Last weekend Microsoft kicked down doors and took names of the operators running Zeus botnets.

Last Friday, Microsoft, along with U.S. Marshals and financial organizations, took control of servers running botnets that have allegedly stolen over $100 million USD. Reportedly, the thefts were carried out through some 13 million computers infected with the malware named Zeus. Three million of those computers are believed to be in the United States.

The raids took place in Scranton, PA and Lombard, IL. Sunday night, Microsoft’s senior attorney in the company’s Digital Crimes Unit said that the servers the company seized were running some of the worst known Zeus botnets.

Those responsible for the operation seem to have installed not only the Zeus malware on victims’ computers, but variations of the malware called Ice-IX and SpyEye. This comes from the lawsuit filed against the botnet creators last week. The botnet displayed fake banking websites when users tried to access legitimate banking websites, captured the personal information the victims typed in, and used that information to rob the victims.

Microsoft took control of the Internet traffic that had operated the 3,357 botnets, after the U.S. District Court for the Eastern District of New York legally sanctioned the raids. Specifically, the servers seized were the command-and-control machines running the network of infected computers. The 39 defendants in the case are known only by screen names.

This raid was a first for Microsoft. Not to say it hasn’t flexed its muscles and seized botnet hardware before, but it was the first time the company’s Digital Crimes Unit accomplished its task with the help of other groups, namely the Information Sharing and Analysis Center (a trade group that represents financial institutions) and NACHA, the Electronic Payments Association, which handles the system responsible for electronic funds transfer.

In the past, Microsoft has shut down the Waledac, Rustock, and Kelihos botnets. The unfortunate difference is that the company’s previous targets could essentially be shut down entirely just by seizing the necessary servers. According to the company statement, the Zeus botnet targets are too complex to simply come in and shut down, so the goal for the raid wasn’t a complete shutdown, but it was definitely a step in the right direction.

The creators of the Zeus malware have made their product even more potent by selling it to criminals as a do-it-yourself botnet creation kit. Microsoft reports finding these kits selling for anywhere between $7,000 and $15,000 USD. This was a long time coming for Microsoft. Zeus first hit in 2007, SpyEye came out in 2010, and Ice-IX in 2011.

Aside from being able to prosecute those who were implicated in the raid for robbery and identity theft, Microsoft leveled charges of violating the Computer Fraud and Abuse Act, the CAN-SPAM Act, and the Electronic Communications Privacy Act.

Contrary to what movies and television might have us believe, Microsoft’s operation wasn’t as simple as seeing a problem online and then busting down a door. The company’s operation, dubbed b71, took months of tracking, planning, coordinating, and gathering evidence before the Digital Crimes Unit was ready to make the strike. Microsoft found not only the usernames associated with the creators and developers of the malware, but also those of the people responsible for injecting the infection into users’ computers and those who carried stolen money to different countries for safekeeping.

Of course, now the real fun of litigation and hoop-jumping comes in before too much more progress is made against those who have been running these botnets, but Microsoft has taken a huge first step with this first lawsuit. If you’re interested in reading more about justice and the Internet, check out our blog post about President Obama writing a consumer privacy bill of rights.