Microsoft confirms takedown of Rustock botnet

Microsoft's Digital Crimes Unit (DCU) has announced that it has taken down the Rustock botnet.

The operation follows the DCU's takedown of the Waledac botnet a year ago. Richard Boscovich, senior attorney at the DCU, said that Rustock was estimated to have approximately a million infected computers under its control and was known to be capable of sending billions of spam emails every day. Its most recent activity was a run of pharmaceutical spam at the start of this year.

Boscovich said that the joint effort between the DCU, the Microsoft Malware Protection Center and Trustworthy Computing, known as Project MARS (Microsoft Active Response for Security), relied on legal and technical measures to sever the connection between the botnet's command-and-control infrastructure and the malware-infected computers operating under its control.

“As in the legal and technical measure that enabled us to take down the Waledac botnet, Microsoft filed suit against the anonymous operators of the Rustock botnet, based in part on the abuse of Microsoft trademarks in the bot's spam,” said Boscovich.

“However, Rustock's infrastructure was much more complicated than Waledac's, relying on hard-coded internet protocol addresses rather than domain names and peer-to-peer command and control servers to control the botnet. To be confident that the bot could not be quickly shifted to new infrastructure, we sought and obtained a court order allowing us to work with the US Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis.”

He said that specifically, servers were seized from five hosting providers operating in seven US cities: Kansas City, Scranton, Denver, Dallas, Chicago, Seattle and Columbus. He said: “With help from the upstream providers, we successfully severed the IP addresses that controlled the botnet, cutting off communication and disabling it. This case and this operation are ongoing and our investigators are now inspecting the evidence gathered from the seizures to learn what we can about the botnet's operations.”

The DCU said that it is now working with internet service providers and computer emergency response teams (CERTs) around the world to help affected computer owners remove the Rustock malware from their machines.

The sudden decline in spam was noted by several commentators. Security blogger Brian Krebs reported that the global volume of junk email took a massive nosedive on the day of the coordinated takedown of Rustock.

Speaking to Krebs, Joe Stewart, director of malware research at Dell SecureWorks, said that none of the 26 Rustock command and control networks he had been monitoring were responding as of Wednesday afternoon.

“This looks like a widespread campaign to have either these [internet addresses] null-routed or the abuse contacts at various ISPs have shut them down uniformly. It looks to me like someone has gone and methodically tracked these [addresses] and had them taken out one way or another,” said Stewart.

Paul Wood, senior analyst of MessageLabs Intelligence at Symantec, said: “For the last year or so, Rustock has been the dominant source of spam in the world; by the end of 2010 it accounted for as much as 47.5 per cent of all spam. At its peak it was responsible for more than half of all global spam. However, in the last few months, other botnets have been steadily increasing their output to match, or even exceed, that of Rustock.

“The takedown of Rustock hasn't had much noticeable effect on the overall amount of spam tracked by MessageLabs Intelligence. So far, in fact, traffic looks normal; it may be too early to tell if there will be much effect on total levels of spam. What I would expect is that the normal daily spike in activity is likely to be less today without Rustock to drive it, and for spam traffic to be more consistent throughout the day.

“Will this takedown or closure be permanent? At the moment, it's far too early to tell. Rustock has gone quiet before: over the last holiday season it stopped spamming for several days but came back as strong as ever. Only time will tell if this will happen again.”