Microsoft Instrumental in the Rustock Botnet Take Down

Friday, March 18, 2011

Rustock, which first emerged around 2006 and is the largest and most active spam botnet in the world, was decommissioned this week - at least for now.

The Rustock botnet, which controlled an estimated 250,000 computers, was thought to have sent billions of product-related spam emails per day.

Last month Microsoft provided documentation that detailed the botnet's extensive structure in a federal court filing that was part of a lawsuit against a number of John Doe defendants.

Acting on the information Microsoft provided, federal marshals raided several internet hosting providers across the U.S. and seized servers suspected of being used as Rustock command and control units.

Microsoft was also instrumental in efforts to shut down the Waledac botnet last year, though that botnet is still functioning at a diminished capacity.

"Rustock’s infrastructure was much more complicated than Waledac’s, relying on hard-coded Internet Protocol addresses rather than domain names and peer-to-peer command and control servers to control the botnet. To be confident that the bot could not be quickly shifted to new infrastructure, we sought and obtained a court order allowing us to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis," Richard Boscovich, senior attorney in Microsoft's Digital Crimes Unit, said in a blog post.

"Specifically, servers were seized from five hosting providers operating in seven cities in the U.S., including Kansas City, Scranton, Denver, Dallas, Chicago, Seattle, Columbus and, with help from the upstream providers, we successfully severed the IP addresses that controlled the botnet, cutting off communication and disabling it. This case and this operation are ongoing and our investigators are now inspecting the evidence gathered from the seizures to learn what we can about the botnet’s operations," Boscovich wrote.
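The hard-coded IP addresses Boscovich describes are what made domain seizure or sinkholing insufficient and forced a physical server seizure. The same design choice leaves a footprint defenders can look for: an infected host connects to an external address without ever having resolved it through DNS. The script below is an added illustration, not code from Microsoft or from the article, and it is a generic heuristic rather than how Rustock was actually found. The log formats, the hostnames, the documentation-range IP addresses and the five-minute correlation window are all constructed assumptions.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed sample logs (not from the article). All addresses are from
# RFC 5737 documentation ranges or RFC 1918 private space.
# DNS answer log format (assumed): <timestamp> <client> <qtype> <name> <answer_ip>
DNS_LOG = """\
2011-03-15T09:50:00 10.0.0.7 A cdn.example.org 192.0.2.30
2011-03-15T10:00:01 10.0.0.5 A www.example.com 192.0.2.10
2011-03-15T10:00:05 10.0.0.7 A mail.example.net 192.0.2.20
"""

# Outbound connection log format (assumed): <timestamp> <src> <dst> <dst_port>
CONN_LOG = """\
2011-03-15T10:00:02 10.0.0.5 192.0.2.10 443
2011-03-15T10:00:09 10.0.0.5 203.0.113.45 80
2011-03-15T10:00:10 10.0.0.7 192.0.2.20 25
2011-03-15T10:01:30 10.0.0.7 203.0.113.46 80
2011-03-15T10:02:00 10.0.0.5 10.0.0.9 445
2011-03-15T10:03:00 10.0.0.7 192.0.2.30 443
"""

# Internal ranges that the heuristic ignores (lateral traffic is a separate problem).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_dns(text):
    """Parse DNS answer lines into dicts with keys ts, client, name, ip."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _qtype, name, ip = line.split()
        out.append({"ts": _ts(ts), "client": client, "name": name, "ip": ip})
    return out


def parse_conns(text):
    """Parse outbound connection lines into dicts with keys ts, src, dst, port."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        out.append({"ts": _ts(ts), "src": src, "dst": dst, "port": int(port)})
    return out


def find_direct_ip_connections(dns_answers, conns, window=timedelta(minutes=5)):
    """Return connections to external addresses that the connecting host did not
    receive in a DNS answer within `window` before the connection.

    A hard-coded IP in malware produces exactly this pattern; a legitimate
    client normally resolves a name first. The window keeps a stale answer from
    long ago from counting as justification."""
    flagged = []
    for c in conns:
        if is_internal(c["dst"]):
            continue
        resolved = any(
            a["client"] == c["src"]
            and a["ip"] == c["dst"]
            and c["ts"] - window <= a["ts"] <= c["ts"]
            for a in dns_answers
        )
        if not resolved:
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    hits = find_direct_ip_connections(parse_dns(DNS_LOG), parse_conns(CONN_LOG))
    for c in hits:
        print(f"{c['ts'].isoformat()} {c['src']} -> {c['dst']}:{c['port']} "
              f"(no DNS answer for this address in the preceding window)")
```

On the constructed sample, the two connections to 203.0.113.x are flagged because no DNS answer ever carried those addresses, and the connection to 192.0.2.30 is flagged because its only answer is thirteen minutes old, outside the window. The SMB connection to 10.0.0.9 is skipped as internal. In practice the heuristic needs an allow-list for hosts that legitimately use fixed addresses (NTP pools, some update CDNs, your own monitoring), and it says nothing about peer-to-peer command and control, which the quote also mentions and which needs different signals.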

The raids appear to have cut spam volume immediately, but the Rustock botnet is likely to re-emerge at some point, given how many companies are willing to host botnet command and control operations.

