If the miscreants behind the ZeuS botnets that Microsoft sought to destroy with a civil lawsuit last month didn’t already know that the software giant also wished to unmask them, they almost certainly do now. Google, and perhaps other email providers, recently began notifying the alleged botmasters that Microsoft was requesting their personal details.

Page 1 of a subpoena Microsoft sent to Google.

Microsoft’s unconventional approach to pursuing dozens of ZeuS botmasters offers a rare glimpse into how email providers treat subpoenas for account information. But the case also is once again drawing fire from a number of people within the security community who question the wisdom and long-term consequences of Microsoft’s strategy for combating cybercrime without involving law enforcement officials.

Last month, Microsoft made news when it announced a civil lawsuit that it said disrupted a major cybercrime operation that used malware to steal $100 million from consumers and businesses over the past five years. That legal maneuver may have upset some cyber criminal operations, but it also angered many in the security research community who said they felt betrayed by the action. Critics accused Microsoft of exposing sensitive information that a handful of researchers had shared in confidence, and of delaying or derailing international law enforcement investigations into ZeuS Trojan activity.

Part of the controversy stems from the bargain that Microsoft struck with a federal judge in the case. The court granted Microsoft the authority to quietly seize dozens of domain names and Internet servers that miscreants used to control the botnets. In exchange, Microsoft agreed to make every effort to identify the “John Does” that had used those resources, and to give them an opportunity to contest the seizure. The security community was initially upset by Microsoft’s first stab at that effort, in which it published the nicknames, email addresses and other identifying information on the individuals thought to be responsible for renting those servers and domains.

And then the other shoe dropped: Over the past few days, Google began alerting the registrants of more than three dozen Gmail accounts that were the subject of Microsoft’s subpoenas for email records. The email addresses were already named in Microsoft’s initial complaint posted at zeuslegalnotice.com, which listed nicknames and other information tied to 39 separate “John Does” that Microsoft is seeking to identify. But when Microsoft subpoenaed the email account information on those John Does, Google followed its privacy policy, which is to alert each of the account holders that it was prepared to turn over their personal information unless they formally objected to the action by a certain date.

According to sources who received the notices but asked not to be named, the Google alerts read:

“Hello,

Google has received a subpoena for information related to your Google
account in a case entitled Microsoft Corp., FS-ISAC, Inc. and NACHA v.
John Does 1-39 et al., US District Court, Northern District of California,
1:12-cv-01335 (SJ-RLM) (Internal Ref. No. 224623).

To comply with the law, unless you provide us with a copy of a motion
to quash the subpoena (or other formal objection filed in court) via
email at google-legal-support@google.com by 5pm Pacific Time on May
22, 2012, Google may provide responsive documents on this date.

For more information about the subpoena, you may wish to contact the
party seeking this information at:

Jacob M. Heath
Orrick, Herrington, & Sutcliffe, LLP
Jacob M. Heath, 1000 Marsh Road
Menlo Park, CA 94025

Google is not in a position to provide you with legal advice.

If you have other questions regarding the subpoena, we encourage you
to contact your attorney.

Thank you.”

Unlike most of its competitors in the Webmail industry, Google is exceptionally vocal about its policy for responding to subpoenas. This has earned it top marks from privacy groups like the Electronic Frontier Foundation (EFF), which recently ranked ISPs and social media firms on the transparency of their policies about responding to requests for information filed by the government or from law enforcement.

Google spokeswoman Christine Chen said she could not comment on specific legal cases, but said the company complies with valid legal process.

“We take user privacy very seriously, and whenever we receive a request we make sure it meets both the letter and spirit of the law before complying,” Chen said. “When possible and legal to do so, we notify affected users about requests for user data that may affect them. And if we believe a request is overly broad, we will seek to narrow it.”

At least 15 of the email accounts named in Microsoft’s lawsuit were addresses at hotmail.com or msn.com, both free Webmail services run by Microsoft. It’s not clear whether Microsoft gave those account holders a heads up about the subpoena. I asked Richard Boscovich, the former Justice Department lawyer and one of the architects of Microsoft’s legal strategy to target botnets with civil actions; he didn’t know, and referred me to Microsoft’s compliance unit. I’m still waiting for an answer. But it’s worth noting that Google was the only email provider on EFF’s list that was recognized for reliably alerting users about data demands. Microsoft was not recognized on this front.

Marcia Hofmann, a senior staff attorney with the EFF, said Microsoft’s legal effort underscores the tension between traditional law enforcement processes and companies using civil litigation to protect their own users and to vindicate their own interests.

