Microsoft names two defendants in Zeus botnet case

  • Tim Greene (Network World)
  • — 03 July, 2012 17:30

Microsoft has put faces and names to two of 39 "John Doe" defendants accused of running Zeus botnets responsible for scamming hundreds of millions of dollars from banks internationally.

The pair were part of the Zeus Racketeering Enterprise described earlier this year in court papers charging the group of anonymous defendants and whose command and control servers were taken down by Microsoft.

The two defendants are already serving time in U.K. prison after admitting last fall of similar crimes there.

BACKGROUND: Microsoft downs Zeus botnet but can't ID who's behind it

MORE: Microsoft leads seizure of Zeus-related cybercrime server

In Microsoft's official blog, Richard Domingues Boscovich, a senior attorney in the Microsoft Digital Crimes Unit, says the company is referring the case to the FBI to see whether it wants to file criminal charges. That includes turning over all the evidence Microsoft has gathered for the two named defendants as well as others not named, Boscovich writes.

The two accused are Yevhen Kulibaba and Yuriy Konovalenko, both Ukrainian nationals and both of whom pleaded guilty to conspiracy to defraud and were sentenced to four and a half years in prison.

In the U.S. case, Microsoft filed a civil suit against 39 defendants it could identify by screen names and IP addresses but not names. Meantime, the company has somehow linked Kulibaba and Konovalenko to two of the John Doe descriptions.

The U.S. case is related to a much publicized seizure of command and control servers in Scranton, Pa., and Lombard, Ill., that were determined by a court to be part of a botnet that was scamming money out of financial institutions and stealing identities.

In his blog, Boscovich notes that since the March takedown of the servers, observed worldwide IP address infections attributable to Zeus has dropped from 779,816 to 336,393, based on sampling done during six-day periods in March and June of this year. The servers were seized March 23.

Read more about wide area network in Network World's Wide Area Network section.

Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

File Malware Protection System

File MPS analyzes network file shares to detect and quarantine malware brought into the network through the Web, email, or other manual means, such as online file sharing.

more »

Submit your own security event

Submit your training courses

Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.

Read More
more »