Taking down Rustock

Opinion by Dan Raywood

There have been some notable botnet takedowns in recent times, including BredoLab and Mariposa.

There have been some notable botnet takedowns in recent times, including BredoLab and Mariposa.

Most recently, the Rustock botnet was taken down by a group of companies led by Microsoft's digital crime unit. I spoke with Alex Lanstein, senior security engineer at FireEye, who was involved with the takedown. He explained that the project to bring Rustock down began 18 months ago ‘when there was initiatives to do something good on the internet'.

Lanstein said: “We went after a major threat and the decline in spam shows how good the takedown was. Microsoft was involved in this, but it needed industry collaboration to take down such a threat.”

I asked him about how this compared to the takedown of Mariposa a year ago. Lanstein said that the difference in the botnets was significant, as Mariposa was more kit-based and was sold to many users, while Rustock was developed and used by one party, so one person was responsible for its output and activity.

Lanstein said that in order to take down a botnet, you need to hit each command and control (C&C) server that is being used by every variant of the malware. “We spent over a year identifying each one so 100 per cent of the botnet was taken down,” he said.

“You have to watch every server and variant and know what the malware looks like. It can seem easy to look over the C&C, but if there is a backup access to the botnet can be recovered. We had to hit six or seven data centres within minutes as otherwise, if they knew what we were doing, they may have been able to wipe files.”

Speaking to Symantec.cloud, it confirmed that there had been no activity with Rustock since the takedown. To date there has been no arrests made in connection with Rustock, however there was some speculation on the identity of the person behind the botnet. Lanstein said that logs that he had seen suggested that the owner would keep a low profile should the botnet be taken down.

I asked Lanstein if he felt that copycat botnets would appear following the capability of one person setting up Rustock. He said: “I don't think so, as spam has been harder to get through due to anti-spam and spammers being reliant on rogue credit card processors, fake anti-viruses and pharmaceuticals. The whole spam model will not go away as there is money to be made from spam.

“You could say that the spam problem is over because the threat now is about specific attacks with customised malware. We are seeing increased attacks over the last six months, and state-sponsored attacks that have no economic impact at all.”

Botnet takedowns are a very remarkable part of our business that require collaboration between professionals and individuals, a lot of hard work and expert timing. With other botnets still live and likely to be constantly sending out spam, there's no time to sit back and admire the work.  


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events