nah, we're discontinuing Office for Mac. It was a loss for MSFT at that time, it was not a revenue stream by any means, yet they continued creating it for Apple.
Netscape? You mean when Netscape created their mascot called Mozilla which stood for "Mo-saic Killa" Mosaic Killer. So Netscape is crowing about burying Mosaic with their wonderful browser and you are not going to stand up for Mosaic? No, it's poor old Netscape. :( And the Facts are, Netscape saw what was coming and didn't even try to support HTML 4 and tried to make a new product from their browser before IE was included. There were millions of us that would have continued using Netscape, but guess what? We couldn't. I was a dedicated Netscape user but they took it away just assuming disaster.
MS may have paid Netscape money but businesses do that routinely if it costs less than going to court, so it's clearly not an admission of guilt. Companies of all stripes do it routinely.
As for MSFT doing something to counter competition....really? You mean a For-Profit company actually did that?? you have to be kidding, next thing you know you'll be saying Apple only created a cloud offering to counter Google and MSFT. How silly that would be..
What is it you love so much about hating MSFT? Is it Bill Gates' looks? Apple and Google have shown to be so devious at this point they make MSFT business moves look like they were actually valid.
He's a sheep
So the continued growth, and MSFT market upward movement is an illusion?
Can you share your obvious wisdom and insight by way of data that backs up what you said?
Google is
That's just silly
Do no evil...
Not their policy now either
Perhaps it creates some internal problems with their funnelling billions under the guise of expensive licence fees offshore to a tax haven.
Ed Bott, you're a security expert
Finally, what are your recommendations for using the Windows platform to conduct online banking?
Nothing special about Zeus as far as the user is concerned
http://www.zdnet.com/blog/bott/stay-safe-online-5-secrets-every-pc-and-mac-owner-should-know/3542
Brian Krebs has done a great deal of work on this botnet in particular. A recent post on the evolution of cross-platform malware included links to his articles with very specific advice. See the end of this post, which specifically mentions the Zeus botnet:
http://www.zdnet.com/blog/bott/the-slow-and-steady-evolution-of-cross-platform-malware/4930
Ed: 1 Rabid: 0
RE: Nothing special about Zeus as far as the user is concerned
o avoid Microsoft Windows (especially with commercial banking accounts)
o use a Linux Live CD on a Windows PC
o use Mac OS X*
o if one uses Microsoft Windows to bank online, use a PC that is dedicated to online banking use (especially with commercial banking accounts)
Many other security pros strongly recommend that consumers use a Linux Live CD in lieu of Windows for their online banking.
* It will be interesting to see if KrebsOnSecurity revisits its recommendation for OS X. However, banking trojans like those found on Windows (e.g., Zeus, Carberp, SpyEye) have not yet surfaced on OS X.
You've written how many articles on MacDefender and Flashback?
"See the end of this post, which specifically mentions the Zeus botnet": "the slow and steady evolution of cross platform malware"
And you point me to a blurb on one of your recent articles? And Zeus isn't even an example of cross-platform malware. Sorry, but Windows malware deserves better than a blurb. It deserves headlines just as MacDefender and Flashback deserve headlines.
Number 1 should be using Linux.
Botnets: Zeus, Conficker, TDL-4, Akbot, Bobax, DonBot, Grum, Lethic, Mariposa, Nucrypt, Rustock, Storm, Wopia, Asprox, BredoLab, Cutwall, Festi, Gumblar, Maazben, Mega-D, Onewordsub, Spamthru, Stuxnet, Waledac, Xarvester, Bagle, Gheg, Kraken, Srizbi, and Torpig -- DO NOT AFFECT LINUX. --
What OS is susceptible?
Microsoft begot the botnet in the first place, Microsoft wants to kill it now. What a bad parent!
Good Job