Microsoft serves subpoenas on Google to disrupt criminal botnet

Microsoft serves subpoenas on Google to disrupt criminal botnet

Summary: New details have emerged in a massive lawsuit by Microsoft and the banking industry to take down a global botnet based on the Zeus Trojan. Ironically, the leak occurred when Google exercised its privacy policy to notify the suspects.


Online criminals who live outside the borders of the United States might think of themselves as being immune from American legal processes.

Generally, that’s true. It’s hard to serve a U.S. subpoena or search warrant in the Ukraine or Romania.

Ah, but things get complicated when those criminals use online services or hosting companies that are within the reach of American legal authorities.

This week, some previously secret details about a large and potentially significant crime-busting operation led by Microsoft emerged. Independent security expert Brian Krebs has details in a thorough post that lays out the entire story methodically.

In March, Microsoft and its co-plaintiffs the National Automated Clearing House Association (which manages the ACH Network that processes online banking transactions) and FS-ISAC Inc. (Financial Services – Information Sharing and Analysis Center, the nonprofit security arm funded by the banking industry) filed a civil lawsuit aimed at disrupting the operation of a large criminal gang.

Ironically, the previously secret details emerged when Google invoked its privacy policy to notify the suspects that it had received subpoenas demanding details about their Gmail accounts.

The lawsuit, which included notices in three Eastern European languages, initially listed 39 “John Does” who were charged with running a botnet that used the Zeus Trojan to take over Windows PCs and steal funds from online banking accounts.

The first step was shutting down the network the criminals were using:

As a part of the operation, on March 23, Microsoft and its co-plaintiffs, escorted by the U.S. Marshals, seized command and control servers in two hosting locations, Scranton, Pa., and Lombard, Ill., to seize and preserve valuable data and virtual evidence from the botnets for the case. Microsoft and its partners took down two Internet Protocol addresses behind the Zeus command and control structure, and Microsoft is currently monitoring 800 domains secured in the operation, which are helping identify thousands of computers infected by Zeus.

This isn’t the first time Microsoft has used the U.S. legal system to shut down a global network. A previous case in 2010 resulted in multiple arrests and also shut down servers used in a different Zeus botnet.

The legal documents are available at Many of its details had been sealed, but some emerged today after Google began alerting the owners of Gmail addresses that their account information had been demanded in a subpoena. Krebs reports:

Over the past few days, Google began alerting the registrants of more than three dozen Gmail accounts that were the subject of Microsoft’s subpoenas for email records. The email addresses were already named in Microsoft’s initial complaint … But when Microsoft subpoenaed the email account information on those John Does, Google followed its privacy policy, which is to alert each of the account holders that it was prepared to turn over their personal information unless they formally objected to the action by a certain date.

According to Krebs, the notification letters included this text:

Google has received a subpoena for information related to your Google account in a case entitled Microsoft Corp., FS-ISAC, Inc. and NACHA v. John Does 1-39 et al., US District Court, Northern District of California, 1:12-cv-01335 (SJ-RLM) (Internal Ref. No. 224623).

To comply with the law, unless you provide us with a copy of a motion to quash the subpoena (or other formal objection filed in court) via email at by 5pm Pacific Time on May 22, 2012, Google may provide responsive documents on this date.

Another 15 addresses named in the lawsuit are at the or domains owned by Microsoft.

The aggressive approach taken by the plaintiffs in these lawsuits has rankled some sources in the security community, but this is good news for those who might otherwise have fallen victim to the criminal actions.

David Dittrich, chief legal officer for the Honeynet Project, an independent security group, argued that civil suits are one of the best ways to convince ISPs and hosting companies to do the right thing:

Going to court filing a civil action is more effective than any other means in getting third parties who may otherwise be reluctant to cooperate in removing DNS entries or imaging hard drives on a server used as instrument of crime to do so. It is one thing to deny a request from someone who says they are a victim of crime, or who is acting on behalf of victims of crime, but saying "no" to an order from a federal court means you risk having to appear in that court to defend your refusal.

And Krebs also talked to Jon Praed of the Internet Law Group, who pointedly said: “Microsoft is spending a tremendous amount of money trying to stop this activity, and I don’t know anyone else out there who is even trying to do this.”

Topics: Security, Banking, Browser, Collaboration, E-Commerce, Google, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Microsoft serves subpoenas on Google to disrupt criminal botnet

    Kudos to Microsoft! Take down all these botnets. I'm glad to see Microsoft is actually doing something about it unlike the others.
    Loverock Davidson-
    • Why would Google want to help?

      Google would lose money.
      William Farrel
    • Cognitive dissonance

      MS is giving me a lot of it lately. For [i]decades[/i] I have been anti MS. And now, compared to the alternatives at least, I repeatedly find myself admiring them.

      Is there a better major corporate Netizen than MS today?
      x I'm tc
      • It was a long process......

