The next time representatives from Microsoft come knocking on your door, it may be to actually seize your servers. And it is all legit, thanks to the RICO laws. The interesting thing is it is part of its digital crime efforts to disrupt botnet operators. On Friday, Microsoft staffers entered two hosting providers, one in Illinois and one in Scranton, Penn., to seize the command and control computers of two Zeus botnets. Microsoft had sued the operators on the grounds that the botnets violated their copyrights and trademarks by taking control over a series of Windows PCs.

The software giant is working with the Financial Services Information Sharing and Analysis Center and the Electronic Payments Association as well as vulnerability research firm Kyrus Tech. Kyrus reverse engineered seventy different binary files that were associated with Zeus activities and according to their blog entry today contained the following features:

  • HTTP and VNC-like servers.
  • Remote Process Injection. Uses WriteProcessMemory to inject executable code into a remote process. Generally this is either used by debuggers or malware. Since this binary has no debugger functionality, we assume the reason for its inclusion is malicious.
  • Screenshot Capability. Allows this application to save and send back screenshots to the server. This allows an attacker to see what exactly is showing on the victim's screen.
  • Keyboard Logging Capabilities. Allows the attacker to send keystrokes to a server to get victim's passwords that are typed into the keyboard.
  • Browser Logging and HTTP injection capability. Hooks nspr4.dll to allow logging and injection of HTTP and HTTPS data.
  • Windows mail download. Allows the attacker to view the victim's email if the user uses Windows Mail or Outlook Express.

After it has done all of this nasty business, it then runs a batch file to delete itself.


Zeus is highly pernicious and a very active piece of malware, infecting millions of computers around the world. What makes it nastier is that the source code is freely available online, and there are several ways to purchase turnkey implementation kits as well. This is Microsoft's fourth anti-Zeus raid, showing that civil litigation against malware operators is becoming more commonplace.

Nevertheless, this is a small step forward towards fighting cybercriminals. As the Kyrus blog states, "Fighting the discrete activities launched from such a platform is like shooting down a plane launched from an aircraft carrier: they're just going to send more planes. If you want to have an impact you need to negatively impact the carrier."

But it may not be enough."Ultimately, the most important thing will be to bring those who write the malware, sell the malware, buy the malware, or profit from its use to justice. Taking over web servers is one thing, but unless the people behind the Zeus and other malware operations are brought to book, the crime is just going to continue." says Graham Cluley, writing today in the Sophos Naked Security blog.