Hot on the Trail of the Rustock Botnet

In March, we announced that Microsoft had, with the help of industry partners and law enforcement, taken down the notorious spamming botnet, Rustock.

Since that time, I’m happy to report that the botnet has stayed dead. Our technical countermeasures have worked effectively to prevent the bot’s self-defense mechanisms from reanimating it. Moreover, in the months since the takedown, we’ve seen the number of infected IP addresses (a loose proxy for the number of infected computers) decline as more and more people update their software or get malware removed from their PCs.

However, keeping the botnet dead and decaying is just one part of our larger objective. To effectively reduce the global volume of cybercrime, we need to successfully deter the criminals who seek to profit from botnets. To prevent future botherders from hijacking computers to spread malware and come-ons for counterfeit pharmaceuticals, we need to hold today’s botherders accountable. As such, the Microsoft Digital Crimes Unit continues to follow this case wherever it leads us. Based on evidence gathered in the case (which can be found at, we have reason to believe that the people behind the Rustock botnet either have operated or are operating out of Russia. Consequently, we have placed advertisements in two mainstream Russian newspapers, the Delovoy Petersburg in St. Petersburg and Moscow’s daily paper, The Moscow News. Below is an image of the ad as it appeared in The Moscow News:

By placing these quarter-page ads, which will run for 30 days, we honor our legal obligation to make a good faith effort to contact the owners of the IP address and domain names that were shut down when Rustock was taken offline. The ads notify them of the takedown as well as the date, time and location of hearings where they will have an opportunity to make their case. In addition to the ads, we created the website specifically dedicated to this case, and have sent notice of the complaint and court orders to the postal and e-mail addresses provided by the defendants when they signed up for IP addresses and domains used to control the botnet.

Although history suggests that the people associated with the IP addresses and domain names connected with the Rustock botnet are unlikely to come forward in response to a court summons, we hope the defendants in this case will present themselves. If they do not, however, we will continue to pursue this case, including possibly within the Russian judicial system, if necessary. We remain firmly committed to taking action against not just the perpetrators of this botnet, but to disrupt digital crime globally to make the Internet safer for everyone.

Don’t let criminals use your computer to do their dirty work. If you believe your computer may be infected by Rustock or other types of malware, we encourage you to visit for free information and resources to clean your computer. To follow the Microsoft Digital Crimes Unit for news and information on proactive work to combat botnets and other digital threats, visit or

Posted by Richard Boscovich
Senior Attorney, Microsoft Digital Crimes Unit

Tags: , ,