        .....but I also eventually made peace with Microsoft after some years.
        Lester Young
      • You're kidding, right?

        Microsoft is still the same old Microsoft -- the only difference now is that for the first time in decades they are facing major competition/threats to their various ill-gotten IT hegemonies, mostly via Google and Apple. It's like with Internet Explorer: Microsoft finally succeeded in undermining Netscape and then later got Bush's DOJ to essentially drop a warehouse of evidence attesting to their bad behavior, and Internet Explorer development stopped even though everyone tech savvy was screaming about what a security nightmare it was. It wasn't until Mozilla, rising out of the ashes of Netscape, slowly but resolutely developed a more advanced browser and starting getting market share that Microsoft finally did something about improving IE. On the flip side, when Linux distros with more user friendly interfaces starting appearing, especially on the early Netbooks: Microsoft pulled out all stops in undermining that, including extending the life of XP, replacing Vista .5 with Vista 1.0 (aka Windows 7), colluding with Intel to cripple Netbooks so they wouldn't eat too much in to more profitable notebooks, and then going after Linux first with IP threats and then with arm-twisting, undisclosed licensing agreements that exploited weaknesses in patent law (although they are hardly alone in that last bit.)

        As far as being a good Netizen, their recent security efforts have been too little, too late, and could be seen mostly if not exclusively as a marketing gimmick to improve their image. And even in this case, if you click on the link to the Brian Krebs write-up above and then scroll down a little bit, you will find this little gem:

        "Critics of the Microsoft effort say certain clues prove that the company borrowed and published raw intelligence without fully understanding the data's true value and origins. Andy Fried, a former law enforcement official and owner of the Alexandria, Va. based security consultancy Deteque, was a co-founder of the little-known ZeuS Working Group, an ad hoc and extremely secretive collection of law enforcement officials and private security professionals dedicated to tracking ZeuS activity with the aim of bringing those responsible to justice.

        "'A basic tenet of this trust group is that everyone feels free to share data, but the rule is you never release that data outside of the trust group without express permission of whoever provided the data, 'Fried said. 'But there was no way that the data Microsoft published was received independently. Much of it was cut-and-pasted verbatim, and some of the data included in the search warrant was horrifically out of date.'"
      • JustCallmeBC

        Please, you are dredging up stuff going on 2 decades ago???
        AT&T was the largest monopoly in the IT/data comm spectrum question, they owned everyone's arse down to the wire into their home.
        Linux is totally based on lots of *nix code floating around, so by association, Torvalds is the supporter of the largest monopolist ever.
        There was no choice with AT&T, with MS, there was Apple, right? There were SUN workstations, right? IBM PCs, right? You tell me how a young MSFT kept Apple, SCO, AT&T, SUN and IBM down. What a farce. You are just like SUN, once MSFT's genius brought PCs to everyone in a mainstream way and catapolted the web way ahead of it's natural growth on it's old *nix systems. Nobody...Nobody else could do it. Apple proved they couldn't do it with a MAC @ 3000.00 in the 90s. SUN couldn't produce a retail desktop OS....or they would have, right? That is why they tried to jump on MSFT's back with Java in a desperate attempt to get a piece of the pie they were not savvy enough to see and act on. All this BS about what MS did but you first have to get past why the entire remainder of the IT community could not even bring a competitor to the table. How pathetic.
        And in case you've not thought about it, Apple and Google only became successful from riding on the back of MSFT. iPod/iPad would have never taken off at all w/o one main ingredient. "iTunes for Windows"! Without that, it's another Apple Newton in history, period.
        Google search and it's ad revenue comes 95% from Windows users.
        Thanks MSFT, not only did it help create a vast high paying ecosystem around the world, but it's allowed competitors to launch from it's non locked down environment. Unlike Apple who control who can write code for their platform.
        (MSFT created Applesoft basic for the Apple IIs so they had a programming environment on board. Yes they didn't mind licensing from those who know how to write software. Visual Studio a shining example of the best dev software ever from it's first edition to current. MS Office for Mac literally saved it in teh mid 90s , the only thing keeping many companies that used Macs from jumping ship. If they were evil, they'd have said, nah, we're discontinuing Office for Mac. It was a loss for MSFT at that time, it was not a revenue stream by any means, yet they continued creating it for Apple.

        Netscape? You mean when Netscape created their mascot called Mozilla which stood for "Mo-saic Killa" Mosaic Killer. So Netscape is crowing about burying Mosaic with thier wonderful browser and you are not going to stand up for Mosaic? No, it's poor old Netscape. :( And the Facts are, Netscape saw what was coming and didn't even try to support HTML 4 and tried to make a new product from their browser before IE was included. There were millions of us that woudl have continued using Netscape, but guess what? We couldn't. I was a dedicated Netscape user but they took it away just assuming disaster.
        MS may have paid Netscape money but businesses do that routinely if it costs less than going to court, so it's clearly not an admission of guilt. Companies of all stripes do it routinely.
        As for MSFT doing something to counter competition....really? You mean a For-Profit company actually did that?? you have to be kidding, next thing you know you'll be saying Apple only created a cloud offering to counter Google and MSFT. How silly that would be..