“I suspect this is a situation where Microsoft feels law enforcement isn’t moving quickly enough,” Hofmann said. “But it also basically compromises law enforcement’s ability to do anything about the problem, and makes it possible for the suspects to evade any sort of law enforcement action.”

CUT-AND -PASTE JUSTICE?

Critics of the Microsoft effort say certain clues prove that the company borrowed and published raw intelligence without fully understanding the data’s true value and origins. Andy Fried, a former law enforcement official and owner of the Alexandria, Va. based security consultancy Deteque, was a co-founder of the little-known ZeuS Working Group, an ad hoc and extremely secretive collection of law enforcement officials and private security professionals dedicated to tracking ZeuS activity with the aim of bringing those responsible to justice.

“A basic tenet of this trust group is that everyone feels free to share data, but the rule is you never release that data outside of the trust group without express permission of whoever provided the data,” Fried said. “But there was no way that the data Microsoft published was received independently. Much of it was cut-and-pasted verbatim, and some of the data included in the search warrant was horrifically out of date.”

Yevhen "Jonni" Kulibaba

For instance, several of the key crime lords that Microsoft is seeking to unmask are already in prison for their crimes. John Doe #22 in Microsoft’s complaint — alleged to have used the nickname “Jonni” — is none other than Yevhen Kulibaba, a Ukrainian man arrested in London in 2010 and named as a ringleader of a money mule recruitment gang there. Kulibaba is currently serving a four-year jail sentence in connection with the ZeuS activity.

Microsoft said John Doe #23 goes by the alias “jtk,” yet this was the nickname used by Yuriy Konovalenko, the 30-year-old accomplice of Kulibaba who also was arrested as part of the U.K.-based ZeuS gang. Konovalenko likewise was sentenced to four years in jail.

Microsoft’s John Doe #24 is thought to go by the nickname “Veggi Roma,” but according to sources familiar with the case, this was an inside joke based on a lucky break that led police to the U.K. gang’s location. Investigators in London had been working with the FBI to monitor the communications of several members of the London-based ZeuS gang, but for some time they did not know whereabouts of the men, who were known at the time only as Jonni and Jtk. That is, until Jtk used his Internet connection to order a pizza to be delivered to their apartment. A “Veggi Roma” pizza, to be exact.

Yuriy "jtk" Konovalenko

Astute readers may be wondering how it is that Google’s emails and Microsoft’s subpoenas to the John Does named in the complaint are now public. According to Fried, that’s because some of the email addresses listed in Microsoft’s complaint as belonging to John Doe miscreants were in fact addresses used by security researchers who had registered domains to serve as “sinkholes” for one or more ZeuS botnets. Sinkholing is a practice by which researchers redirect the identification of the botnet control servers to their own server, so that malicious traffic that comes from each bot-infected client goes straight to the research box, ready to be analyzed.

COLLATERAL DAMAGE

Microsoft maintains that it worked with several security industry partners, and that it was operating under the assumption that the information those partners provided was either their own, or was freely available amongst them for the purpose of securing the Internet.

Microsoft’s Boscovich said the company did not work with law enforcement on this operation, and so had no idea whether there were ongoing or adjudicated investigations related the John Does named in its case. He emphasized that protecting customers was the company’s number one priority.

“Our main objective was to stop the bleeding, and everything we do is specifically related to that mission,” Boscovich said. “Congress specifically envisioned that it was and is appropriate for private entities to protect themselves and their interests, and as in this case, the interests of our customers. People are continuing to be victimized, computers compromised, identities stolen, and now those systems are posing a threat to other people on internet, irrespective of what operating systems they’re using.”

For his part, Fried said he believes Microsoft will soon find it more difficult to obtain sensitive information that security researchers and law enforcement gather about key cybercrime suspects. He also fears that the ZeuS working group and other informal information-sharing groups may disband or become less effective as a result of this case.

“Microsoft discounted everyone but themselves with their initial action, and they’ve compounded things pretty quickly with these subpoenas,” Fried said. “This is also going to cause collateral damage for a lot of trust groups, while all that they’ve accomplished is little more than a very miniscule inconvenience to the bad guys, whose servers were back up within 24 hours of the takdeowns.”

Jon Praed, founding partner of the Arlington, Va. based Internet Law Group, said he’s sympathetic to Microsoft’s position, and believes Google should have taken the trouble to investigate whether the John Doe accounts named in Microsoft’s lawsuit deserved to be notified.

“Unfortunately, most email providers have a one-size-fits-all privacy policy,” Praed said. “All of these companies have tried to create the legal right to do the right thing, but they’re making almost no attempt to apply that policy in practice. At the same time, Microsoft is spending a tremendous amount of money trying to stop this activity, and I don’t know anyone else out there who is even trying to do this.”

