Microsoft has named two of the 39 defendants it is suing for their alleged role in operating the Zeus botnet.
According to an amended civil complaint filed last week in US District Court in Brooklyn, Microsoft named Yevhen Kulibaba and Yuriy Konovalenko as defendants. The other defendants remain listed as "John Does."
The identification of the pair shouldn't come as a surprise considering Ukrainians Kulibaba and Konovalenko were among 19 people charged in London in 2010 with being members of the Zeus gang.
The duo, who were ringleaders, currently are serving prison time in the UK.
Richard Boscovich, a senior attorney with the Microsoft Digital Crimes Unit, said in a Monday blog post that he hopes the software giant's latest information will provide additional firepower for the FBI.
"Our hope is that the evidence we provided to the FBI in this case will lead to a criminal investigation that brings the perpetrators to justice," he wrote.
Microsoft announced in March that, as part of a coordinated effort with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and NACHA – The Electronic Payments Association, it has dismantled prominent hubs that provided instructions to machines infected with Zeus and related malware families, including SpyEye.
US Marshals led the raid on hosting locations in two US locations, where they confiscated command-and-control (C&C) servers and took down two key IP addresses in the process.
In addition, as a result of the seizure, Microsoft assumed control of some 800 domains involved with the servers, a process known as sinkholing.
Codenamed "Operation b71," the bust relied on obtaining warrants through the aforementioned lawsuit, which was filed against those who are believed responsible for running the Zeus C&C servers.
In the suit, Microsoft applied the Racketeer Influenced and Corrupt Organisations (RICO) Act, a federal law that extends penalties for those involved in organised crime.
"By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the 'organisation' were not necessarily part of the core enterprise," Boscovich wrote in a separate blog post at the time.
He said Zeus' C&C infrastructure remains offline, and this appears to be having a major effect. Zeus infection rates, by IP address, have dropped from about 780,000 at the end of March to roughly 336,000 as of June 23, though new variants of the data-stealing trojan continue to persist.
In addition, fewer zombie computers means there has been a precipitous drop in phishing emails. Boscovich referenced Microsoft's co-plaintiff, NACHA - The Electronic Payments Association, which has reported a 90 percent reduction in people receiving fraudulent emails that claim to come from it.
NACHA manages the Automated Clearing House (ACH) money transfer network, which commonly has been used by hackers in banking heists.
"As Microsoft and our partners explained in March, Operation b71 is just one step in an ongoing campaign to undermine the Zeus cybercriminal organisation and help identify those responsible for this dangerous threat," Boscovich wrote.
Security experts have long considered Zeus to be a criminal enterprise, and Microsoft said it has detected 13 million infections worldwide, with more than three million just in the United States.
In addition, opportunistic criminals should have no problems finding exploit toolkits that can be used to fire off the Zeus trojan, especially after its source code was leaked last year. The kits sell for anywhere between $US700 to $US15,000 on the black market.
This article originally appeared at scmagazineus.com
Copyright © SC Magazine, US edition
Issue: 331 | September 2014
Access CRN's extensive online resources including; email bulletins, community discussions and unique online news.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can log on to the CRN website or start posting comments on articles.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain '@crn.com.au' to your white-listed senders.