Microsoft takes down ZeuS botnets

A Microsoft-led operation resulted in the takedown of key servers associated with the infamous ZeuS and SpyEye banking Trojan botnets on Friday. Months of investigation culminated in the coordinated seizure of command-and-control servers associated with the botnets and hosted in Scranton, Pennsylvania, and Lombard, Illinois. …


This topic is closed for new posts.
  1. S4qFBxkFFg

    I'd buy them a drink.

    It's rare having any appreciation for Microsoft's efforts, but checking the bin in my gmail account, there's no spam whatsoever, where normally there'd be a few dozen items.

    1. Spearchucker Jones

      Re: I'd buy them a drink.

      Agreed. I'd love to see a similar initiative from Google* - given the reach of Gmail, and their server resources.

      * Not holding my breath.

    2. Arctic fox

      Re: "I'd buy them a drink." I agree.

      Whilst one can of course say (with justice) that they should have begun this a long time ago it is indisputably true that in recent years they have been devoting increasing efforts and considerable resources (=a great deal of wonga and man-hours) to making a significant dent in the problem. Good to see.

    3. Anonymous Coward

      Re: I'd buy them a drink.

      ... but it was Microsoft's crappy OS that gave them the ability to do their naughty deeds in the first place!

      1. Gordon Fecyk

        And you wonder why I go a little mad...

        Read this and this before you blame Microsoft for a botnet team's actions.

        1. eulampios

          @Gordon Fecyk Still in 2001?

          >>Wednesday, 4 April 2001 DO YOU USE...

          Gordon, where have you been in 2004 when I switched to Linux? Sorry, too late, I did not know about "The Lion worm — yet another variant of the Ramen worm" back then. Spooky indeed.

          "If youth only knew: if age only could"

          Your post is most anti-Microsofty today.

        2. This post has been deleted by its author

      2. This post has been deleted by its author

      3. kain preacher

        Re: I'd buy them a drink.

        Wait so if I download some thing, intentionally install it, my OS should stop me ? Explain how that works.

        1. Tom 13


          No, the point is it should ONLY install things you intentionally install, not just any damn thing sitting on a website. Websites should only be able to display content unless explicit action is taken to cause something else to occur, and I'll even go so far as to include automatically starting an embedded media stream.

    4. Hardcastle the ancient

      Re: I'd buy them a drink.

      Whilst I am glad to see them helping the authorities and taking some responsibility for what they have wrought, it still seems odd to me that it is MS and not some government body leading the action.

      It is as though cyberpolicing has been privatised.

      But any takedown is a good takedown. Send in the sheriff!

    5. This post has been deleted by its author

    6. eulampios

      Save this drink for the spam filter

      >>the bin in my gmail account, there's no spam whatsoever

      So you expect it in the spam box, not your inbox? Thanks should be addressed to the spam filter (supposedly based on spamassassin). My spam mostly lands there, unlike some of my friends with hotmail and others.

      Or buy them some cheap ... lemonade, my older gmail account spambox does seem to receive less spam though this month. :)

    7. kb

      Re: I'd buy them a drink.

      What is sad is, as someone who fixes and sells Windows PCs, frankly it isn't Windows' fault, it's PEBKAC. You see, the malware guys have figured out the "dancing bunnies" tactic, whereby you offer the victim something they REALLY want, be that pron, free software, even something as unlikely as a chance to win an iPod, and then the user will happily disable their own security and infect their own machines!

      The only time I ever had to throw someone out of my shop was over a dancing bunny, where this person refused to listen to me when I told him that Limewire had been dead for years, so instead he takes his brand new PC and when he finds some malware listed as "the new limewire" he first tries to disable and then, when that doesn't work, REMOVES the AV AND UAC protections and then has the gall to complain because "The machine shouldn't have gotten infected like that" and demand I repair it for free. When I threw him out of my shop he was yelling "It says right there it is the new Limewire so you MAKE IT WORK!"

      Sad that Windows so often gets blamed when I'd say a good 99% of the infections I see are just from mind-numbing stupidity. I've seen users give up their passwords, lower their security, do whatever the malware writers ask them to, all to get some "prize" which of course only is a trojan package. You can design the most secure OS on the planet and when you have the user actively trying to dismantle your security you're as good as doomed.

  2. Alister


    "The operations resulted in the dismantling of two IP addresses behind the ZeuS ‘command-and-control’ structure."

    So... how do you dismantle an IP address?

    Tear off each octet and hammer it into submission?

    Or just forcibly remove the dots so it all falls apart...

    1. Anonymous Coward

      Re: Interesting...

      I rather like the idea of a Microsoft assassin walking up behind the server with a pair of gardening shears, cutting the Ethernet cables and then bundling the server into a black van with a cloth over its diagnostic panel so that it may be waterboarded for information in a dark room in the basement of the Redmond campus 200ft underground, shielded from the world's eyes.

    2. Anonymous Coward

      Re: Interesting...

      "how do you dismantle an IP address?"

      Null route it on all core routers.

      But seriously, what needs to happen IMHO is:

      thread collect_ips
        while true
          collect IPs connecting to botnet Command and Control
          store in infected computer database
        end while
      end thread

      thread enforcement
        while true
          for all national governments
            for all ips in infected computer database
              look up owner of IP block containing IP
              if owner is in government's country
                if owner not contacted yet
                  snailmail owner "this machine is infected. See it gets cleaned up. You have 2 weeks to comply." --signature=required
                  owner contacted
                else if time of contact > 2 weeks
                  disconnect owner from network.
                end if

                look up owner's peering partners in country
                for all peering partners
                  if partner not contacted yet
                    snailmail partner "this machine is infected. Either compel owners of netblock to fix it or de-peer owners. You have 2 weeks to comply." --signature=required
                    partner contacted
                  else if time of contact > 2 weeks
                    disconnect partner from network.
                  end if
                end for
              end if
            end for
          end for
        end while
      end thread

      Harsh, but it would put a big dent in the botnet problem: ISPs would either have to bestir themselves to contact their lusers and get them to fix the machines, disconnect the lusers' machines from the network, or face disconnection themselves. Even if an ISP is in a country that doesn't help enforce the rules of the road, that ISP eventually gets de-peered from enough countries that do enforce the rules that they cease to be an issue.

      (Now I await the masses of "how dare you ask anybody to be responsible for the consequences of their actions you fascist bastard!" to downvote me.)
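The two-thread scheme in the post above, as an added example that is not from the thread: a small Python simulation of the collect-then-escalate loop for one government, with the contact deadline left as a parameter (the interval Tom 13 quibbles with in the reply). Every address, netblock, owner name and log line is constructed for illustration.

```python
# Added example (not from the thread); all IPs, netblocks, owners and log lines are constructed.
import ipaddress
from datetime import datetime, timedelta

# Constructed sinkhole-style records: "<time> <client ip> -> <c2 host>"
SINKHOLE_LOG = """\
2012-03-26T10:00:00 192.0.2.17 -> c2.example.invalid
2012-03-26T10:05:00 198.51.100.8 -> c2.example.invalid
2012-03-27T09:00:00 192.0.2.17 -> c2.example.invalid
"""
# Constructed ownership table: the "look up owner of IP block" step
NETBLOCKS = {
    ipaddress.ip_network("192.0.2.0/24"): ("ISP-A", "US"),
    ipaddress.ip_network("198.51.100.0/24"): ("ISP-B", "DE"),
}

def collect_ips(log):
    """collect_ips thread: every client seen talking to the C2, keyed to its first sighting."""
    infected = {}
    for line in log.splitlines():
        seen, ip, _arrow, _c2 = line.split()
        infected.setdefault(ipaddress.ip_address(ip), datetime.fromisoformat(seen))
    return infected

def owner_of(ip):
    return next((o for net, o in NETBLOCKS.items() if ip in net), None)

def enforce(infected, contacted, now, country, deadline):
    """One pass of the enforcement loop for one government's country.
    contacted maps owner name -> date of first notice (updated in place)."""
    actions = []
    for ip in infected:
        owner = owner_of(ip)
        if owner is None or owner[1] != country:
            continue
        name = owner[0]
        if name not in contacted:               # "if owner not contacted yet"
            contacted[name] = now
            actions.append(("notify", name, str(ip)))
        elif now - contacted[name] > deadline:  # "time of contact > deadline"
            actions.append(("disconnect", name, str(ip)))
    return actions

def simulate(country="US", deadline_days=14):
    """Three enforcement passes at weeks 0, 1 and 3; returns every action taken."""
    infected, contacted, out = collect_ips(SINKHOLE_LOG), {}, []
    for week in (0, 1, 3):
        now = datetime(2012, 3, 28) + timedelta(weeks=week)
        out += enforce(infected, contacted, now, country, timedelta(days=deadline_days))
    return out
```

Note that, exactly like the pseudocode, the infected database never ages out a machine that stops contacting the sinkhole, so a real run would need to drop cleaned hosts before each pass or owners get disconnected for an infection they already fixed.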

      1. Tom 13

        @David D. Hagood

        Given the requirement for snailmail, I'd quibble with the specific time interval. Even in Western nations I think I'd want 3, though no more than 4 weeks. For third world areas it would probably take significantly more in order to allow time to actually contact them and for them to have time to clean the machine.

        But the overall algorithm looks good, and even with longer lead times would still get to the desired result.

        1. Anonymous Coward

          it was indented

          It was more readable when indented, but the Reg undid that....

      2. Anonymous Coward

        Re: Interesting...

        If I received a letter telling me my PC was infected, it would be binned straight away.

  3. Anonymous Coward

    Act on the infected machines

    So, have they added appropriate legal terms to their EULA yet, so they could use botnet command channels to tell infected machines to warn the user / disinfect / do something useful?

  4. zaax

    Why not secure the hosts (as the police / authorities would make a burgled house safe, then bill the owner) by adding an anti-virus / bot software on the host.

  5. Microphage

    Mustn't ever mention Windows ..

    "A Microsoft-led operation resulted in the takedown of key servers associated with the infamous ZeuS and SpyEye banking Trojan botnets on Friday".

    1. Gene

      Re: Mustn't ever mention Windows ..

      Don't have to - it's understood.

  6. eulampios

    "such and such recommends Windows 7!"

    >>Microsoft has detected more than 13 million suspected infections of ZeuS and SpyEye-related malware worldwide, with more than 3 million in the United States alone.

    When a PC maker suggests something like "We recommend Microsoft Windows Vista/7/8" it should really add "and Microsoft may detect you to be among the millions of malware infected worldwide!" In the US specifically, the slogan can finish with "Isn't it cool?"

    Thumb Up

    Nice work Microsoft!

  8. Rick Giles


    All they [Microsoft] did was stub their [the criminals] toe.

    Switch to Linux already and M$ will go away. And so will the script kiddies.

  9. Dennis Wilson


    The airforce would have done a better job.


Biting the hand that feeds IT © 1998–2022