Microsoft names two 'John Does' from Zeus disruption

News by Dan Raywood

Microsoft has named two men as being members of the 'Zeus botnet family' and being in the team behind the banking Trojan.

Richard Domingues Boscovich, senior attorney at Microsoft's digital crimes unit, said that of those originally named as 'John Does 1-39', he was "pleased to announce that we have identified and named two defendants as members behind the Zeus botnet family". He also said that Microsoft will be referring the case to the FBI for criminal review and turning over all of the evidence gathered so far, including evidence of a broader group of perpetrators beyond the named defendants.

The two men, Yevhen Kulibaba and Yuriy Konovalenko, are currently serving a custodial sentence in the UK for other Zeus malware related charges. He said: "The original complaint was filed against a group of 'John Doe' defendants and with the exception of Kulibaba and Konovalenko, our best efforts to identify the remaining John Doe defendants turned up no response.

"We will continue our efforts to serve defendants Kulibaba and Konovalenko, and the John Doe defendants, with this amended complaint. Meanwhile, the botnets' command and control (C&C) domains remain disabled. It is Microsoft's goal to ensure that these domains ultimately remain disabled, and we hope the evidence collected from these domains leads to a criminal investigation."

The disruption of Zeus' C&C servers in March was not intended as a permanent shutdown, but rather as a "strategic disruption of operations" intended to mitigate the threat and cause long-term damage to the cyber criminal organisation that uses and relies on the botnets.

Boscovich said that the Electronic Payments Association (NACHA) has seen a decline in Zeus infection rates, from 779,816 infections between 25th and 31st of March 2012 to 336,393 for the period of 17th to 23rd of June 2012.

Boscovich said: "Additionally, as a result of sinkholing the Zeus IPs seized during Operation b71, we have learned the locations of hundreds of thousands of computers infected with Zeus malware. These computers belong to innocent people, and we want to rid their machines of the Zeus malware for good.

"To this end, we will coordinate with internet service providers (ISPs) and Community Emergency Response Teams (CERTs) around the world to help people regain control of their Zeus infected computers."
