Rustock spam botnet taken down by Microsoft
May 26, 2011

Court action by Microsoft saw the Rustock botnet taken offline in March, causing an almost immediate drop in global spam volumes. The Rustock action was unusual in that Microsoft made claims not only of spamming, but also of trademark infringement. Trademark infringement allows the wronged party to seize the property of the infringer, and it is this seized property—specifically, hard disks used in the botnet's command and control servers—that has enabled the company to determine who was responsible for the network.
In a status report given to the court, Microsoft described the results of its forensic examination of the disks. Templates for Viagra, Vicodin, and Valium spam, spam-generating software, and hundreds of thousands of e-mail addresses were all found. One system showed evidence of the use of a number of Russian Web sites, including Web mail provider mail.ru and free software portal freesoft.ru. Other seized disks showed signs that they had been used as nodes in the TOR anonymous proxying system.
More significantly, Microsoft found e-mail addresses that appear to have been used in the testing and setting up of the botnet—e-mail addresses that the company is now attempting to trace.
The seized disks are not the only thing that Redmond has been analyzing. Subpoenas have been served to the domain registrars through which the network's control domains were registered, and to the e-mail providers used by the botnet's owners in their correspondence with those registrars. Though most of the payments were found to use stolen credit cards, the company says that further e-mail addresses were identified, and it is following up these leads.
The company is also investigating the hosting arrangements of the command and control servers themselves. The report says that some of the hosting used for the servers was paid for by a specific Webmoney account. Webmoney is an online payment system widely used in Russia. According to Webmoney, the account in question belongs to Vladimir Alexandrovich Shergin, with an address in Khimki, a city near Moscow. The investigators are currently attempting to discover if this person is real, and if so, whether he has had his identity stolen or is genuinely involved in the botnet.
A person with the nickname Cosma2k has also been associated with the command and control servers; Microsoft has associated this nickname to a number of real names, and is following up on this lead too.
The status reports are a condition of the injunction and seizure authorization the courts initially gave the company. In addition to being filed with the court and published online, the relevant status reports, summonses, and court orders have also been sent by the company to the various e-mail addresses identified during the course of the investigation. The company notes, however, that "Since the entry of the preliminary injunction, to date, neither Microsoft nor Microsoft’s counsel have received any communication from any Defendant associated with the Rustock botnet."
Author: Peter Bright