Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Microsoft took down Rustock - My own company is going to put me out of a job!

Microsoft took down Rustock - My own company is going to put me out of a job!

  • Comments 1

It’s all over the Internet today but as it turns out, the ones who were largely responsible for taking down the Rustock botnet was none other than my employer, Microsoft!  I had my suspicions that it was them but since I was not involved in the investigation or take down efforts, I couldn’t say one way or the other.  Anyhow, there are a ton of links out there detailing Microsoft’s involvement.  Here are just a few:

Microsoft’s Digital Crime Unit blog:

Just over a year ago, we announced that the Microsoft Digital Crimes Unit (DCU), in cooperation with industry and academic experts, had successfully taken down the botnet Waledac in an operation known as “Operation b49”. Today, I’m happy to announce that based on the knowledge gained in that effort, we have successfully taken down a larger, more notorious and complex botnet known as Rustock. This botnet is estimated to have approximately a million infected computers operating under its control and has been known to be capable of sending billions of spam mails every day, including fake Microsoft lottery scams and offers for fake – and potentially dangerous – prescription drugs.

This operation, known as Operation b107, is the second high-profile takedown in Microsoft’s joint effort between DCU, Microsoft Malware Protection Center and Trustworthy Computing – known as Project MARS (Microsoft Active Response for Security) – to disrupt botnets and begin to undo the damage the botnets have caused by helping victims regain control of their infected computers. Like the Waledac takedown, this action relied on legal and technical measures to sever the connection between the command and control structure of the botnet and the malware-infected computers operating under its control to stop the ongoing harm caused by the Rustock botnet. As you may have read, the Rustock botnet was officially taken offline yesterday, after a months-long investigation by DCU and our partners, successful pleading before the U.S. District Court for the Western District of Washington and a coordinated seizure of command and control servers in multiple hosting locations escorted by the U.S. Marshals Service.

However, no single company or group can accomplish this lofty goal alone. It requires collaboration between industry, academic researchers, law enforcement agencies and governments worldwide. In this case, Microsoft worked with Pfizer, the network security provider FireEye and security experts at the University of Washington. All three provided declarations to the court on the dangers posed by the Rustock botnet and its impact on the Internet community. Microsoft also worked with the Dutch High Tech Crime Unit within the Netherlands Police Agency to help dismantle part of the command structure for the botnet operating outside of the United States. Additionally, Microsoft worked with CN-CERT in blocking the registration of domains in China that Rustock could have used for future command and control servers.

From the Wall Street Journal:

In recent years, Microsoft has stepped up legal actions against a variety of Internet nuisances like spam that it believes inflict harm on its product and reputation. Spam taxes the servers of its Hotmail email service, and impacts the Internet experience of users of Microsoft software like Windows and Office. The malicious code used to form spam botnets often exploits security vulnerabilities in products like Windows.

That lawsuit was unsealed late Thursday by a federal judge, at Microsoft's request, after company executives said they dealt a seemingly lethal blow to the botnet in their raids on Wednesday.

As part of that dragnet, U.S. marshals accompanied employees of Microsoft's digital crimes unit into Internet hosting facilities in Kansas City, Mo.; Scranton, Pa; Denver; Dallas; Chicago; Seattle and Columbus, Ohio. The Microsoft officials brought with them a federal court order granting them permission to seize computers within the facilities alleged to be "command-and-control" machines, through which the operators of the Rustock botnet broadcast instructions to their army of infected computers, estimated by Microsoft at more than one million machines world-wide.

M86 Security reported this yesterday:

Today, Rustock spam completely stopped (16 March, 3pm GMT). We can also confirm that the Rustock control servers that we know about are not responding. It is unclear yet who or what caused the shutdown. Its also possible it has been abandoned. Over the past three years, Rustock has been responsible for a huge amount of spam, at times representing half of all spam caught in our spam traps. But since September last year, when Spamit.com was shut down, its output diminished significantly, and its spam templates hardly changed.

Whatever the reason, lets hope this one sticks. Previous attempts at botnet shutdowns have tended to be short lived as the botnet herders simply regroup and start again. Its too early to say bye bye Rustock, but the thought is certainly nice.

So yes, it was Microsoft who shut down the Rustock botnet by working in close collaboration with a number other partners and helping to co-ordinate a legal takedown coupled with physical removal of affected hardware.

Everyone in the security industry notes that there is still more work to be done, but let’s be honest here – taking down the Rustock botnet is the biggest Antispam story this year and should be celebrated as a major landmark success, even if it is temporary.  Congratulations to the folks at Microsoft and others who assisted!

Leave a Comment
  • Please add 8 and 7 and type the answer here:
  • Post
  • This may be a dumb question, but since MSFT has effectively taken complete control over the botnet and hence they would have the IP addresses of infected computers ... does MSFT have any plans to contact the owners of the infected computers?  Perhaps tell them they were part of a botnet due to lax security on their part?  Or have the owners' ISP's do the contacting?

    Or would MSFT simply sit on this information and see if the people behind Rustock want to re-start a variant of their botnet?

Page 1 of 1 (1 items)