With Rustock, a new twist on fighting Internet crime

Microsoft leads an effort to take down the world's worst spamming botnet

For more than 24 hours this week, it was a question that very few security experts could answer: Who had knocked the world's worst spam botnet offline?

After infecting close to a million computers and spamming out as many as 30 billion unwanted email messages a day, the Rustock botnet went silent around 11 a.m. Eastern Time on Wednesday.

Now we know the reason why: a small group of computer researchers, backed by Microsoft's lawyers, U.S. Marshals and international law enforcement officers, executed a number of surgical strikes on the botnet. Hitting it as if it were the mythical Hydra, they cut off Rustock's heads -- its command-and-control servers -- and scorched them to keep them from growing back. And now Microsoft is helping to clean up infected computers before Rustock's owners have a chance to regain control of their botnet.

With seizure warrants in their hands, and U.S. Marshals backing them up, Microsoft's lawyers descended on five hosting providers in U.S. cities such as Kansas City, Scranton, Denver, Dallas, and Chicago on Wednesday and "successfully severed the IP addresses that controlled the botnet, cutting off communication and disabling it," Microsoft said in a blog posting.

Rustock is one nasty piece of software. It gives the criminals control over an infected machine to send spam, attack another computer, or spy on the victim. It's installed by tricking a victim into visiting a malicious Web site or opening a specially coded email attachment -- and it is very difficult to detect and remove.

The botnet is notorious for sending out pharmaceutical spam, and its demise should put a further dent in global spam volumes, which have been down since two other major spamming botnets, Pushdo and Bredolab, were taken offline late last year.

With the Rustock takedown -- the first of several that are now in the works -- the Internet community has polished a technique for getting rid of complex global networks of malicious computers, said Barry Greene, president of the Internet Software Consortium, makers of the BIND Domain Name System (DNS) software. It all started months ago, as a large group of Internet researchers observed Rustock and developed techniques to destroy it. Then a much smaller trusted group was deputized and given the job of managing the takedown with law enforcement.

In this case the action was led by Microsoft, with help from security vendor FireEye, the University of Washington, drug maker Pfizer, and the Dutch police. Instead of using the criminal justice system, Microsoft filed civil suits against Rustock's anonymous operators and got court orders allowing them to seize the servers used to control the botnet, and the Dutch police helped take down servers outside of the U.S.

Microsoft worked with the civil courts and researchers a year ago to take down another botnet, Waledac, but Rustock was much more complex, involving not only the seizure of many servers, but also some tricky work at the DNS level.

Because infected Rustock machines have a Plan B -- connecting to their controllers on specific Internet domains when the regular command-and-control servers are taken offline -- Microsoft also had to work with Chinese authorities to prevent Rustock's operators from setting up new domains.

Rustock uses an ingenious algorithm to generate the names of Web sites that it tries to connect with for new instructions whenever its regular command-and-control servers are offline. Infected computers will go to predetermined daily news sites -- Slashdot for example -- and generate a special "seed" number based on what they find on the page. That seed number is then encrypted, giving the bad guys the name of the domain that Rustock will try to connect to. This makes it impossible to guess the domain names in advance. Microsoft seems to be blocking those new domains from registering for the time being, but one slip-up, and Rustock's creators will be back in charge.
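The following toy model, added here as an illustration and not code from the article or from Rustock itself, shows why a content-seeded fallback scheme cannot be predicted before the day's page exists, and what the defender's monitoring job looks like. Everything in it is an assumption: the sample page snapshots, the key, the hashing used as the "encryption" step, the number of candidate domains and the reserved `.test` TLD are all constructed stand-ins, chosen so the script runs offline. The defender side derives the day's candidates from the same page snapshot so they can be blocked or sinkholed; the `coverage` function shows the failure mode Stewart describes, where a defender whose snapshot differs from what the infected machines saw derives the wrong names.

```python
import datetime
import hashlib
import hmac
import string

# Constructed sample front-page snapshots. Hypothetical stand-ins for the daily
# news page the article says infected machines read; not real page content.
PAGE_SNAPSHOT_A = "Headlines: Kernel release | Telescope data | Spam volume drops"
PAGE_SNAPSHOT_B = "Headlines: Kernel release | Telescope data | Botnet goes quiet"

# Hypothetical key standing in for whatever secret the real algorithm mixes in.
TOY_KEY = b"illustrative-key-not-from-the-article"

# Arbitrary constructed date used for the examples below.
SAMPLE_DAY = datetime.date(2011, 3, 16)


def page_seed(page_text: str) -> int:
    """Toy seed derivation: hash the page text and keep 64 bits.

    Because the seed depends on page content that does not exist until the
    day arrives, nobody can enumerate future domains ahead of time.
    """
    digest = hashlib.sha256(page_text.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def seed_to_domain(seed: int, day: datetime.date, index: int, tld: str = "test") -> str:
    """Toy 'encryption' step: keyed hash of seed, date and index, mapped to a-z.

    `.test` is a reserved TLD, so these names can never resolve on the real Internet.
    """
    msg = f"{seed}:{day.isoformat()}:{index}".encode("utf-8")
    digest = hmac.new(TOY_KEY, msg, hashlib.sha256).digest()
    label = "".join(string.ascii_lowercase[b % 26] for b in digest[:12])
    return f"{label}.{tld}"


def candidate_domains(page_text: str, day: datetime.date, count: int = 5) -> list:
    """The list of rendezvous names an infected machine would try on `day`."""
    seed = page_seed(page_text)
    return [seed_to_domain(seed, day, i) for i in range(count)]


def blocklist_from_snapshot(page_text: str, day: datetime.date, count: int = 5) -> frozenset:
    """Defender side: derive the same names from the same snapshot so they can be
    pre-registered, blocked or sinkholed before the operators reach them."""
    return frozenset(candidate_domains(page_text, day, count))


def is_blocked(domain: str, blocklist: frozenset) -> bool:
    """Check a DNS query name against the day's derived blocklist."""
    return domain.lower().rstrip(".") in blocklist


def coverage(bot_page: str, defender_page: str, day: datetime.date, count: int = 5) -> float:
    """Fraction of the bots' candidates the defender actually covers.

    If the defender's snapshot differs from what the bots saw (fetched at a
    different time, a mirror, a cached copy), the derived names diverge and
    the operators get a window to register an unblocked domain.
    """
    bot_names = candidate_domains(bot_page, day, count)
    blocklist = blocklist_from_snapshot(defender_page, day, count)
    hits = sum(1 for name in bot_names if is_blocked(name, blocklist))
    return hits / len(bot_names)


if __name__ == "__main__":
    names = candidate_domains(PAGE_SNAPSHOT_A, SAMPLE_DAY)
    print("today's candidates:", names)
    print("coverage with matching snapshot:", coverage(PAGE_SNAPSHOT_A, PAGE_SNAPSHOT_A, SAMPLE_DAY))
    print("coverage with stale snapshot:  ", coverage(PAGE_SNAPSHOT_A, PAGE_SNAPSHOT_B, SAMPLE_DAY))
```

The design point is that the defender does not need the operators' server; it only needs the same public input and the same derivation, plus the discipline to re-run it every day with an accurate snapshot, which is exactly the ongoing monitoring burden the article describes.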

Rustock is "being suppressed; it's not really being taken down," said Joe Stewart, a researcher with Dell's SecureWorks unit. "If they stop monitoring those domains it could be back up within a few hours."

And that's a real concern, because Rustock's creator -- a hacker known only by his online handle, PE386 -- is still at large. That means he and his associates will probably return, said Thorsten Holz, an assistant professor at Ruhr-University Bochum. "As long as the attackers are running freely around, it's just some kind of Whack-a-Mole," he said. "I hope that in this case some arrests will follow."

Researchers have spent months painstakingly investigating the botnet, and while they may think they know how it works, a full-scale takedown is a trip into uncharted waters. "We're all saying where's the recovery?" Greene said. "Are they going to try and regain control over it? It's like atom-smashing. You do this very primitive thing: you smash the atom. And then you watch for after effects."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com
