Earlier this week the computer security and antispam communities were puzzling over the sudden silence of the Rustock botnet, a particularly widespread and aggressive network of captive “zombie” computer that may be responsible for up to 40 percent of the world’s spam. Now, details are emerging about how Rustock was taken down—and credit goes to technology giant Microsoft (along with U.S. and international law enforcement) who were able to sever connections between Rustock’s army of captive computers and its command-and-control servers, effectively taking the botnet offline. Microsoft is now working to sanitize botnet computers before Rustock’s operators can find a way to re-harness them.
“[Rustock] is estimated to have approximately a million infected computers operating under its control and has been known to be capable of sending billions of spam mails every day, including fake Microsoft lottery scams and offers for fake—and potentially dangerous—prescription drugs,” said Microsoft’s senior attorney in its Digital Crimes Unit Richard Boscovich, in a blog posting. “We are also now working with Internet service providers and Community Emergency Response Teams (CERTs) around the world to help reach out to help affected computer owners clean the Rustock malware off their computers.”
Microsoft’s action against Rustock was dubbed “Operation b107.” Microsoft’s approach was similar to how the company moved against the Waledac botnet a year ago, following months of investigative work at Microsoft and in conjunction with its partners—Microsoft specifically singles out security researchers at the University of Washington, network security operators FireEye, and the Dutch High Tech Crime Unit.
The actual takedown involved Microsoft and others filing suit against the botnet’s anonymous operators and making a successful pleading before a court to work with law enforcement to conduct a coordinated seizure of Rustock command-and-control servers operating in the United States. According to Microsoft, Rustock command servers were confiscated from five hosting providers in seven U.S. cities (including Kansas City, Scranton, Denver, Dallas, Chicago, Seattle, and Columbus), and coordination with upstream providers helped cut the servers off from the botnet controllers. Microsoft describes Rustock’s infrastructure as considerably more sophisticated than that used by Waledac, relying on hard-coded IP addresses that can’t easily be disrupted through DNS. Microsoft says it also worked with CN-CERT to block registration of domains in China that Rustock ould have used for new command-and-control servers.
Interestingly, drug-maker Pfizer is a party to the suits brought against Rustock’s operator, with its declaration that the drugs advertised via much of the spam sent by Rustock often have incorrect active ingredients, improper dosages, or are even contaminated with pesticides, lead, and other toxins.
At the moment, it’s safest to say Rustock has been made inactive, rather than having been taken down: the estimated million infected zombie computers are still out there, and if Rustock’s creators are wily they might be able to regain control over some portion of them. Microsoft emphasizes it’s strategy doesn’t just involve cutting the heads off botnets, but also cleaning malware off infected computers so the botnet can’t come back to life.