Freed at last: Microsoft claims to have 'liberated' 4.7 million infected PCs
Microsoft cracks another malware gang as evidence emerges that Gameover ZeuS botnet is being reassembled
Microsoft claims to have "freed" at least 4.7 million Windows PCs from the control of hackers and identified a further 4.7 million, following an operation last week by the company's Digital Crimes Unit.
According to Microsoft, the PCs are overwhelmingly based in India, followed by Pakistan, Egypt, Brazil, Algeria and Mexico. The malware families Microsoft targeted, known as Bladabindi and Jenxcus, were written and distributed by a network of developers based in Kuwait and Algeria.
However, the operation disrupted services at Reno, Nevada-based internet company Vitalwerks Internet, which Microsoft claims was being used by the cyber criminals to communicate with their network of compromised computers, using free accounts on the company's No-IP.com service.
The operation began on 30 June after the company obtained a federal court order enabling it to pursue the operation. Assistant general counsel of the unit, Richard Domingues Boscovich, claimed it was the most successful of the 10 it has launched to date.
"There are nearly 400 million victims of cyber crime each year. And cyber crime costs consumers $113bn per year," says David Finn, associate general counsel for Microsoft's Digital Crimes Unit.
"We understand that there's no one single country, business or organisation that can tackle cyber security and cyber crime threats alone. That's why we invest in bringing partners – law enforcement agencies, partners and customers – into this centre to work right alongside us," he adds.
Microsoft's Digital Crimes Unit claims a high correlation between counterfeit or pirated software and malware, not least because knock-off software is invariably bundled with malware by the people who crack and distribute the software.
At the same time, evidence is emerging that the cyber criminals behind the Gameover ZeuS banking Trojan have started to reassemble the botnets that were taken down in a global operation last month.
Researchers at Malcovery claim to have noticed spam-bearing malware that shares about 90 per cent of its code base with the original Gameover ZeuS Trojan.
What made that malware particularly potent was its use of a peer-to-peer mechanism for its authors to control their malware network. The latest variant doesn't contain this P2P element. Instead, it uses "fast-flux hosting", an always-changing network of compromised systems that act as proxies.
Should a Trojan on a PC fail to communicate with any of the controllers in the network, it falls back to a built-in domain name-generation algorithm, which the authors of the Trojan will register should their network get busted.
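The two behaviours described above, fast-flux hosting and a fallback domain-generation algorithm, both leave traces in a resolver's DNS logs, which is where a defender would look for them. The following is an added example, not code from the article or from any of the researchers it cites: it parses a small constructed DNS log, flags query names whose registrable label looks machine-generated (high character entropy, few vowels, many digits, long), and flags names whose short-TTL answers rotate through several distinct IP addresses. The log format, the domains, the IP addresses and every threshold are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS resolver log (not real traffic). Fields: timestamp, client, qname, answer, ttl.
SAMPLE_DNS_LOG = """\
2014-07-02T10:00:01 10.0.0.12 mail.example.com 203.0.113.10 3600
2014-07-02T10:00:05 10.0.0.12 updates.example.org 198.51.100.7 86400
2014-07-02T10:00:09 10.0.0.12 xkq7wzp3lfm9ht.net 192.0.2.14 60
2014-07-02T10:01:02 10.0.0.12 xkq7wzp3lfm9ht.net 192.0.2.77 60
2014-07-02T10:02:04 10.0.0.12 xkq7wzp3lfm9ht.net 192.0.2.130 60
2014-07-02T10:03:01 10.0.0.12 xkq7wzp3lfm9ht.net 192.0.2.201 60
2014-07-02T10:03:30 10.0.0.12 bvn4sdk2qwe8rt.com 192.0.2.55 60
"""


def parse_dns_log(text):
    """Yield (qname, answer_ip, ttl) tuples from the assumed log format; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, _client, qname, answer, ttl = fields
        try:
            yield qname.lower().rstrip("."), answer, int(ttl)
        except ValueError:
            continue


def shannon_entropy(s):
    """Bits per character: random-looking labels score high, dictionary words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname):
    # Assumption: the second-level label is the registrable one (no public suffix list offline).
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(qname):
    """Heuristic score 0..4 for a DGA-like label; thresholds are assumptions for this example."""
    label = registrable_label(qname)
    if not label:
        return 0
    n = len(label)
    checks = [
        shannon_entropy(label) > 3.5,                        # high character entropy
        sum(ch in "aeiou" for ch in label) / n < 0.25,       # few vowels, unpronounceable
        sum(ch.isdigit() for ch in label) / n > 0.2,         # digits mixed into the label
        n >= 12,                                             # unusually long label
    ]
    return sum(checks)


def fast_flux_candidates(records, max_ttl=300, min_ips=3):
    """Names whose short-TTL answers rotated through at least min_ips distinct addresses."""
    ips_by_name = defaultdict(set)
    for qname, ip, ttl in records:
        if ttl <= max_ttl:
            ips_by_name[qname].add(ip)
    return {name: sorted(ips) for name, ips in ips_by_name.items() if len(ips) >= min_ips}


def analyze(log_text, dga_threshold=3):
    """Run both heuristics over a log and return the flagged names."""
    records = list(parse_dns_log(log_text))
    names = sorted({q for q, _, _ in records})
    return {
        "dga_suspects": [q for q in names if dga_score(q) >= dga_threshold],
        "fast_flux": fast_flux_candidates(records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DNS_LOG).items():
        print(key, value)
```

Both heuristics produce false positives on their own (CDNs also rotate short-TTL answers, and some legitimate hostnames are random-looking), so in practice a hit is a triage lead to correlate with the querying client and other telemetry, not a verdict by itself.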
"Gameover is based on code from the ZeuS Trojan, an infamous family of malware that has been used in countless online banking heists," wrote computer security specialist Brian Krebs.
He continued: "Unlike ZeuS – which was sold as a botnet creation kit to anyone who had a few thousand dollars in virtual currency to spend – Gameover ZeuS has since October 2011 been controlled and maintained by a core group of hackers from Russia and Ukraine.
"Those individuals are believed to have used the botnet in high-dollar corporate account takeovers that frequently were punctuated by massive distributed-denial-of-service attacks intended to distract victims from immediately noticing the thefts."