Microsoft passes Rustock botnet baton to FBI

Take-down and command disruption reduces botnet by 74% since March

Microsoft on Thursday wrapped up its civil case against the still-unnamed controllers of the Rustock botnet and handed off the information gleaned during its investigation to the FBI.

But the move doesn't end the company's six-month operation: Last week, a federal judge granted Microsoft and others the right to lock up tens of thousands of Internet protocol (IP) addresses for the next two years.

The IP addresses were ones that the Rustock controllers could use to issue commands to the malware that still exists on infected PCs.

Richard Boscovich, a senior attorney in the Microsoft Digital Crimes Unit, was confident that authorities would find, arrest and prosecute those involved with Rustock.

"We went as far as we could on the civil side, [but] we were able to develop some very good leads that we think will lead to the identities of some of those responsible," said Boscovich in an interview yesterday. "We decided to give our findings to law enforcement, so they could use their expertise. It was a natural progression for the case."

Later during the interview, Boscovich said he "felt pretty good" about the chance that authorities will eventually make arrests.

In March, Microsoft lawyers and U.S. Marshals seized Rustock command-and-control (C&C) servers at five Web hosting providers in seven U.S. cities, crippling the botnet. At the time, Rustock was hiding on an estimated 1.6 million Windows PCs worldwide, and was being used to send massive quantities of spam -- up to 30 billion messages daily -- much of it pitches for fake pharmaceuticals.

The take-down and subsequent suppression efforts have prevented Rustock from reviving, according to Microsoft.

In a blog post Thursday, Boscovich said that as of September, Microsoft had identified about 422,000 Rustock-infected PCs, a 74% reduction since March. The September numbers were an improvement over June, when Microsoft said that more than 700,000 PCs harbored the Rustock malware.

The take-down didn't remove the Windows PCs from Rustock control. Instead, the server seizures and the blocking of domains Rustock was to use for fallback communications kept the botnet from updating itself.

That, in turn, gave antivirus vendors the time they needed to issue signatures for the existing Rustock malware, and for Internet service providers (ISPs) to notify users that their machines had been compromised.

But for all its work -- including offering a $250,000 reward for information that leads to an arrest -- Microsoft has not been able to conclusively identify those who controlled the botnet.

In an earlier filing with a Seattle federal court, Microsoft said it had traced payments for the hosting of some of Rustock's C&C servers to a specific Webmoney account, and after asking the Russian online payment service for help, identified the owner of that account as one Vladimir Alexandrovich Shergin of Khimki, a city 14 miles northwest of Moscow.

However, Microsoft had cautioned the court that Shergin might not be the actual purchaser of Rustock's C&C hosting services.

The $250,000 reward, which Microsoft posted in July, brought in scores of tips, including some high-quality leads, said Boscovich.

"Some of the information we received seemed to be coming from other individuals in the 'industry,'" said Boscovich, referring to the botnet cybercrime business. He said Microsoft was able to gauge the legitimacy of the incoming tips by using information it had already collected.

"We were getting some very good discovery," Boscovich said, talking about the civil case's investigative phase. "We wanted to supplement that by offering the reward."

Microsoft has not withdrawn the reward, but has asked that tips now be submitted to an FBI email address.

Some of what Microsoft learned during its Rustock digging revealed other cybercrimes, information that the company and others can use.

"It's like when you're walking down an alley looking for one crime, on the way you see several others," Boscovich said. "[The investigation] led to a lot of good leads, not just about Rustock, but about the industry itself."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His e-mail address is .
