Yesterday we learned from FireEye researchers that Microsoft failed to take down 3 command and control (C&C) servers used by the ZeuS botnet that it disrupted last week. As it turns out, Microsoft left the servers alive intentionally.
We have contacted Microsoft representatives and asked for clarifications regarding the 3 mystery C&C servers.
It sounds like FireEye experts are not familiar with the strategy adopted by the Redmond company for this major takedown.
While Microsoft clarifies matters for FireEye, Richard Boscovich, senior attorney at the Microsoft Digital Crimes Unit, provided a statement explaining precisely why the servers were left unharmed.
Here’s what Mr. Boscovich said:
The command and control servers referenced in FireEye's blog post were not seized as part of the March 23rd raids. Microsoft intentionally did not target these command and control servers for strategic reasons and believes those servers may be part of the Zeus botnets’ fallback mechanism.
As we have said before, this was the first action in a long-term campaign. Additionally, we have just received court approval to begin looking at the evidence seized as part of the raids and will be sure to share more information when it is available.
It’s important to note that there are hundreds of Zeus botnets with numerous command and control servers operating today. Due to the unique complexity of Zeus botnets, the goal here was not the permanent shutdown of all impacted targets.
Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long term damage to the cybercriminal organization that relies on these botnets for illicit gain.