Microsoft leads disruption of largest infected global PC network

SAN FRANCISCO Thu Dec 5, 2013 8:37pm EST

Men install Microsoft Corp's Windows 8 operating system on their laptops, as Windows 8 goes on sale after midnight, along a street at the Akihabara district in Tokyo October 26, 2012. REUTERS/Toru Hanai

Men install Microsoft Corp's Windows 8 operating system on their laptops, as Windows 8 goes on sale after midnight, along a street at the Akihabara district in Tokyo October 26, 2012.

Credit: Reuters/Toru Hanai

Related Topics

SAN FRANCISCO (Reuters) - Microsoft Corp said on Thursday it had disrupted the largest network of compromised personal computers, involving some 2 million machines around the world, since it stepped up its battle against organized online criminals three years ago.

The Redmond, Wash.-based software giant filed a lawsuit in Texas and won a judge's order directing Internet service providers to block all traffic to 18 Internet addresses that were used to direct fraudulent activity to the infected machines.

Law enforcement in many European countries served warrants at the same time, seizing servers expected to contain more evidence about the leaders of the ZeroAccess crime ring, which was devoted to "click fraud."

Such rings use networks of captive machines, known as botnets, in complicated schemes that force them to click on ads without the computer owners' knowledge. The schemes cheat advertisers on search engines including Microsoft's Bing by making them pay for interactions that have no chance of leading to a sale. Microsoft said the botnet had been costing advertisers on Bing, Google Inc and Yahoo Inc an estimated $2.7 million monthly.

The coordinated effort marks the eighth time Microsoft has moved against a botnet and a rare instance of it doing serious damage to one that is controlled with a peer-to-peer mechanism, where infected machines give each other instructions instead of relying on a central server that defenders can hunt down and disable.

But the ZeroAccess botnet still had a weakness: The code in the infected machines told them to reach out to one of the 18 numeric Internet addresses for details on which ads to click.

Microsoft recently opened a new Cybercrime Center in Redmond and is using new tools in its efforts. They are helped by a provision in trademark that allows pretrial seizure of suspected counterfeit goods, including websites that, as in the present case, are spreading tainted versions of the Internet Explorer browser.

The company is working with national computer security authorities in various countries and with Internet service providers to notify individual computer owners with infected machines, hoping to reach most of them before the fraudsters can spread new instructions.

Microsoft has been sharing evidence with the FBI and Europol, the continent's law enforcement coordinating service. National agencies took part in seizure actions in Germany, Switzerland, Latvia, Luxembourg, and the Netherlands.

For now, at least, the fraud by this network has stopped, said Microsoft Assistant General Counsel Richard Boscovich.

The operators of the botnet are believed to be in Russia, while the author of the malicious software distributed on it could be based elsewhere, Boscovich said.

(Reporting by Joseph Menn; Editing by Ken Wills)

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see
Comments (2)
yurakm wrote:
OK, the malware is making advertiser to pay Microsoft, Google, and Yahoo for a fictitious service.

I do not understand, why criminals would spend a lot of labor and other resources to defraud the advertisers, given that that is Microsoft or Google who get the spoil. What benefits the fraudsters receive? Just a vandalism?

Dec 05, 2013 11:37pm EST  --  Report as abuse
reality-again wrote:

Good question!
Those criminals get paid by companies who are looking to deplete their competitors’ advertising budget, and by website owners who share their earnings from fraudulent clicks on ads with both those criminals and the companies who serve the ads, such as Google, whose absence from this effort to irradicate these cyber crimes is interesting…

Dec 06, 2013 8:33am EST  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.