The company said a consolidated legal case has been filed against those allegedly responsible that for the first time applies the Racketeer Influenced and Corrupt Organizations (RICO) Act.
Zeus has been a thorn in the side for financial institutions due to its stealthy nature and advanced spying capabilities that center around stealing online banking and e-commerce credentials for fraud.
According to a complaint filed under seal on March 19 in the U.S. District Court for the Eastern District of New York, Microsoft accused the defendants of infecting more than 13 million computers and stealing more than US$100 million over the last five years.
The civil complaint lists 39 “John Doe” defendants, many of whom are identified only by online nicknames, such as “Gribodemon” and “Harderman.”
It marks the latest action led by Microsoft against botnet operators. The company has gone to court before to gain permission to take control over domain names associated with the command-and-control infrastructure of botnets such as Kelihos, Rustock and Waledac.
The company has also initiated civil proceedings against unnamed operators but has had little success due to jurisdiction issues.
Microsoft also said this is the first time other parties have joined it as a plaintiff in a botnet case. The other plaintiffs are the Financial Services Information Sharing and Analysis Center, a nonprofit security organization, and the National Automated Clearing House Association (NACHA).
NACHA oversees the Automated Clearing House system (ACH), a widely-used but aging system used by financial institutions for exchanging details of direct deposits, checks and cash transfers made by businesses and individuals. It has been heavily targeted by Zeus.
The court granted Microsoft and its partners permission to seize servers located in Scranton, Pennsylvania, and Lombard, Illinois, on Friday. Microsoft has also taken control of 800 domains that are part of Zeus’ infrastructure.
Microsoft said the action resulted in the disruption of several of Zeus botnets, and it would now work to identify and notify people whose computers are infected with the malicious software. Also contributing to the action was Finnish security vendor F-Secure and Kyrus Tech, a security company.
Send news tips and comments to jeremy_kirk@idg.com