NB: This story has been updated several times. Please read through to the end

Security experts are tracking a massive drop in the global number of control servers for various ZeuS botnets that are online, suggesting that a coordinated takedown effort may have been executed by law enforcement and/or volunteers from the security research community acting in tandem.

Image courtesy ZeusTracker

Sold for anywhere from $300-$2,000 in shadowy underground forums, ZeuS is a software kit that allows criminals to set up distributed networks of hacked PCs, usually for the purposes of siphoning user names, passwords and financial data from victim computers. A criminal operating a ZeuS botnet can control the systems from afar using a central “command and control” (C&C) server, and it is not uncommon for a single ZeuS C&C server to control tens of thousands of infected hosts. In most cases, the infected PCs continuously upload the victim’s personal data to so-called “drop servers,” or data repositories online that are specified by the criminal controlling the ZeuS botnet.

According to Roman Hüssy, the Swiss information technology expert who runs ZeusTracker – probably the most comprehensive site that tracks ZeuS activity — on the evening of Mar. 9, the number of active ZeuS C&C servers he was tracking fell instantly from 249 to 181.

In an online chat conversation with Krebs on Security, Hüssy said the average ZeuS C&C he tracks has anywhere from 20,000 to 50,000 unique infected computers under its thumb. That means this takedown may have had a massive impact on a large number of criminal operations. For starters, even if we take a conservative estimate, and assume that each of the C&Cs knocked offline controlled just 25,000 PCs, that would mean more than 1.7 million infected systems were released from ZeuS captivity by this apparently coordinated takedown.

Hüssy said the individual machines are still infected with ZeuS, but he doubts the criminals who previously controlled them will be able to recapture those systems. Hüssy said given that the ISPs that were disconnected had a reputation as “bulletproof” — or immune to takedown by law enforcement — the criminals running their ZeuS controllers there probably did not think to place backup servers at other ISPs.

According to Hüssy’s data, the outage began after an Internet service provider called Troyak and apparently situated in Kazakhstan was disconnected from its upstream Internet providers. Troyak served at least six other smaller networks that Hussy said were also were home to a large number of ZeuS C&Cs, and those networks also were impacted by Troyak’s demise.

It’s not clear who or what is responsible for this episode. But one thing is clear: Someone or something is directly taking on the infrastructure used to distribute and control hundreds of ZeuS botnets around the globe.

The malicious software that installs ZeuS on victim PCs is most often distributed via spam, which frequently takes the lure of a spoofed e-mail from the Internal Revenue Service, Facebook, and other well-known organizations. The messages typically include a link to a site that attempts — by exploiting software vulnerabilities or by tricking the user — into installing a small program that lets the attackers seize control over the systems remotely.

Andy Fried, owner of Deteque, a computer security consultancy in Alexandria, Va., has been tracking ZeuS related spam and ZeuS related domains for many months now. The ZeuS gangs he has been fighting have for more than a year now been blasting out ZeuS primarily using the Pushdo botnet, another massive grouping of hacked machines that experts have shown is available for rent on criminal forums to vetted spammers and other miscreants.

Fried said the ZeuS gangs he’s been tracking launch a new spam campaign every few days. But on Feb. 27th, the spam pushing ZeuS abruptly stopped, and hasn’t resumed since, Fried said.

“Nobody seems to understand why yet,” said Fried, a former cyber fraud investigator with the IRS. “All I know is since the 27th, we’ve seen none of our traditional ZeuS spam. I mean, we’ve seen them take breaks before, but nothing at all like this.”

More to come. Stay tuned.

Update, 12:10 p.m. ET: Paul Ferguson, a threat researcher from Trend Micro, pinged me to say that that the satellite hosting providers linked to Troyak were located in Russia and Ukraine, not Kazakhstan, as MaxMind’s IP address locator service suggests.

Update, 4:36 p.m. ET: Sadly, it appears that Troyak — the Internet provider that played host to all these ZeuS-infested networks that got knocked offline yesterday — has since found another upstream provider to once again connect it to the rest of the Internet.

Update, Mar. 11, 5:48 p.m. ET: Zeustracker recently posted this update to its site: Bad news: Since Troyak started their peering with RTCOM-AS, the number of active ZeuS C&C servers has increasted from 149 up to 191. For now, more than 40 ZeuS C&C servers are back online! This means that the cybercriminals are now able to move the stolen data to a safe place or a backup server. Additionally, the cybercriminals are able to update their config files served to the infected clients to set up a fallback server (if Troyak will disappear from the internet again).