What's Operation b71? Understand how Microsoft is fighting back against cybercrime to protect their customers.

  • Article

H3ll0,

What's Operation b71?

Have you heard about ZEUS malware? What about BotNets? You can understand how Microsoft joined forces to takedown ZEUS malware and related BotNets.

Background

Botnets, or armies of malware-infected computers, are the tool of choice for cybercriminals to conduct a variety of online attacks, limited only by the imagination of the bot-herder.

 Bot-herders infect people’s computers so discreetly that owners often never suspect their PC is living a double life. It’s like a gang setting up a drug den in someone’s home while they’re on vacation and coming back to do so every time the owner leaves the house, without the owner ever knowing anything is happening.

 In recent years, cybercrime has evolved in ways that make it comparable to organized crime – a network of bad actors – forming an infrastructure that enables a wide variety of criminal activity.

Supporting Statistics:

  • According to the security firm AVG, websites infected with malware are still the most effective attack vector for hackers to install malware on your computer with 47.6 percent of all malware installs occurring in that manner.
  • According to a 2011 Norton Cybercrime Report, the global cost of cybercrime totals $338 billion. That number is greater than the combined effort on the global economy of trafficking marijuana, heroin and cocaine, which is estimated at $288 billion.

Microsoft is unique in that it has a Digital Crimes Unit, whose mission is to transform the fight against digital crime with partnerships and legal and technical breakthroughs that destroy the way cybercriminals operate.  To date, our collaborative technical and legal approach to disrupt botnets has produced key victories, including the previous takedowns of the Waledac, Rustock and Kelihos botnets and global partnerships to rescue malware infected computer owners from the grip of these botnets, and the cyber-criminals behind their operation. While no single action or takedown will put an end to malware or cybercrime, through continued cooperation, creativity and vigilance we can help prevent and disrupt it.

 Operation b71

Building on the successes of its previous takedowns, Microsoft – in collaboration with financial services industry leaders and Kyrus Tech Inc. – have executed a coordinated global disruption of some of the worst known cybercrime operations fueling online fraud and identity theft today.  With this legal and technical action, some of the most harmful botnets using the Zeus family of malware worldwide have been disrupted in an unprecedented, proactive cross-industry operation against this cybercriminal organization. Specifically, these botnets are using three to four variants of the Zeus malware, a password-stealing Trojan known to use keylogging and other mechanisms to monitor people’s online activity.  The keyloggers record a user’s every keystroke in order to steal personal information, including account usernames and passwords. Criminals use this information to steal victims’ identities, withdraw money from their bank accounts, make on-line purchases using victim’s personal information and access other private accounts.

 Microsoft researchers have found that the Zeus malware automatically starts keylogging when the user of a Zeus-infected computer types in the name of a financial or ecommerce institution. This allows criminals to steal the user’s bank account and password. Zeus is sold in the criminal underground as a crimeware kit that enables criminals to set up their own command and control servers for their own botnet. It sells for anywhere between $700 to $15,000, depending on the version and features of the kit.

 Unlike Microsoft’s previous botnet takedowns, this operation – known as Operation b71 –involves the simultaneous disruption of not one, but multiple botnets built by cybercriminals using variants of Zeus malware. For this operation, Microsoft partnered with financial services industry leaders, including the Financial Services – Information Sharing and Analysis Center (FS-ISAC) and NACHA – The Electronic Payments Association. The banking & finance partners helped narrow the focus from the hundreds of botnets known to use Zeus, to concentrate on those known to cause the most public harm.  Microsoft focused on botnets using the Zeus, SpyEye and Ice-IX variants of Zeus malware.  Experts believe these botnets are responsible for nearly half a billion dollars in damages.