        What is it you love so much about hating MSFT. Is it Bill Gates looks? Apple and Google have show to be so devious at this point they make MSFT business moves look like they were actually valid.
    • hes a sheep

      We all know microsoft is losing money the founder jumped ship soon the sheeep clients will too
      • So the continued growth, and MSFT market upward movement is an illusion?

        MSFT continues to break their own revenue records year after year, but you have the real info huh? What, some secret society thing where you have proof MSFT is making up their earnings?
        Can you share your obvious wisdom and insight by way of data that backs up what you said.
  • Google is

    the problem. Google's do no harm policy is a load of crap. Google benefits from the botnet, wouldn't surprise me if they get a kickback from the fraud somehow.
    • That's just silly

      I don't know of any person who understands security issues who believes that is even remotely true.
      Ed Bott
    • Do no evil...

      Their policy is do no evil, not do no harm. I suppose there shouldn't be much difference, but regardless, they can be evil and harm consumers all they want... I doubt they're getting any kickbacks.
      • Not their policy now either

        "Do no evil" has been dropped as a motto.

        Perhaps it create some internal problems with their funnelling billions under the guise of expensive licence fees offshore to a tax haven.
  • Ed Bott, you're a security expert

    Tell us more about this Zeus trojan. What platforms are affected? How does one get infected? Are administrative rights required to become infected? Does anti-virus software have a good record protecting against Zeus variants? What does the Zeus trojan do, exactly, once resident on a user's system?

    Finally, what are your recommendations for using the Windows platform to conduct online banking?
    Rabid Howler Monkey
    • Nothing special about Zeus as far as the user is concerned

      My overall advice still applies:

      Brian Krebs has done a great deal of work on this botnet in particular. recent post on the evolution of cross-platform malware included links to his articles with very specific advice. See the end of this post, which specifically mentions the Zeus botnet:
      Ed Bott
      • Ed: 1 Rabid: 0

        I think his attempt to call you out on this one just backfired horribly. Nicely done Ed.
      • RE: Nothing special about Zeus as far as the user is concerned

        Wrt online banking, KrebsOnSecurity (and previous articles at the Washington Post) has recommended the following:

        o avoid Microsoft Windows (especially with commercial banking accounts)
        o use a Linux Live CD on a Windows PC
        o use Mac OS X*
        o if one uses Microsoft Windows to bank online, use a PC that is dedicated to online banking use (especially with commercial banking accounts)

        Many other security pros strongly recommend that consumers use a Linux Live CD in lieu of Windows for their online banking.

        * It will be interesting to see if KrebsOnSecurity revisits its recommendation for OS X. However, banking trojans like those found on Windows (e.g., Zeus, Carberp, SpyEye) have not [u]yet[/u] surfaced on OS X.
        Rabid Howler Monkey
      • You've written how many articles on MacDefender and Flashback?

        Ed Bott wrote:
        [i]See the end of this post, which specifically mentions the Zeus botnet[/i]: "the slow and steady evolution of cross platform malware"

        And you point me to a blerb on one of your recent articles? And Zeus isn't even an example of cross-platform malware. Sorry, but Windows malware deserves better than a blerb. It deserves headlines just as MacDefender and Flashback deserve headlines.
        Rabid Howler Monkey
      • Number 1 should be using Linux.

        Really, suffering from selective amnesia? It never will get mentioned from you, or is it just a Microsoft world? Ever suggest abandoning Windows like a true unbiased security expert would? Your articles only play the Microsoft fiddle which makes one wonder how you influence young readers eager to learn about computers and what a terrific disservice you do to them by your propaganda. Intellectually, ZDnet and your articles are a horrible place to go for objective information. Your expertise lies in creating biased infomercials for Microsoft and burying grotesque and horrific truths about the lack of Windows security. How can you define yourself as a security expert or computer authority and only advocate Windows?

        Botnets: Zeus, Conficker, TDL-4, Akbot, Bobax, DonBot, Grum, Lethic, Mariposa, Nucrypt, Rustock, Storm, Wopia, Asprox, BredoLab, Cutwall, Festi, Gumblar, Maazben, Mega-D, Onewordsub, Spamthru, Stuxnet, Waledac, Xarvester, Bagle, Gheg, Kraken, Srizbi, and Torpig [b] -- DO NOT AFFECT LINUX. --[/b]
    • What OS is susceptible ?

      Well done, Rabid!
      Microsoft begot the botnet in the first place, Microsoft wants to kill it now. What a bad parent!
  • Good Job

    Good job Microsoft, chase those criminal bas***ds until they are cornered !