Microsoft still after Rustock botnet operators

Microsoft’s stealth attack against the infamous Rustock botnet seems to have worked—the botnet has remained offline. However, Microsoft’s Digital Crimes Unit is still going after the operators, who it believes operated (and perhaps are still operating) out of Russia—and this time it’s through the press and legal process, sending notices of court orders to folks believed to be involved, and taking out 30-day ads in leading Russian newspapers in an effort to get the owners of the IP addresses that controlled Rustock to come out of the woodwork.

Image: Microsoft Spambot infographic (Rustock), March 2011

“Although history suggests that the people associated with the IP addresses and domain names connected with the Rustock botnet are unlikely to come forward in response to a court summons, we hope the defendants in this case will present themselves,” Microsoft senior attorney Richard Boscovich wrote in the company’s official blog. “If they do not, however, we will continue to pursue this case, including possibly within the Russian judicial system.”

Sending notices to the physical and email addresses associated with the IPs that controlled the botnet and taking out the ads helps Microsoft meet its legal obligation to make a “good faith” effort to contact the owners of those addresses. Microsoft’s takedown of Rustock essentially amounted to a coordinated seizure of its command-and-control servers, many of which were actually operating in the United States; Microsoft worked with security researchers, upstream providers, and law enforcement to carry it out. While the takedown was conducted with court authority, the company now has to do the due diligence of contacting the owners of the IP addresses and systems involved so that, if they like, they can get their day in court.

Nobody is really expecting the Rustock operators to turn up, however.

Microsoft has noted that since the takedown, the number of PCs infected with the Rustock botnet has declined substantially as more PC users update their software and remove malware from PCs. Global levels of spam also saw a significant decline in the first quarter of the year, in part due to Rustock being taken down.

Rustock’s command-and-control servers might be offline, but that doesn’t take malware off infected PCs, and there’s still a danger that, somehow, the Rustock operators might be able to re-capture their botnet of infected systems and resume their spamming. Unlike the CoreFlood botnet, there doesn’t appear to be a backdoor into Rustock that enables substitute command-and-control servers to issue shutdown or removal commands to infected machines—and do you really want someone sending commands to delete malware on your system, anyway?
