Microsoft Names Two Zeus Botnet Operators


Three months after initially disrupting the Zeus botnet, Microsoft officials have named two of the people who they think are behind the malware network, a pair of Ukrainians who already are sitting in jail in the UK.
From the beginning of the anti-Zeus operation, which became public in March, Microsoft officials and lawyers from other organizations, including NACHA, have been trying to identify the dozens of John Does named in the initial legal complaint. Those efforts hadn’t met with any success, until last week when Microsoft named Yevhen Kulibaba and Yuriy Konovalenko as two of the John Does behind the Zeus botnet. The company has told both the FBI and the authorities in the UK of their findings, and also included the men’s names in the amended legal complaint.


“In an amended complaint, filed last week, Microsoft named Yevhen Kulibaba and Yuriy Konovalenko as defendants. Microsoft has learned that these particular defendants were already serving jail time in the United Kingdom for other Zeus malware related charges. Microsoft has advised the U.K. government of the criminal referral to the FBI. By referring this case to the FBI, as we did in September 2011 with our case against the operators of the Rustock botnet, we are affirming our commitment to coordinating our efforts with law enforcement. Our goal is always to work in ways that are complementary to law enforcement. Our hope is that the evidence we provided to the FBI in this case will lead to a criminal investigation that brings the perpetrators to justice,” Richard Boscovich, a senior attorney in Microsoft’s Digital Crimes Unit, said in an analysis of the operation.
The anti-Zeus operation is the latest in a line of botnet takedowns and anti-cybercrime actions undertaken by the Microsoft DCU, a relatively new gorup inside the company that’s devoted to investigating and helping stem cybercrime. The DCU also was involved in the takedown of the Rustock botnet, as well as operations against the Kelihos and Waledac botnets.The Zeus takedown hs been unique for a couple of reasons, chief among them the use of the civil section of the RICO anti-racketeering statute to aid in the investigation.
“In criminal court cases, the RICO Act is often associated with cases against organized crime; the same is true in applying the civil section of the law to this case against what we believe is an organization of people behind the Zeus family of botnets. By incorporating the use of the RICO Act, we were able to pursue a consolidated civil case against everyone associated with the Zeus criminal operation, even if those involved in the ‘organization’ were not necessarily part of the core enterprise,” Boscovich said at the time of the initial Zeus takedown.
Microsoft is working with ISPs to help them identify Zeus-infected machines and alert the users about the infection.