Microsoft serves subpoenas on Google to disrupt criminal botnet

New details have emerged in a massive lawsuit by Microsoft and the banking industry to take down a global botnet based on the Zeus Trojan. Ironically, the leak occurred when Google exercised its privacy policy to notify the suspects.
Written by Ed Bott, Senior Contributing Editor

Online criminals who live outside the borders of the United States might think of themselves as being immune from American legal processes.

Generally, that’s true. It’s hard to serve a U.S. subpoena or search warrant in the Ukraine or Romania.

Ah, but things get complicated when those criminals use online services or hosting companies that are within the reach of American legal authorities.

This week, some previously secret details about a large and potentially significant crime-busting operation led by Microsoft emerged. Independent security expert Brian Krebs has details in a thorough post that lays out the entire story methodically.

In March, Microsoft and its co-plaintiffs the National Automated Clearing House Association (which manages the ACH Network that processes online banking transactions) and FS-ISAC Inc. (Financial Services – Information Sharing and Analysis Center, the nonprofit security arm funded by the banking industry) filed a civil lawsuit aimed at disrupting the operation of a large criminal gang.

Ironically, the previously secret details emerged when Google invoked its privacy policy to notify the suspects that it had received subpoenas demanding details about their Gmail accounts.

The lawsuit, which included notices in three Eastern European languages, initially listed 39 “John Does” who were charged with running a botnet that used the Zeus Trojan to take over Windows PCs and steal funds from online banking accounts.

The first step was shutting down the network the criminals were using:

As a part of the operation, on March 23, Microsoft and its co-plaintiffs, escorted by the U.S. Marshals, seized command and control servers in two hosting locations, Scranton, Pa., and Lombard, Ill., to seize and preserve valuable data and virtual evidence from the botnets for the case. Microsoft and its partners took down two Internet Protocol addresses behind the Zeus command and control structure, and Microsoft is currently monitoring 800 domains secured in the operation, which are helping identify thousands of computers infected by Zeus.

This isn’t the first time Microsoft has used the U.S. legal system to shut down a global network. A previous case in 2010 resulted in multiple arrests and also shut down servers used in a different Zeus botnet.

The legal documents are available at zeuslegalnotice.com. Many of its details had been sealed, but some emerged today after Google began alerting the owners of Gmail addresses that their account information had been demanded in a subpoena. Krebs reports:

Over the past few days, Google began alerting the registrants of more than three dozen Gmail accounts that were the subject of Microsoft’s subpoenas for email records. The email addresses were already named in Microsoft’s initial complaint … But when Microsoft subpoenaed the email account information on those John Does, Google followed its privacy policy, which is to alert each of the account holders that it was prepared to turn over their personal information unless they formally objected to the action by a certain date.

According to Krebs, the notification letters included this text:

Google has received a subpoena for information related to your Google account in a case entitled Microsoft Corp., FS-ISAC, Inc. and NACHA v. John Does 1-39 et al., US District Court, Northern District of California, 1:12-cv-01335 (SJ-RLM) (Internal Ref. No. 224623).

To comply with the law, unless you provide us with a copy of a motion to quash the subpoena (or other formal objection filed in court) via email at google-legal-support@google.com by 5pm Pacific Time on May 22, 2012, Google may provide responsive documents on this date.

Another 15 addresses named in the lawsuit are at the hotmail.com or msn.com domains owned by Microsoft.

The aggressive approach taken by the plaintiffs in these lawsuits has rankled some sources in the security community, but this is good news for those who might otherwise have fallen victim to the criminal actions.

David Dittrich, chief legal officer for the Honeynet Project, an independent security group, argued that civil suits are one of the best ways to convince ISPs and hosting companies to do the right thing:

Going to court filing a civil action is more effective than any other means in getting third parties who may otherwise be reluctant to cooperate in removing DNS entries or imaging hard drives on a server used as instrument of crime to do so. It is one thing to deny a request from someone who says they are a victim of crime, or who is acting on behalf of victims of crime, but saying "no" to an order from a federal court means you risk having to appear in that court to defend your refusal.

And Krebs also talked to Jon Praed of the Internet Law Group, who pointedly said: “Microsoft is spending a tremendous amount of money trying to stop this activity, and I don’t know anyone else out there who is even trying to do this.”

Editorial standards