Initial Revelations and Results of the Rustock Takedown

Almost three weeks ago, I blogged about the Microsoft Digital Crimes Unit’s takedown of the Rustock botnet in an action dubbed “Operation b107.”

The takedown has thus far proven to be very successful and, since that time, we’ve worked every day to keep Rustock down, and begin the process of undoing the damage that it has caused. Yesterday afternoon, we returned to the court for a hearing where those accused of operating the Rustock botnet could answer to the allegations, and dispute the need for the temporary restraining order.

As we expected, they did not appear. Consequently, we went forward and asked the court for preliminary injunctive relief to help ensure the Rustock botnet remains inoperable as the legal case proceeds. Below, I provide an update on Rustock, but first it’s worth explaining the status of the court case.

Yesterday’s court hearing before the U.S. District Court for the Western District of Washington was a result of our February 9th filing in which we secured an ex parte temporary restraining order (TRO) to take down the Rustock botnet. The ex parte TRO is a well-established legal process that balances the rights of the party being harmed with the need to provide the defendants an opportunity to have their case heard.

In the Rustock case, as well as the Waledac case, we argued – and the court agreed – that if the domain owners or IP registrants had advance warning of our intention to disconnect the botnets’ command and control infrastructure from the Internet, they would easily and anonymously move to different domains or IP addresses, bringing us back to square one. As a result, the court awarded Microsoft the ex parte TRO, which allowed us to take down the botnet without giving the defendants any notice.

However, as required by law, Microsoft followed the execution of the order with good-faith efforts to contact the defendants, notifying them of the severance and the scheduled hearing in which they could defend their ownership interests. To try and reach these unknown person or persons, we created a website dedicated to this case, and sent notice of the complaint and TRO to the postal and e-mail addresses provided by the registrants and to the registrars to be forwarded to registrants.

As expected, given the nature of the case, the defendants did not appear in court yesterday, meaning that the case will go on. We will now move the court to allow us due discovery of the evidence gathered from the seizures, including dozens of server hard drives, to learn what we can about the identity of those behind Rustock, in an effort to fulfill our notice obligations, as well as to learn about the extent of damage caused by the  botnet’s operations. 

As for the Rustock botnet, we’re pleased that, for now, the bot remains flatlined, and both the botnet’s communications and spam volumes overall appear to have been suppressed. It’s important to note, however, that cybercriminals and spammers are determined and resourceful, and may move operations elsewhere. No single action will completely wipe out the distribution of malware or spam. Rather, the lesson of this operation is that through concerted, collaborative and aggressive efforts, the security community can help diminish the impact of cybercrime, and make it harder for criminals to operate successfully.

Meanwhile, the lasting impact of Operation b107 is that we now have the opportunity to help clean the  more than one million computers infected with Rustock malware as well as what we describe in our complaint as a “devil’s brew” of other malware that is often downloaded along with the Rustock malware. In the first seven days (e.g., 3/16/2011 16:00 – 3/23/2011 16:00 GMT) after the takedown, we saw roughly 1.7 million unique IP addresses from malware-infected computers attempt to check in for commands from the Rustock botnet. Although we know each IP address does not necessarily equate to a unique infected computer, thanks to the takedown process, we continue to learn more about the footprint and operations of this notorious botnet.

Unfortunately, as long as a computer is infected with Rustock malware, it remains at risk for being under the control of a botherder – whether that’s via other botnet malware on the computer or the potential that the Rustock botherders regain control of the botnet for whatever reason. Microsoft is working with our partners on an ongoing basis to keep the botnet down, as we have successfully done with Waledac to date. However, until infected computers are cleaned of malware, they remain at significant risk. That’s why Microsoft is currently working with ISPs, CERTs and others around the world to contact the owners of known Rustock-infected machines individually with guidance on how to scan for and remove Rustock and other malware from their computers.

Additionally, as mentioned previously, Microsoft has created a dedicated website to provide free information and tools to help people get rid of malware like Rustock and regain control of their computers. We encourage all computer users to exercise safe practices to protect their computers from becoming infected with malware, such as running up-to-date software (for Windows users, this means also ensuring Windows Update is turned on to automatically update your Windows software), firewall protection and anti-virus and anti-malware protection.

You should also exercise caution when surfing the Web, clicking on ads or opening e-mail attachments that may prove to be malicious. More information about staying safe online can be found at http://www.microsoft.com/protect and http://www.microsoft.com/presspass/presskits/dcu/videogallery.aspx?contentID=botnet_spam.  

This case and this operation are ongoing, and we will continue to share updates with new information as we move forward.

Tags: ,