Microsoft Passes Rustock Botnet Baton to FBI
Fri, September 23, 2011
Computerworld — Microsoft on Thursday wrapped up its civil case against the still-unnamed controllers of the Rustock botnet and handed off the information gleaned during its investigation to the FBI.
But the move doesn't end the company's six-month operation: Last week, a federal judge granted Microsoft and others the right to lock up tens of thousands of Internet protocol (IP) addresses for the next two years.
The IP addresses were ones that the Rustock controllers could use to issue commands to the malware that still exists on infected PCs.
Richard Boscovich, a senior attorney in the Microsoft Digital Crimes Unit, was confident that authorities would find, arrest and prosecute those involved with Rustock.
"We went as far as we could on the civil side, [but] we were able to develop some very good leads that we think will lead to the identities of some of those responsible," said Boscovich in an interview yesterday. "We decided to give our findings to law enforcement, so they could use their expertise. It was a natural progression for the case."
Later during the interview, Boscovich said he "felt pretty good" about the chance that authorities will eventually make arrests.
In March, Microsoft lawyers and U.S. Marshals seized Rustock command-and-control (C&C) servers at five Web hosting providers in seven U.S. cities, crippling the botnet. At the time, Rustock was hiding on an estimated 1.6 million Windows PCs worldwide, and was being used to send massive quantities of spam -- up to 30 billion messages daily -- much of it pitches for fake pharmaceuticals.
The take-down and subsequent suppression efforts have prevented Rustock from reviving, according to Microsoft.
In a blog post Thursday, Boscovich said that as of September, Microsoft had identified about 422,000 Rustock-infected PCs, a 74% reduction since March. The September numbers were an improvement over June, when Microsoft said that more than 700,000 PCs harbored the Rustock malware.
The take-down didn't remove the Windows PCs from Rustock control. Instead, the server seizures and the blocking of domains Rustock was to use for fallback communications kept the botnet from updating itself.
That, in turn, gave antivirus vendors the time they needed to issue signatures for the existing Rustock malware, and for Internet service providers (ISPs) to notify users that their machines had been compromised.
But for all its work -- including offering a $250,000 reward for information that leads to an arrest -- Microsoft has not been able to conclusively identify those who controlled the botnet.
In an earlier filing with a Seattle federal court, Microsoft said it had traced payments for the hosting of some of Rustock's C&C servers to a specific Webmoney account, and after asking the Russian online payment service for help, identified the owner of that account as one Vladimir Alexandrovich Shergin of Khimki, a city 14 miles northwest of Moscow.