Rustock Botnet Cybercrime Takedown, Thanks to MS-Led Multi-Party Effort

The infamous Rustock botnet, estimated by some parties to be responsible for between 30 and 50 percent of all the spam in the world (up to 30 billion messages per day), has been taken down. The effort took 18 months and involved experts from Microsoft’s Digital Crimes Unit, FireEye Malware Intelligence Labs, Pfizer (whose pharmaceutical products were counterfeited and hawked in trillions of spam e-mails), and computer scientists from the University of Washington.

Unlike most botnets, which operate on cybercrime-friendly servers in eastern Europe and other former Soviet Bloc countries, Rustock ran almost entirely on servers hosted at small-scale ISPs in North America. All 26 servers that the counterstrike team identified were shut down last Wednesday, and with them the spam geyser was effectively turned off. US Marshals and forensics experts, armed with warrants, raided data centers in Chicago, Columbus, Dallas, Denver, Kansas City, Scranton, and Seattle to seize the servers and effect the botnet’s takedown.

According to an excellent story from the Channel Register (“Rustock Takedown: How the world’s worst botnet was KO’d”), the malware on compromised machines used customized, stealthy encryption to make its payload look like a compressed archive in .rar format. Zombie machines communicated with the command and control servers using text messages crafted to look like innocuous bulletin board entries or Web forum postings, so the traffic blended in with ordinary browsing. Those command and control servers were bought and paid for on monthly service contracts with smaller-scale ISPs, who remained unaware that their systems and networks were home to one of the world’s most nefarious botnets.

This approach let Rustock elude scrutiny from security professionals, who are inclined to look for botnets first in the shadier precincts of the Internet. Ultimately, however, FireEye was able to determine the location of the command and control servers through deep analysis and inspection of the botnet’s traffic. Compromised PCs also tried to download Windows XP SP2 but quit after the first 200KB, presumably as a cheap check that they had a live Internet connection. That habit cut both ways: a fixed URL fetched and abandoned at a fixed byte count is a reliable fingerprint, and Microsoft began logging these truncated downloads to identify the IP addresses of infected PCs, compiling useful intelligence on the bot’s size, growth, and behavior along the way.
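The logging trick described above, as an added example that is not code from the original post or from any of the organizations involved: a small detector that reads web-server access-log lines and flags clients that request a specific download but disconnect after roughly the first 200KB. The log lines, the download path, the slack allowance and the full-file size below are constructed placeholders for illustration; the page gives neither the real URL nor the real sizes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed values (not from the page): placeholder path and sizes so the
# heuristic can be demonstrated offline.
PROBE_PATH = "/downloads/xp-sp2-package.exe"   # hypothetical download path
PROBE_BYTES = 200 * 1024                       # bots quit after the first 200KB
SLACK = 64 * 1024                              # assumed: one extra chunk before the abort
FULL_SIZE = 266_000_000                        # assumed: rough size of the whole package

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2011:08:01:12 +0000] "GET /downloads/xp-sp2-package.exe HTTP/1.1" 200 204800 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [10/Mar/2011:09:01:15 +0000] "GET /downloads/xp-sp2-package.exe HTTP/1.1" 200 212992 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Mar/2011:08:02:40 +0000] "GET /downloads/xp-sp2-package.exe HTTP/1.1" 200 266000000 "-" "Mozilla/5.0"',
    '203.0.113.22 - - [10/Mar/2011:08:03:01 +0000] "GET /downloads/xp-sp2-package.exe HTTP/1.1" 200 204800 "-" "Mozilla/4.0"',
    '203.0.113.22 - - [10/Mar/2011:08:03:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Mar/2011:08:04:00 +0000] "GET /downloads/xp-sp2-package.exe HTTP/1.1" 404 512 "-" "curl/7.19"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_truncated_probe(entry):
    """True when the request looks like the bot's connectivity check: the probe
    path, a successful response, and a byte count just past 200KB rather than
    the whole file (a genuine download) or a tiny error page."""
    return (
        entry["method"] == "GET"
        and entry["path"] == PROBE_PATH
        and entry["status"] == 200
        and PROBE_BYTES <= entry["bytes"] < PROBE_BYTES + SLACK
        and entry["bytes"] < FULL_SIZE
    )


def find_probe_clients(lines, min_hits=1):
    """Group truncated probes by client IP; return {ip: {count, first, last}}
    for clients seen at least min_hits times."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_truncated_probe(entry):
            continue
        h = hits[entry["ip"]]
        h["count"] += 1
        h["first"] = entry["ts"] if h["first"] is None else min(h["first"], entry["ts"])
        h["last"] = entry["ts"] if h["last"] is None else max(h["last"], entry["ts"])
    return {ip: h for ip, h in hits.items() if h["count"] >= min_hits}


if __name__ == "__main__":
    for ip, h in sorted(find_probe_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {h['count']} truncated probe(s), {h['first']} .. {h['last']}")
```

The point of the example is the asymmetry the story hints at: a hard-coded check-in URL and a fixed abort point are cheap for the malware author but give the server operator a stable, low-false-positive signal. Human users who cancel a download occasionally will land in the window too, which is why the `min_hits` threshold exists; in practice you would also correlate the flagged addresses with the C&C traffic FireEye was analyzing before treating any one IP as infected.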

The ultimate “trick” of the takedown involved extensive planning, preparation, and legal maneuvering once the command and control hosts were identified. The researchers understood that a partial takedown would not work: the operators could simply move their software to other servers and broadcast new instructions pointing the legions of zombies at the new addresses. To obtain legal permission to seize all of the servers as close to simultaneously as possible, Microsoft and Pfizer had to prove to the courts that the botnet was costing them money and violating US federal anti-spam law (particularly the CAN-SPAM Act). That allowed the US Marshals to obtain warrants to seize the equipment on which the command and control servers were running, even when it did not belong to the ISP providing the hosting.

Given that the cybercrooks operating Rustock were spending $10,000 per month on hosting for the servers taken down, experts speculate that they must have been raking in many times that amount in ill-gotten gains from their spamming. Microsoft has also taken steps to keep the operators from regaining control of the zombies: it stood up its own command and control servers (in effect, a sinkhole) so the bots cannot receive fresh marching orders, and registered the backup domains that Rustock’s programmers had built into the malware for future use. The botnet operators have not yet been identified and remain at large.

For more information from the Microsoft perspective see the March 17, 2011 Official Microsoft Blog post entitled “Taking Down Botnets: Microsoft and the Rustock Botnet.”

Stu Sjouwerman
