Executive Editor

Microsoft downs Zeus botnet but can’t ID who is behind it

Mar 27, 2012 | 3 min read
Botnets, Cybercrime, Data and Information Security

Microsoft won court permission on Friday to seize servers, a move that took down a deployment of the Zeus botnet, and it even detailed the corporate structure that enabled using the zombie network to steal cash from victims.

The downside is that it can't name any of the perpetrators.

BACKGROUND: Microsoft leads seizure of Zeus-related cybercrime servers

MORE ATTACKS: 10 Scariest hacks from Black Hat and Defcon

According to court papers, Microsoft can identify 39 individuals by their roles in the criminal enterprise, by online aliases and in some cases email addresses where they can be reached, but none of them by their real names and addresses.

The names run the gamut – Jonni, D Frank, MaDaGaSkA, Lucky, NoName, bx1, Admin 2010, Veggi Roma – as do the email addresses, many of them Yahoo and Hotmail accounts. And the roles of the defendants are precisely described, but bringing them to justice, at the moment, is still a way off. All of the 39 accused appear as John Doe with an associated number from one to 39.

The group ran botnets from 59 domain names, the legal papers claim. Permission to seize the servers involved with the botnets was granted without hearing from the accused, on the basis that if they knew they had been found out, they would hide or destroy the evidence.

The group is being sued under the Racketeer Influenced and Corrupt Organizations (RICO) Act because the criminal operation's activities included interstate and international racketeering. In fact, the court papers refer to the accused parties as the Zeus Racketeering Enterprise.

They are accused of fraudulently representing themselves as bank customers and stealing their victims’ funds. They harvested passwords and bank account numbers via infected machines and cashed in, using money mules to move the funds to other countries, the court papers say, committing wire fraud and bank fraud in the process.

John Doe 1 is the creator of Zeus, which, along with Ice-IX and SpyEye, is one of the three pieces of code that make up the Zeus botnet, according to the complaint Microsoft and others filed in federal court.

John Doe 2 wrote Ice-IX and John Doe 3 wrote SpyEye, the complaint says, and all three worked together with the other John Does to deploy Zeus botnets.

John Doe 4 (Aqua), John Doe 13 (Mask) and John Doe 14 (Enx) recruited money mules to collect and transfer funds stolen from victims.

John Doe 15 (Benny) specialized in recruiting young people headed to the U.S. or already there on J1 student visas to be mules, and he advertised a cash-out service. John Does 22 (Jonni), 23 (jtk) and 24 (Veggi Roma) recruited mules in the U.K.

John Doe 5 (Miami) developed code that injects fake Web forms into pages viewed on Zeus-infected machines, so that unwitting victims fill them in with their legitimate usernames and passwords for banking accounts; John Doe 9 (Kusunagi) did the same.

John Doe 6 (petr0vich) acts as the primary network administrator for the rest of the John Does described in the legal document. John Doe 7 (Mr ICQ) handles compromised victim information as it comes in and has ties to underground services for currency exchange with the help of John Doe 8 (Tank).

Lucky, referred to as John Doe 11 in the filing, initiates wire transfers of stolen funds. John Does 16 and 17 both bought copies of Zeus to deploy.

John Doe 31 (susanneon), 38 (jheto2002) and 39 (sector.exploits) all created code that would inject Zeus/SpyEye into victim systems.

The complaint lists 13 John Does believed to have used Zeus code directly to create botnets.
