In a widescale operation involving Microsoft, industry partners, academics and law enforcement agencies, the notorious Rustock botnet was shut down on Thursday.
Rustock was responsible for almost half of the world's spam, according to security firm Symantec. The botnet was believed to control a network of more than a million computers, enabling them to send out as many as 40 billion spam emails per day selling everything from software to discounted drugs like Viagra and Cialis, although many of the products were said to be counterfeit.
The takedown, dubbed Operation b107, severed the connection between the command-and-control (C&C) servers, which send out instructions from the Rustock operators to the global network of infected computers, Richard Boscovich, senior attorney, Microsoft Digital Crimes Unit, said in a blog post Thursday on a Microsoft site. Most people are unaware that their PC is infected and part of the botnet operation.
Rustock is malware spread by a trojan downloader that collects email addresses found on the computer on which it is installed and turns the computer it is installed on into an engine for sending spam email, T.J. Campana, senior program manager at Microsoft Digital Crimes Unit, told SCMagazineUS.com on Friday. "It also enables the Rustock controller (known as a bot herder) to command the computer for a variety of other online attacks beside spam at any time," he said.
This was the second takedown of a major botnet in a joint effort between the Microsoft Digital Crimes Unit (DCU), Microsoft Malware Protection Center and Trustworthy Computing – known as Project MARS (Microsoft Active Response for Security). A year ago, the team was responsible for shutting down the Waledec botnet.
"To be confident that the bot could not be quickly shifted to new infrastructure, we sought and obtained a court order allowing us to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis," Boscovich wrote.
Servers were absconded from five hosting providers operating in seven cities in the United States, with assistance from the upstream providers. This operation severed the IP addresses that controlled the botnet, cutting off communication and disabling it, he said.
Getting Rustock offline followed a year-long investigation by DCU and its partners, culminating in a civil suit filed last February in federal court in Seattle. Microsoft is said to have prompted the actions because the spam operations flood the company's Hotmail email servers with activity that also affects customers' internet use. In the suit, unsealed on Thursday, Microsoft also claimed that Rustock was infringing on its trademarks as some advertisements tied the Redmond giant's name to the spam offerings.
In addition, Rustock spam used Microsoft's trademarks to lure people into lottery scams – also known as advance fee fraud – in which spammers attempt to convince people that they've won the lottery and need to send the spammers some amount of money to collect the larger lottery winnings, Microsoft's Campana said. "The takedown was done to address a threat to everyone's health and safety, including our customers."
In last year's shutdown of Waledac, Microsoft's legal action went only so far as getting a judge's permission to gain control of hundreds of domain names being used to transmit instructions to the botnet. Shutting down Rustock necessitated court orders to seize computers because, as Microsoft officials explained, the Rustock operation was more complex than Waledac: computers tied into the botnet received instructions from IP addresses connected to particular command-and-control machines.
The shutdown sets a major legal precedent, Alex Lanstein, senior engineer at network security provider FireEye, told SCMagazineUS.com on Friday. "For the first time ever, it allows a company showing harm to take action against a third party."
FireEye, which does malware analysis, was one of the companies Microsoft worked with in this operation. The company was able to fill in a number of gaps by providing Microsoft with data culled from FireEye customers to gain a hold on what the C&C picture looked like, Lanstein said.
Microsoft also worked with pharmaceutical company Pfizer – since discounted, but often fake drugs were a primary offering from the Rustock operation – and security experts at the University of Washington in the United States, as well as the Dutch High Tech Crime Unit within the Netherlands Police Agency to disassemble parts of the botnet's command structure outside of the United States. Additionally, Microsoft teamed with CN-CERT, a China-based community emergency response team, to block registration of domains in the nation that Rustock might have used for future C&C servers, Boscovich wrote.
However, this doesn't resolve every issue. Many PCs are still infected with malware that can affect their systems. The clean-up is ongoing, wrote Microsoft's Boscovich. The company is working with internet service providers and CERTs globally to help affected computer owners clean the Rustock malware off their computers.
As well, the criminals behind Rustock are only temporarily out of business, Gunter Ollmann, VP of research at security firm Damballa, wrote in a blog post Friday. "Sure, they lost some C&C servers and their existing botnet victims – but all the other components are still available to them to build and replace the botnet they lost."
Further, the malware these criminals use can still infect victim computers, and the vectors employed to install malware on those machines is still alive, he said, adding that the takedown is only a temporary setback for the operators.
Ollmann also takes issue with the legal proceedings, speculating that companies using the same internet server hosting facility, and unaffiliated with Rustock, may have had their data shared on the servers taken into evidence, and so, in effect, also been put out of business, at least temporarily.
But, Campana told SCMagazineUS.com on Friday, that any legitimate business co-located on those servers was preserved and moved to new IPs/servers as needed.
A precedent has been set. "Microsoft did a public service," FireEye's Lanstein said. "It will be a lot easier for everyone now that there's a legal precedent."