Microsoft has taken down a massive botnet, estimated to have had one million computers under its control and capable of sending billions of spam e-mails every day.
In a blog post, Richard Boscovich, senior attorney in the Microsoft Digital Crimes Unit (DCU), says the unit’s success in taking down the Rustock botnet follows the conclusion of last year’s Waledac operation.
“This operation, known as Operation b107, is the second high-profile takedown in Microsoft’s joint effort between DCU, Microsoft Malware Protection Center and Trustworthy Computing – known as Project MARS (Microsoft Active Response for Security) – to disrupt botnets and begin to undo the damage the botnets have caused by helping victims regain control of their infected computers.
“Like the Waledac takedown, this action relied on legal and technical measures to sever the connection between the command and control structure of the botnet and the malware-infected computers operating under its control to stop the ongoing harm caused by the Rustock botnet,” Boscovich writes.
He says that, in order to take the botnet down, Microsoft filed suit against the anonymous operators of Rustock, based in part on the abuse of Microsoft trademarks in the bot’s spam.
“However, Rustock’s infrastructure was much more complicated than Waledac’s, relying on hard-coded Internet Protocol addresses rather than domain names and peer-to-peer command and control servers to control the botnet.
“To be confident that the bot could not be quickly shifted to new infrastructure, we sought and obtained a court order allowing us to work with the US Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis.
“Specifically, servers were seized from five hosting providers operating in seven cities in the US, including Kansas City, Scranton, Denver, Dallas, Chicago, Seattle and Columbus. With help from the upstream providers, we successfully severed the IP addresses that controlled the botnet, cutting off communication and disabling it.
“This case and this operation are ongoing and our investigators are now inspecting the evidence gathered from the seizures to learn what we can about the botnet’s operations.”
Microsoft is now working with Internet service providers and Computer Emergency Response Teams (CERTs) around the world to reach out to affected computer owners and help them clean the Rustock malware off their computers.
Although its behaviour has fluctuated over time, Boscovich says Rustock has been reported to be among the world’s largest spambots, at times capable of sending 30 billion spam e-mails per day. DCU researchers watched a single Rustock-infected computer send 7,500 spam e-mails in just 45 minutes – a rate of 240,000 spam e-mails per day. Moreover, much of the spam observed coming from Rustock posed a danger to public health, advertising counterfeit or unapproved knock-off versions of pharmaceuticals.
DCU’s research shows there may be close to one million computers infected with Rustock malware, all under the control of the person or people operating the network like a remote army, usually without the computer’s owner even being aware that the machine has been hijacked.