Microsoft helps FBI in GameOver Zeus botnet cleanup

The following post is from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

Following Monday’s multi-national action against the GameOver Zeus botnet, we’re pleased to announce that Microsoft, working closely with the FBI and industry partners, has taken action to remove malware, so that infected computers can no longer be used for harm.

GameOver Zeus, a variant of the Zeus (or Zbot) family of malware, is a highly prevalent password-stealing trojan, according to research by the Microsoft Security Intelligence Report. Dell SecureWorks Counter Threat Unit reports that it was the most active banking trojan of 2013. However, the impact of GameOver Zeus is not limited to the financial industry – nearly all major business and public sector organizations are impacted. Security researchers estimate that between 500,000 and 1 million computers worldwide are infected, and the FBI estimates that Gameover Zeus is responsible for more than $100 million in losses.

The FBI-led legal action and private-sector-led technical action against GameOver Zeus has taken down a portion of the command-and-control (C&C) infrastructure linked to domains generated by the malware and registered by the cyber-criminals. In this operation, codenamed b157, the FBI seized the registered domains. Microsoft did not file a civil action in this matter, unlike some of its previous actions. Unlike most botnet centralized C&C servers, GameOver Zeus uses peer-to-peer (P2P) technology, making its C&C decentralized, more elusive and more resilient than its predecessors.

Microsoft’s role in this technical action was to conduct analysis on the P2P network and develop a cleaning solution. Also, through an additional feed from Shadow Server, we are able to augment our visibility into the number of impacted IP addresses that feed into Microsoft’s Cyber-Threat Intelligence Program (C-TIP), and work closely with global Community Emergency Response Teams (CERTs) and Internet service providers (ISPs) to help owners of compromised computers regain control of their systems. Based upon these actions, it is anticipated that the cybercriminals’ business model will be disrupted, and they will be forced to rebuild their criminal infrastructure. More importantly, victims of GameOver Zeus have been, and will continue to be, notified and their infected computers cleaned to prevent future harm.

This is the second botnet operation by Microsoft since the Nov. 14 unveiling of the new Microsoft Cybercrime Center – a center of excellence for advancing the global fight against cybercrime – and marks Microsoft’s ninth involvement in a botnet operation. Similar to Microsoft’s December 2013 ZeroAccess botnet case, GameOver Zeus is part of a cooperative effort with industry partners and law enforcement to take out cybercriminal networks to ensure that people worldwide can use their computing devices and services with confidence.


About GameOver Zeus

GameOver Zeus is spread through drive-by downloads, where the cybercriminals create a website that downloads malware onto any unprotected computer that visits that site. It is also distributed through the Cutwail spam botnet via phishing, where cybercriminals send counterfeit emails that appear to be legitimate communications from well-known businesses and organizations. These deceptive emails contain realistic language that could entice the recipient to click on a link or attachment, which ultimately deploys the GameOver Zeus malware onto the victim’s computer. The botnet automatically begins key logging when a user of an infected computer types into the Web browser, unwittingly giving cybercriminals access to passwords and private account information. The infected computer sends stolen data to the botnet’s C&C server, and stores it there for later use by the criminal.

GameOver Zeus has many similar properties to Zeus, such as logging keystrokes to steal banking credentials, but it also comes packaged with malicious functions that allow it to launch distributed denial-of-service (DDoS) attacks against financial institutions. Variants have allowed GameOver Zeus to circumvent perimeter security including firewalls, webfilters and network intrusion detection systems, by disguising itself as an encrypted .EXE file. GameOver Zeus also deploys a process known as “web injects,” which provide the ability to modify the HTML of a target website, and inject additional form fields to dupe a victim into entering sensitive information beyond standard banking credentials. In addition to targeting financial institutions, GameOver Zeus has deployed web injects targeting department stores, social networking sites and webmail services. Most recently, a variant is targeting job seekers and recruiters by attempting to steal log-in credentials for popular job search sites. Unlike some of the earlier versions of Zeus, such as ICE IX, Spy Eye and Citadel, GameOver Zeus has not been marketed and offered for sale in the public domain.

This case and operation are ongoing, and we will continue to provide updates as they become available. To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.

Visit for detailed instructions on how to remove the GameOver Zeus trojan using malware removal or anti-virus software as quickly as possible.

Microsoft hires Preston McAfee as chief economist

The following post is from Harry Shum, Executive Vice President, Technology and Research, at Microsoft.

Data is a precious resource, and as a company we need to make fewer decisions on intuition and more based on market and other data. In a post last month, Satya discussed the need for companies to create a data-driven culture, and we want to be leaders as we explore creative, diverse strategies to create greater value for our customers and greater value from our product/service data exhaust.

One demonstration of our intent to lead is the hiring of Preston McAfee (pictured below and right) as chief economist, reporting to me. Preston, most recently director of Google strategic technologies, will be responsible for leading a team of economists who will work closely with Amy  Hood, our chief financial officer, and business and engineering groups across the company on developing new business models and metrics, designing marketplaces for advertising and apps, assisting with government relations and policy, and developing an economic strategy for the company.

This isn’t the first time Preston will be a chief economist. For five years, from 2007 to 2012, Preston was chief economist and research fellow for our search partner, Yahoo!, where he captured our attention by building a great team that became well known for doing interesting research while ensuring it was impacting current products.

Preston’s other current professional activities include advisor to Rand Education; council member, Game Theory Society; founding co-editor ACM Transactions on Economics and Computation; and member of the Board of Governors, Pardee Rand Graduate School.

Preston has impressive academic credentials, including most recently from 2004–2009 as the J. Stanley Johnson Professor, California Institute of Technology. He has been awarded several patents; published two economics textbooks, Introduction to Economic Analysis, a free, open sourced, creative-commons-licensed textbook spanning introductory and intermediate microeconomics; and Competitive Solutions: The Strategist’s Toolkit; and published extensively. In 2011, Preston was named a distinguished fellow of the Industrial Organization Society and in 2009 a Sparc Innovator. In 2008, he received an Honorary Doctorate in Economics from Purdue University; in 2006 an ASCIT Teaching Award for Mentoring; in 1997 the John S. Day Distinguished Alumni Award, Purdue’s Krannert School of Management; and in 1995 he was named a Fellow of the Econometric Society.

 Susan Athey (pictured left), the Economics of Technology Professor at the Stanford Graduate School of Business, and a long-time advisor to Microsoft who participated in our selection process, has deep respect for Preston’s work and accomplishments.

“Preston is a world-class researcher in micro-economics and marketplace design who brings to Microsoft a unique blend of research depth combined with real-world applicability. His past work has brought together economics, computer science, and engineering to create innovative solutions for problems such as the design of efficient auctions for telecommunications spectrum and display advertising. He’s also interested in applying economics and machine learning to inventing and building new tools that improve business operations and create value customers, so he brings a great skill set for the breadth of Microsoft’s products.”

Our industry is barely a hundred years old, and we’re certainly entering a new, more human era of computing where our technology and the companies that provide it will work more under the user’s control and at the user’s command. Our economic models are evolving, too. In the Ford economy, you got what was available: one car, one color; in the Starbucks economy you got what you ordered, no matter how complicated; and now in the Pandora economy, you get what you like because the service keeps learning about you, tuning itself to your needs and desires.

We are incredibly optimistic about the path forward for the IT industry and for Microsoft, and we’re excited for the role Preston will play in working directly with our senior leadership team and product/service groups across the company in leading Microsoft on this customer-centric path.