In a court submission that runs to 162 pages, Microsoft and the Information Sharing and Analysis Center (FS-ISAC), a trade group representing 4,400 financial institutions, and NACHA, the Electronic Payments Association, are pursuing the criminals they believe to be behind the ZeuS, SpyEye and Ice IX botnets
The codebase behind ZeuS, Ice-IX and SpyEye has a long and infamous history in internet crime, ZeuS has been around since 2006 (2007 is specified in the court submission) and is responsible for hundreds of individual botnets stealing millions of pounds from consumer and business bank accounts. SpyEye was originally set up as a competitor to ZeuS and even went as far as to remove ZeuS if it found it on a computer that SpyEye was trying to infect. More recently the two code bases have been merged into a single piece of crimeware.
The court submission from Microsoft, while it openly states that the identities of the “John Does” are currently unknown, does go a long way towards exposing the huge infrastructure behind crimeware of this nature. It specifies, three individuals identified as the original ZeuS, SpyEye and Ice-IX coders and two further code developers, two PDF and Flash exploit vendors responsible for creating malicious files that drop the bot onto your PC, three web-inject vendors who create the scripts that inject fake content into legitimate banking web sites, four individual botnet hosters and fifteen individual botnet operators, seven money mule recruiters, three specialists in cashing out stolen funds and one individual responsible for handling “incoming notifications of newly compromised victims”.
The court submission identifies malicious network infrastructure that spans the globe, from North America through the UK and Germany via Iran, Hong Kong and even Laos all the way to Australia. A total of 3357 domain names across 35 registrars have been identified as being related to what they are collectively calling “the ZeuS botnets”, with 1703 of those domains registered with Verisign. In raids on two hosting locations on March 23rd servers were seized leading to disruption of botnets and criminal activities. However, as Microsoft notes, this enforcement action only closed down two IP addresses and secured 800 monitored domains (from 3357), so the immediate effect can be expected to be minimal.
Of course, cybercrime is bigger than just 39 people and currently no specific individuals have been identified, but if nothing else, this indictment serves as a graphic illustration of the maturity of the criminal business model. Criminals such as Slavik and gribodemon have successfully evaded justice for many years, but let’s hope that this continued focus and international cooperation across the security and law enforcement communities can eventually make a significant dent in their illegal operations.
The ZeuS Tracker project, which lists Command & Control servers around the world is today listing 806 ZeuS and Ice IX servers, 343 of which are currently online and active. SpyEye Tracker lists 487 servers globally, of which 16 are currently active.