 Due to the unique complexity of these particular targets, unlike our prior botnet takedown operations, the goal here was not the permanent shutdown of all impacted targets.  Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long term damage to the cybercriminal organization that relies on these botnets for illicit gain and to gather intelligence to help identify those responsible and further protect victims. We expect this operation to deal a blow to the overall criminal infrastructure that relies on these botnets to thrive.  Cybercriminals are in it for the money, and our goal is to continue to hammer away at the profitability of their enterprise to drive them out of the business.

 An infrastructure of this magnitude functions as a form of organized crime; numerous people, with various roles, levels of involvement and expertise, perform a variety of illegal activities all within an interconnected web. At the heart of the wide ranging network of botherders, designers and purveyors, is the creator or creators of the build kit who designed the code that serves as the foundation of the Zeus botnets. While not every player in this network may be aware of or working directly with all of the other players, taken together, all of these actors form a massive and profitable criminal enterprise based on cybercrime.  It is this knowledge that formed the unique legal approach taken in this operation – including the use of civil RICO action (see below) to take simultaneous action across all elements and drivers of the targeted botnets in our operation.

Supporting Zeus Data Points

  • The Zeus malware threat is considered by many to be one of the worst on the internet, largely due to the difficulty in detecting and removing it.
  • Microsoft has detected more than 13 million suspected infections of this malware worldwide, with more than 3 million in the United States alone.
  • Approximately 2,411 companies and organizations worldwide have suffered from instances of financial loss, identity theft or had their computers compromised by the criminal operations running the Zeus botnets.
  • Botnets running Zeus malware have been victimizing people since 2007, causing millions in damages.

 Legal Strategy

Because Zeus relies on a criminal network to exploit users, Microsoft and our partners have once again applied a well-established law known as the Racketeer Influenced and Corrupt Organizations (RICO) Act to disrupt what are known to be the most destructive botnets running Zeus malware. As previously requested in the Rustock takedown, Microsoft asked the court for permission to sever the command and control structures of the most destructive botnets running the Zeus code in order to significantly impact the cybercriminals’ operations and infrastructure, advance global efforts to help victims regain control of their infected computers, and also help further investigations against those responsible for the threat.

 By incorporating the use of the RICO Act to disrupt these botnets, Microsoft will be able to pursue civil cases against everyone associated with the botnets’ operation, notwithstanding the fact that those involved in the “organization” are not necessarily part of a legal entity per say, but rather, are comprised of a loose union or group of individuals associated only in fact.  This civil suit alleges, among other causes of action, that the botnet operators and kit-sellers have been violating a federal law commonly referred to “access device fraud,” a legal term for the fraudulent use of any account number, personal identification number or other means of account access. Moreover, Microsoft also argues that the Zeus code acts as a device or apparatus to commit fraud because a computer needs to be infected with Zeus malware in order to intercept and thereby steal a person’s personal identification or other means of account access. 

 Working with Industry

Because the bot-herders used Zeus to steal victims’ banking credentials and transfer stolen funds, the Financial Services – Information Sharing and Analysis Center (FS-ISAC) and NACHA – The Electronic Payments Association are joining Microsoft as plaintiffs in this case.  In addition, Kyrus Tech served as a declarant. 

