Rustock Civil Case Closed: Microsoft Refers Criminal Evidence to FBI

Six months after I first wrote about how the Microsoft Digital Crimes Unit, Microsoft Malware Protection Center, Trustworthy Computing and our partners shut down the Rustock botnet, I am pleased to report that we have successfully concluded our civil case against the Rustock botnet operators. We’re now referring the matter, and the discovery gathered during our civil case, to the FBI for criminal review.

As you may have read in this morning’s edition of CNET, on Sept. 13th, Judge James L. Robart, of the U.S. District Court for the Western District of Washington, ruled that the domain names and Internet Protocol (IP) addresses used to host the botnet would be effectively removed from the defendants’ control. This case not only enabled the takedown of a botnet known to be one of the single largest sources of spam on the Internet, but it is now helping to ensure that this botnet will never be used for cybercrime again. However, we’re not stopping here.

We are also turning over all of the evidence we collected during discovery and our investigation to the FBI, to help ensure those responsible for operating the Rustock botnet are held accountable for their actions. It is important to note that Microsoft’s $250,000 reward offer for information that leads to the arrest and conviction of Rustock’s operators remains in effect, but now any tips should be sent directly to the FBI at [email protected].

We are also continuing to work with Internet service providers (ISPs) and Community Emergency Response Teams (CERTs) around the world to undo the damage Rustock has caused, and help people regain control of their computers. We already see great progress, with our estimates showing that as of Sept. 13th, the Rustock botnet has decreased in size by almost 75 percent since we took it down in March.

We also have positive new numbers to share regarding Rustock infection rates per country, since we released our special edition Security Intelligence Report (SIR) on Rustock in June.

Worldwide Rustock reduction rate (by observed known IP address infections):

| Observed Mar 20-26, 2011 | Observed Sept 11-17, 2011 | Reduction Mar – Sept 2011 |
|---|---|---|
| 1,601,619 | 421,827 | 73.66% |

Top 10 infected countries at start of Rustock takedown:

| Country | Observed Mar 20-26, 2011 | Reduction Mar – Sept 2011 |
|---|---|---|
| India | 322,566 | 85.47% |
| Russia | 93,703 | 82.76% |
| Turkey | 89,122 | 68.43% |
| USA | 86,375 | 58.01% |
| Italy | 53,656 | 62.31% |
| Brazil | 46,978 | 72.32% |
| Ukraine | 45,828 | 83.84% |
| Germany | 43,946 | 66.43% |
| Malaysia | 42,541 | 83.60% |
| Mexico | 39,648 | 72.54% |

Top 10 infected countries as of today:

| Country | Observed Sept 11-17, 2011 | Reduction Mar – Sept 2011 |
|---|---|---|
| India | 46,865 | 85.47% |
| USA | 36,269 | 58.01% |
| Turkey | 28,135 | 68.43% |
| Italy | 20,225 | 62.31% |
| Russia | 16,150 | 82.76% |
| France | 15,037 | 51.66% |
| Germany | 14,753 | 66.43% |
| Brazil | 13,005 | 72.32% |
| United Kingdom | 11,521 | 49.98% |
| Poland | 11,493 | 64.78% |

Although there have been significant strides in cleaning up computers infected with Rustock malware, this is a long-term effort. We continue to provide free tools and information to clean your computer at support.microsoft.com/botnets.

Lastly, we take what we learn from the cases we have filed under the Project MARS program and leverage it to build a stronger and more robust intelligence database. We are releasing new videos today that give a precise moment-to-moment view of what the footprint of the Rustock and Waledac botnets looked like worldwide as of yesterday as infected computers continue to attempt to check into them. Intelligence like this has already helped in the cleanup effort with ISPs and CERTs around the world and we are looking at other ways of applying this in our quest to disrupt the infrastructure used by cyber criminals. Stay tuned for more information on this – and our ongoing fight against cybercrime – in the coming weeks.

Fighting botnets will always be a complex and difficult endeavor as cybercriminals find new and creative ways to infect people’s computers with malware, whether for financial gain or simply to be disruptive. However, the good guys are making progress and this latest legal victory is yet another blow to the botherders’ business. This takedown not only caused spam levels to drop, but more importantly, hit these criminals where it counts – in the pocketbook.

By taking out Rustock’s infrastructure, we disrupted the botherders’ enterprise, and it is disruptive action like this that will have a positive impact in the fight against botnets. The FBI and the Department of Justice used a similar approach to take down the Coreflood botnet in April, and we hope others will join us in using this strategy, because only collaboration will win out in the long run.

Posted by Richard Domingues Boscovich
Senior Attorney, Microsoft Digital Crimes Unit