Rustock take-down proves botnets can be crippled, says Microsoft

More than half of the PCs once infected with spamming malware now clean

Microsoft Tuesday said the coordinated take-down of the Rustock botnet and follow-up efforts had purged the malware from over half of the PCs once controlled by Russian hackers.

"This shows that disruptive action [against botnets] is viable and possible," said Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit.

"Once you start taking apart the infrastructure of botnets, you drive up the cost of [botnet gangs] doing business," Boscovich added in an interview Monday. "Disruptive action is just as good as trying to arrest someone."

Since March, when Microsoft lawyers and U.S. Marshals seized Rustock command-and-control (C&C) servers at five Web hosting providers in seven U.S. cities, the number of Windows PCs infected with the malware has dropped worldwide from 1.6 million to just over 700,000 as of June 18, Boscovich reported in a blog post today.

Microsoft also released a detailed report on Rustock, the take-down effort it led, and the impact of its anti-botnet campaign.

In the U.S., an estimated 86,000 Rustock-infected PCs in March had been reduced to some 53,000 by June, a drop of 38%. Other countries saw even bigger reductions: In India, the March tally of 322,000 infected machines plummeted by 69% to approximately 99,000 in June.

The take-down itself didn't remove the Windows PCs from Rustock control. Instead, the seizure of the U.S.-based C&C servers, combined with Microsoft's work to take control of the domains that Rustock was coded to use for fallback communications, prevented the botnet from updating itself.

That in turn gave antivirus vendors the breathing room they needed to issue signatures for the existing Rustock malware, and gave users the opportunity to scrub their systems with security software.

Microsoft, for instance, has provided Rustock signatures for its Malicious Software Removal Tool (MSRT), a free utility that detects and deletes malware, since 2008.

The take-down of Rustock's communications channels effectively silenced the botnet.

Since March, the botnet -- which was once one of the largest purveyors of spam, particularly pitches for fake drugs -- has been quiet. "Botnet activity dropped abruptly to almost zero in mid-March following the take-down," Microsoft said in its report.

Prior to the take-down, Rustock was capable of sending as many as 30 million spam messages daily.

"Cleaning the users' PCs is an important part, but really this shows that a technical countermeasure along with a legal countermeasure works," said Boscovich, talking about the two-pronged approach of seizing servers and shutting down Rustock's backup communications.

And the impact goes beyond Rustock.

"The minute you take down Rustock, what does that do to those who want to send spam?" Boscovich asked. "They have to find other botnets. But if you're a botnet herder, and you just saw Rustock go down -- with years of work coding and planting malware and maintaining the botnet -- you're going to charge more. And that's an impact on spammers' cost analysis, as it becomes more and more expensive to send out spam."

Statistics from Symantec seemed to prove Microsoft was on to something.

In its June report on spam and malware trends, Symantec said that spam levels had not recovered from the Rustock take-down, and in June accounted for 72.9% of all email, down from 83.1% in March.

Alex Lanstein, a senior engineer with FireEye who worked with Microsoft on the Rustock take-down, said the numbers spoke for themselves. "The spam drop is a direct result of the take-down," Lanstein said Monday.

But Symantec also said there was evidence that another botnet, dubbed "Grum," had stepped in to partially replace Rustock. The security firm cited such factors as similar subject lines, sending domains, a change in character sets by Grum just hours after the Rustock take-down and similarities in the two botnets' distribution patterns.

So are botnet take-downs just a game of "Whack-a-Mole," where bashing one botnet only sees it replaced by another?

"I think that's foolish to say," Boscovich said. "If you don't take action, what do you do, sit and watch it happen? This weeds out the smaller players, who decide that they can't afford the higher costs of sending spam. If everyone started doing more proactive work like [take-downs], we really would be able to take down a lot of players, and disrupt the entire spam ecosystem."

"It's not nitpicking, but there are always a lot of naysayers who play up the negative angle," added Lanstein. "The lasting impact comes from how much you follow through."

And in his eyes, Microsoft is committed to the battle long term. "[Microsoft] is bringing the fight to the bad guys," said Lanstein. "This is definitely not the last botnet we're going to go after."

Microsoft has not yet identified the presumed head of the Rustock botnet gang, but last week a federal judge granted its request to extend its effort to notify unnamed defendants in the lawsuit, a legal formality designed to give potential defendants an opportunity to respond to charges.

Microsoft believes the Rustock operator resides in either St. Petersburg or Moscow in the Russian Federation; last month it published legal notifications in those cities' newspapers.

Although Boscovich said it was unlikely the defendants would step forward, he sounded confident that, with the information on the seized servers and other investigations, someone would be held accountable for Rustock.

"We think we can do some more to identify the individuals to zone in on the actual defendants in this case," Boscovich said. "I believe there's a strong likelihood [that we'll identify someone], but it's not a guarantee."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.