  • FS- Financial Services – Information Sharing and Analysis Center (FS-ISAC)
    • FS-ISAC was formed in 1999 and is a nonprofit corporation comprised of 4300 financial institutions.  Its mission is to share information and analysis of threats, vulnerabilities and incidents with its members, with the government and with other sectors.  FS-ISAC’s membership collaborates to develop security best practices that protect financial institutions and their customers. As a plaintiff, FS-ISAC is proactively addressing an issue that threatens its members and services. Zeus steals its customers’ financial information and uses that data to steal millions of dollars. Additionally, research shows that victims of financial fraud are also more likely to be victims of identity theft, making them vulnerable to further threats. Reducing the incidence of computer malware is a key piece of secure banking and people can help make their online banking more secure by taking an active role in protecting their computers from malicious software.
  • NACHA – The Electronic Payments Association
    • As a plaintiff, NACHA is proactively addressing an issue that threatens its members and their services. NACHA’s purpose is to manage the development, administration and governance of the Automated Clearing House (ACH) Network, which is the backbone for the safe and secure electronic movement of money and data.  NACHA also represents more than 10,000 financial institutions via 17 regional payments associations and direct membership.  Because Zeus allows botherders to intercept online banking credentials and initiate money transfers, NACHA believes it has a responsibility to help its members protect their customers from Zeus. Zeus malware is also capable of Account Hijacking, or Corporate Account Takeover, where criminals steal business’ online credentials and initiate fraudulent banking activity. Additionally, those behind Zeus are leveraging NACHA’s trademarks to fool recipients in fraudulent e-mails and thereby infect their computers.
  • Kyrus Tech Inc.
    • Kyrus Tech Inc., which served as a declarant in Microsoft’s case against the Kelihos botnet, also served as a declarant in this case, citing the dangers of Zeus malware and the effect of the malware on its customers.

 The operation was also supported by other organizations, such as F-Secure.

 Industry Impact

The disruption action, codenamed Operation b71, is Microsoft’s fourth botnet operation as part of its Project MARS initiative – a joint effort between DCU, Microsoft Malware Protection Center (MMPC), Microsoft Support and the Trustworthy Computing team. This highly successful effort has evolved with each of Microsoft’s operations. Microsoft takes the information it learns from each case to build robust botnet intelligence that can be used to help organizations worldwide better protect people and undo the damage botnets cause. Today, Microsoft provides this intelligence to ISPs and CERTs around the world to help notify and clean victims’ computers. Microsoft also continues to explore other innovative uses for this intelligence in our quest to disrupt the infrastructure of infected computers exploited by cybercriminals.

 Fighting botnets will always be a complex and difficult endeavor as cybercriminals find new and creative ways to infect peoples’ computers with malware, whether for financial gain or even more nefarious purposes. However, the good guys are making progress and this latest legal victory will be yet another blow to the botherders’ business.  Additionally, Microsoft, as ever, remains committed to following botnet cases wherever they lead the company and to holding those responsible accountable for their actions. As you may have seen, Microsoft recently named a new defendant in the legal case on Kelihos and the company continues to move forward with those legal proceedings. Meanwhile, in the Rustock botnet case, after closing its civil case, Microsoft made a criminal referral to the FBI.  With each new botnet operation, Microsoft will continue to keep all of its options open and that does include referring the matter to law enforcement when appropriate.

 Although this action was not intended to completely destroy all botnets running Zeus malware, it is expected to significantly disrupt the botherders’ operations by increasing the risk and costs for its controllers to continue doing business. This large-scale effort builds on other important work across the security community around the world to combat these and other botnets and is an important step in advancing the fight against the cybercriminals that fuel a wide variety of digital threats worldwide.

Financial Impact

This action marks a significant step forward in the fight against online fraud and is expected to help reduce the amount of online fraud and identity theft affecting consumers and businesses worldwide.  For both Microsoft and the financial services industry leaders, our customers are our number one priority and we pursued this disruptive action together to proactively protect our customers from this dangerous threat. 

 While there’s still more work to be done to address the Zeus threat as a whole, consumers and businesses can be assured that they are safer as a result of this action and members of the financial sector will continue to work to combat similar threats.

 Consumer Call to Action

It’s also important to note that there are steps consumers and businesses need to better protect themselves from becoming victims of malware, fraud and identity theft.   All computer users should exercise safe practices, such as running up to date and legitimate software, firewall protection and anti-virus/anti-malware protection.  People should also exercise caution when surfing the web, clicking on ads or email attachments that may prove to be malicious.

- More information about staying safe online can be found at https://www.microsoft.com/protect.)

- For computer owners worried whether their computers might be infected, Microsoft offers free information and malware cleaning tools at https://support.microsoft.com/botnets that can help people remove Zeus and other malware from their computers.

Regards

Alexandre Marins