After 24 hours of leaving everyone guessing, Microsoft late Thursday (March 17) took credit for the sudden takedown the day before of Rustock, the world’s biggest source of e-mailed spam.
“Just over a year ago, we announced that the Microsoft Digital Crimes Unit (DCU), in cooperation with industry and academic experts, had successfully taken down the botnet Waledac in an operation known as ‘Operation b49,’” wrote Richard Boscovich of the Microsoft Digital Crimes Unit in a blog posting late Thursday. “Today, I’m happy to announce that based on the knowledge gained in that effort, we have successfully taken down a larger, more notorious and complex botnet known as Rustock.”
As SecurityNewsDaily wrote yesterday, botnets are hidden networks of computers that have been enslaved by malware, which burrows deep into their operating systems and opens “backdoors” that allow control by remote operators, or “bot herders,” via command-and-control servers.
The bots, ordinary machines scattered across the globe whose users have no idea they are infected, are mostly used to send out spam.
Rustock specialized in touting unlicensed online pharmacies and male performance-enhancing pills — if you've gotten Viagra-related spam, you've probably been hit by Rustock.
For several months, Microsoft and its allies, among them the security firm FireEye, the pharmaceutical maker Pfizer (source of the real Viagra) and the University of Washington, silently watched Rustock in operation. They determined that most of the botnet’s command-and-control servers, used to handle the hundreds of thousands of PCs enslaved by the “bot herders,” were based in the United States.
That fact gave Microsoft a legal basis on which to act, and it filed a civil complaint against the operators of Rustock, identified only as John Does 1 through 11, last month in federal court in Seattle.
Its grounds were that the Rustock operators had not only violated the CAN-SPAM act (which establishes consumer protections in relation to marketing and spam e-mails), but had also violated various Microsoft trademarks and copyrights, which gave it the right to seize the servers should the judge rule in Microsoft’s favor.
As none of the botnet operators would come forward to defend themselves, the case proceeded. On Wednesday, U.S. marshals armed with a court order shut down and seized servers in seven metropolitan areas, among them Kansas City, Seattle, Chicago, Denver, Dallas, Scranton, Pa. and Columbus, Ohio.
Dutch police simultaneously seized servers in the Netherlands, Rustock was effectively decapitated and worldwide spam level plummeted.
However, that doesn’t mean the story’s over. Rustock-infected machines — Microsoft estimates that there are about a million of them — are at this moment frantically searching for new masters, and anyone who has the right software and algorithm to generate the appropriately coded URLs can probably take control of them.
The Waledac botnet that Microsoft took down last year is alive again, if less powerful. That’s why it’s important that all PC users install and run antivirus software – much of it is free – and take common-sense measures when opening e-mail attachments.
Boscovich used a good analogy to explain how PC owners should be aware of the botnet threat.
“It’s like a gang setting up a drug den in someone’s home while they’re on vacation and coming back to do so every time the owner leaves the house, without the owner ever knowing anything is happening,” Boscovich wrote in yesterday’s blog posting.
“Home owners can better protect themselves with good locks on their doors and security systems for their homes,” he added. “Similarly, computer owners can be better protected from malware if they run up-to-date software — including up-to-date antivirus and anti-malware software — on their computers.”