Microsoft, Feds Deep-Six Rustock Botnet
A series of raids last week submarined Rustock, Microsoft said, noting that it had filed a lawsuit that sparked the raids.
Rustock would take control of a computer and use it to send spam. It is believed that Rustock amassed a spam-saturating network of machines that topped a million infected computers.
"This botnet is estimated to have approximately a million infected computers operating under its control and has been known to be capable of sending billions of spam mails every day," Richard Boscovich, senior attorney in the Microsoft Digital Crimes Unit, wrote in a blog post detailing the taking down of Rustock.
At its peak, Rustock was responsible for nearly half of the world's spam e-mail, according to Symantec. On average, the Rustock botnet made up about 39 percent of global spam. Microsoft estimated that Rustock was capable of sending 30 billion spam e-mails per day and, through the investigation, researchers witnessed a single Rustock-infected machine sending 7,500 spam emails in 45 minutes.
Rustock is most famous for the spam e-mail campaigns soliciting cheap and bogus medications through the Canadian Pharmacy, an Internet pharmacy offering Viagra, Cialis, Lipitor and other prescription medications. Rustock also sent fake Microsoft lottery scams. But Rustock was extra diabolical in that up to 77 of its spam was encrypted.
According to Boscovich's blog post, the Rustock botnet was officially taken offline on Tuesday after a months-long investigation by Microsoft's Digital Crimes Unit, the U.S. District Court of the Western District of Washington and the U.S. Marshals Service. The probe lead to a coordinated seizure of command and control servers in several hosting locations, Microsoft said. Microsoft said the take down of Rustock was similar, but more complex than last year's dismantling on the Waledac botnet.
"Microsoft filed suit against the anonymous operators of the Rustock botnet, based in part on the abuse of Microsoft trademarks in the bot's spam. However, Rustock's infrastructure was much more complicated than Waledac's, relying on hard-coded Internet Protocol addresses rather than domain names and peer-to-peer command and control servers to control the botnet," Boscovich wrote. "To be confident that the bot could not be quickly shifted to new infrastructure, we sought and obtained a court order allowing us to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis."