Microsoft's Digital Crimes Unit says it has busted its biggest criminal to date: a spam botnet by the name of Rustock.
In a blog post published this week, Microsoft said its Digital Crimes Unit took down the botnet, which sent billions of spam emails every day through a network of 150,000 computers running Microsoft Windows. Symantec reported that Rustock was responsible for 47 percent of the world's spam at its peak in December of last year. Microsoft said the Rustock takedown was a joint effort with federal law enforcement agents.
The takedown is the second by the Microsoft Digital Crimes Unit. A year ago, the team took down a much less threatening botnet called Waledac.
Microsoft said it filed suit against the anonymous operators of the Rustock botnet, which gave the company the legal footing to take it down. The suit, filed over the botnet's abuse of Microsoft's trademarks, was only part of the effort; the Seattle-based tech giant said this takedown required a little more legwork.
"To be confident that the bot could not be quickly shifted to new infrastructure, we sought and obtained a court order allowing us to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis," Richard Boscovich, senior attorney at Microsoft's Digital Crimes Unit, said on the blog.
With this court order in hand, Microsoft was able to seize servers from five hosting providers operating in seven cities across the U.S. It then cut off the IP addresses used to control Rustock, leaving the botnet essentially useless.
The Rustock takedown, known within Microsoft as Operation b107, targeted the source of the problem. Botnets like Rustock are the weapon of choice for criminals not only for sending spam but also for launching denial-of-service attacks and conducting click fraud against online advertising. In one day, a single Rustock-infected computer could send 240,000 spam emails, or 7,500 in 45 minutes.
Microsoft enlisted a few partners, including pharmaceutical giant Pfizer, in the battle against Rustock. Because much of the spam Rustock sent advertised fake pharmaceuticals using Pfizer's name, the company was directly affected by the botnet. Microsoft also worked with network security provider FireEye and security experts at the University of Washington on the case.
"All three provided declarations to the court on the dangers posed by the Rustock botnet and its impact on the Internet community," Boscovich said. Microsoft also worked with the Dutch High Tech Crime Unit within the Netherlands Police Agency to help dismantle the part of the botnet's command structure operating outside the United States. Additionally, Microsoft worked with CN-CERT to block the registration of domains in China that Rustock could have used for future command-and-control servers.
With Rustock out of the picture, Microsoft said it is now working with Internet service providers and Community Emergency Response Teams to clean up the damage the botnet caused.
Security company Symantec said it is too early to tell what impact Microsoft's takedown will have. In a blog post yesterday, it said that without Rustock, spam volumes would be less likely to spike from one day to the next. However, the botnet has gone quiet before, only to return as strong as ever.