Microsoft Takes Down Rustock Spam Network
Microsoft and federal authorities across the United States have successfully taken down a botnet known as Rustock, which is estimated to have approximately a million infected computers operating under its control and sends spam emails.
Microsoft said that the spam emails included fake Microsoft lottery scams and offers for fake prescription drugs.
This operation, known as Operation b107, is the second high-profile takedown in Microsoft?s joint effort between Microsoft Digital Crimes Unit (DCU), Microsoft Malware Protection Center and Trustworthy Computing - known as Project MARS (Microsoft Active Response for Security) - to disrupt botnets and begin to undo the damage the botnets have caused by helping victims regain control of their infected computers. This action relied on legal and technical measures to sever the connection between the command and control structure of the botnet and the malware-infected computers operating under its control to stop the ongoing harm caused by the Rustock botnet, Microsoft added.
The Rustock botnet was officially taken offline on Thursday, after a months-long investigation by DCU and Microsoft's partners, successful pleading before the U.S. District Court for the Western District of Washington and a seizure of command and control servers in multiple hosting locations escorted by the U.S. Marshals Service.
Microsoft filed suit against the anonymous operators of the Rustock botnet, based in part on the abuse of Microsoft trademarks in the bot's spam. However, Rustock's infrastructure was too complicated, relying on hard-coded Internet Protocol addresses rather than domain names and peer-to peer command and control servers to control the botnet, Microsoft said.
To be confident that the bot could not be quickly shifted to new infrastructure, Microsoft sought and obtained a court order allowing us to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis. Specifically, servers were seized from five hosting providers operating in seven cities in the U.S., including Kansas City, Scranton, Denver, Dallas, Chicago, Seattle, Columbus.
Botnets are known to be the tool of choice for cybercriminals to conduct a variety of online attacks, using the power of thousands of malware-infected computers around the world to send spam, conduct denial-of-service attacks on websites, spread malware, facilitate click fraud in online advertising and much more. This particular botnet is no exception.
Although its behavior has fluctuated over time, Rustock has been reported to be among the world's largest spambots, at times capable of sending 30 billion spam e-mails per day. DCU researchers watched a single Rustock-infected computer send 7,500 spam emails in just 45 minutes - a rate of 240,000 spam mails per day.
This operation, known as Operation b107, is the second high-profile takedown in Microsoft?s joint effort between Microsoft Digital Crimes Unit (DCU), Microsoft Malware Protection Center and Trustworthy Computing - known as Project MARS (Microsoft Active Response for Security) - to disrupt botnets and begin to undo the damage the botnets have caused by helping victims regain control of their infected computers. This action relied on legal and technical measures to sever the connection between the command and control structure of the botnet and the malware-infected computers operating under its control to stop the ongoing harm caused by the Rustock botnet, Microsoft added.
The Rustock botnet was officially taken offline on Thursday, after a months-long investigation by DCU and Microsoft's partners, successful pleading before the U.S. District Court for the Western District of Washington and a seizure of command and control servers in multiple hosting locations escorted by the U.S. Marshals Service.
Microsoft filed suit against the anonymous operators of the Rustock botnet, based in part on the abuse of Microsoft trademarks in the bot's spam. However, Rustock's infrastructure was too complicated, relying on hard-coded Internet Protocol addresses rather than domain names and peer-to peer command and control servers to control the botnet, Microsoft said.
To be confident that the bot could not be quickly shifted to new infrastructure, Microsoft sought and obtained a court order allowing us to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis. Specifically, servers were seized from five hosting providers operating in seven cities in the U.S., including Kansas City, Scranton, Denver, Dallas, Chicago, Seattle, Columbus.
Botnets are known to be the tool of choice for cybercriminals to conduct a variety of online attacks, using the power of thousands of malware-infected computers around the world to send spam, conduct denial-of-service attacks on websites, spread malware, facilitate click fraud in online advertising and much more. This particular botnet is no exception.
Although its behavior has fluctuated over time, Rustock has been reported to be among the world's largest spambots, at times capable of sending 30 billion spam e-mails per day. DCU researchers watched a single Rustock-infected computer send 7,500 spam emails in just 45 minutes - a rate of 240,000 spam mails per day.
