Microsoft Beheads Rustock

Microsoft and federal law enforcement agents have taken down the Rustock botnet, which had about a million infected computers under its control. The botnet was officially considered offline on Wednesday, according to Microsoft.

A botnet consists of an infrastructure of computers that have been hacked to send out large amounts of spam. The takedown of Rustock was known as “operation b107.” It is the second large-scale takedown of a botnet for the joint effort of Microsoft Digital Crimes Unit (DCU), Microsoft Active Response for Security (Project Mars) and law enforcement.

The operation blended technical and legal tactics to disrupt the command and control of the botnet and malware-infected computers. Microsoft filed suit against the anonymous Rustock botnet operators, basing its complaint partially on infringement of Microsoft trademarks used in the spam.

A months-long investigation by DCU and partners resulted in successful pleas before U.S. District Court, and a U.S. marshal accompanied seizure of hosting servers in seven U.S. locations. Microsoft has taken possession of those servers for analysis. Microsoft severed the IP addresses of the servers controlling Rustock, essentially shutting the botnet down, the company said.

Rustock was used for major spamming and cybercrimes. In only one day, a single Rustock controlled computer could send out 240,000 spam mails — or 7,500 in 45 minutes, according to Microsoft. In addition to spam, Rustock sent out denial-of-service attacks and conducted click fraud.

Microsoft has enlisted the help of Pfizer, because a lot of the spam included fake prescription drug offers using the pharmaceutical company’s name. Microsoft has also shut down domains in China that Rustock could have gained control over.

Microsoft did not respond to the E-Commerce Times’ request for comments by press time.

Fall of a Top Spammer

Microsoft’s efforts benefit Internet users, since malware is both damaging and annoying.

“This is a huge win in the fight against spam, given that the Rustock has been the source of close to half of all spam in 2010,” Azita Arvani, principal of the Arvani Group, told the E-Commerce Times. “The Microsoft teams and all the other groups involved in ‘decapitation’ of the Rustock botnet should be congratulated. It must have taken a lot of effort and diligent detective work to put the pieces together.”

Users should quickly see a reduction in spam.

“Most importantly, the teamwork among the various groups that participated in this effort has been amazing,” said Arvani. “According to Symantec, there has been a noticeable drop in mail volume since Rustock was forced offline.”

This battle is won but the war on hackers and spam is everlasting.

“There are and will be more botnets creeping up,” said Arvani. “What this effort proved is that if there is a strong will, people across many different public and private organizations can come together to fight against complex computer crimes and win.”

Botnet hunters are learning more advanced battle tactics, but so are the bot herders.

“Just like the Waledac botnet experience helped Microsoft and company in dealing with Rustock, the accumulated experience in fighting spam and malware crime will help with dealing with future botnets,” said Arvani. “It should also help with putting in place policies that would make it easier to identify ‘John Doe’ bot herders behind the scene.”

Making It Harder to Operate

Botnets are so vast and complex that an offensive on multiple fronts has become necessary.

“It’s an interesting strategy,” Charles King, principal analyst at Pund-IT, told the E-Commerce Times. “Rather than attempting a purely technological fix — which would be difficult or impossible in so complex and widely distributed an operation — Microsoft and its allies applied a combination of technical know-how, sophisticated investigation and analysis, and legal muscle to take down Rustock. I expect we’ll see them pursue similar efforts in the future.”

There is a low probability of Rustock coming back from the dead.

“The ‘estimated to have approximately a million infected computers’ statement is testimony to the slipperiness of our understanding about essentially opaque botnets,” said King. “However, I think it is likely that Rustock’s operations in the U.S. are likely at an end unless its operators want to risk serious jail time.”

Victory over a spammer of this magnitude needs the tough arm of the law.

“For an exercise like Microsoft’s to work requires the active, willing participation of law enforcement and the legal community,” said King. “That makes it effective in North America, western Europe and some Asian countries. But it’s less likely to be workable in countries or regions whose governments are turning a blind eye to online crime or, in some cases, appear to be actively supporting such operations.”

Thanks to Microsoft, Internet users have won this round.

“Microsoft can help prevent development of further malicious botnets by proactively pursuing botnet owners, taking down their operations and ensuring that they are prosecuted to the full extent of the law,” said King. “That may simply mean that botnet operators will shift to friendlier places, but at least Microsoft can help make it harder, riskier and more expensive for them to operate in the U.S. and related locales.”