Monday, March 26, 2012

MicrosoftDCU, FS-ISAC, and NACHA vs. Zeus

On March 24, 2012, Microsoft unveiled a joint lawsuit with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the National Automated Clearing House Association (NACHA). Based on a Temporary Restraining Order filed as part of the Law Suit, Microsoft and their agent, Stroz Friedberg, accompanied by U.S. Marshals, served their TRO at the BurstNET facility in Scranton, Pennsylvania, and at Continuum Data Centers in Chicago, Illinois. Servers named in the TRO were allowed to be monitored to capture four hours of network traffic before taking the servers into possession where they will be held in Escrow by Stroz Friedberg.

In addition, more than 1700 domain names were redirected to the Microsoft IP address While at first, I thought it would be a useful service to our readership to list the 1700+ domain names, I believe (and will hopefully have confirmation from Microsoft shortly) that it would be sufficient for network administrators to look for traffic destined to this new "rerouted" address. If you have a computer on your network sending traffic to, my current understanding is that this computer is likely attempting to send traffic to one of the domains that are subject to this TRO, and that this is an indication that computer may be infected with Zeus, ICE-IX, or SpyEye. Appropriate security measures will vary based on the role and use of that computer within your organization, but password changes of any accounts accessed from that computer, and malware removal would be minimum steps.

The lawsuit names "John Does 1-39" which are described by their online monickers or "handles", many of which will be well known to anyone who has been researching Zeus:

JOHN DOES 1-39 D/B/A Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits AND JabberZeus Crew CONTROLLING COMPUTER BOTNETS THEREBY INJURING PLAINTIFFS, AND THEIR CUSTOMERS AND MEMBERS

All of the supporting legal documents can be found on the Microsoft-registered server:

The Temporary Restraining Order seizes 1,703 domain names! Each domain name is listed with the role that it played in the overall scheme to infect computers and steal data from their users. For example: - dropzone - source - embedded_js - dropzone, source, infector - updater

A "source" would be a domain that was advertised in an email. An "embedded_js" would be a site to which the source redirected to load hostile java script. A "dropzone" would receive credentials from an infected computer. An "updater" would push additional or new commands, configurations, or malicious code to the already compromised computers.


In a 179 page Declaration, Mark Debenham, a Senior Manager of Investigations in the Microsoft Digital Crimes Unit, lays out the overall structure of the Zeus gang and the way in which Zeus infects users and steals money. He describes the three-fold purpose of Zeus as to infect end-user computers in order to:

(1) steal credentials for online accounts, such as account login information for Microsoft or other websites, or financial and banking credentials, from the owners or users of those computers.

(2) access the victims' online accounts with the stolen credentials, and

(3) transfer information or funds from the victims' accounts to accounts or computer controlled by the Defendants.

Debenham goes on to say that three inter-related malware families are the subject of this lawsuit -- Zeus, Ice-IX, and SpyEye, and that all were created and sold by the individuals using the handles:

Slavik, Monstr, Harderman, Gribodemon, and nvidiag

John Doe 1 is identified as the Zeus botnet code creator, who uses the handles Slavik, Monstr, IOO, and Nu11.

John Doe 2 is identified as the creator of Ice-IX, who uses the handles nvidiag, zebra7753, lexa_mef, gss, and iceIX. ICQ 610875708.

John Doe 3 is identified as the creator of SpyEye, who uses the handles Harderman and Gribodemon.,,,,

John Doe 4 is identifed as an operator within the "JabberZeus Crew" who recruits money mules and uses them to cah out stolen credentials. He uses the handles Aqua, aquaSecond, it, percent, cp01, hct, xman, and Pepsi., ICQ 637760688.



In a separate 163 page declaration, Pamela Moore, the Senior Vice President and Chief Financial Officer of NACHA documents the particular harm caused to NACHA, showing that in same cases the volume of documented spam messages imitating NACHA rose as high as 167 million emails in a single 24 hour period.

Readers of this blog will be well-familiar with the NACHA scams that lead to Zeus, as we have been documenting them as far back as November 12, 2009 when we wrote the article Newest Zeus = NACHA: The Electronic Payments Association.

According to Moore's affidavit, just in the month of November 2011, NACHA was responsible for terminating 555 websites that were distributing malicious content linked from an email message imitating NACHA. As a small business with less than 100 employees, NACHA has been hit with $624,000 in costs responding to the emails that falsely claimed to be from her organization.

Moore's declaration contains her 15 page statement followed by page after page of documented evidence supporting that false and misleading emails were sent out related to these Zeus actors.

American Banking Association

William Johnson of the American Banking Association also entered a statement of support. Johnson serves as the Vice President and Senior Advisor for Risk Management Policy for the ABA. He also chairs the ABA's Information Security Working Group and their Bank Security Committee. In addition, Johnson is on the board of the FS-ISAC, on the Steering Committee for NACHA's Internet Council. The ABA is of huge importance to the banking world. 92% of the $13 Trillion in U.S. Banking assets are held by ABA members.

Statistics shared by Johnson include:
- 2010 was the first time where electronic debit card fraud exceeded traditional check card fraud
- 96% of all banks incurred losses from debit card fraud in 2010. Community Banks experiencing such fraud grew from 61% in 2006 to 96% in 2010.
- In 2009, 36% of banking customers said "online banking" was their primary means of interacting with their bank. In 2010 it was 62%.
- In 2011 4.9% of the U.S. adult population was a victim of identity theft.
- In 2009, the average victim of identity theft spent 68 hours and $741 in costs repairing the damage caused by identity theft.

Kyrus Technologies

Jesse Kornblum (yes, THAT Jesse Kornblum!) of Kyrus Technologies also prepared an affidavit of support for the lawsuit. Jesse was a Computer Crime Investigator for the Air Force Office of Special Investigations, ultimately becoming the Chief of the Computer Crime Investigations Division of the Air Force Office of Special Investigations.

In his role at Kyrus Technologies he and his team reverse engineered many of the Zeus malware binaries, comparing known source code and various binaries, and showing conclusive evidence of shared code between SpyEye, ICE-IX, and Zeus (which they refer to as PCRE). For the malware reverse engineering geeks, be sure to read the Kornblum Declaration (55 page PDF).

Orrick, Herrington, Sutcliffe

Kornblum's declaration was for the malware geeks. For the lawyers in the readership, Jacob Heath of the law firm Orrick, Herrington & Sutcliffe LLP also makes a declaration in support of the call for the Temporary Restraining Order. Orrick is the counsel of record for Microsoft in this matter.

They have arranged the website on which these procedings are located, as well as the publication of proceedings throughout "Russia, Ukraine, and Romania, where Defendants are generally believed to reside."

Heath's declaration - part one carefully walks through the finer points of ICANN's Policies and procedures showing the clauses that give them the rights to suspend, cancel, or seize the domain names in question, as well as terms of service at BURSTNET (AKA Network Operations Center, Inc.) that require the client's to register domains using truthful information. "Failure to comply fully with this provision may result in immediate suspension or termination of your right to use BurstNET(R) Services" and also showing the BurstNET policies stating that BurstNET services "may be used only for lawful purposes" and specifically banning malware, botnets, spam, or phishing uses of these services.

How thoughtful of Microsoft to help BurstNET enforce these policies!

For many more details, and a video about this weekend's raid at BurstNet in Scranton, Pennsylvania, please see the Official Microsoft Blog.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.