Mar 23, 2011 12:51 GMT

A large botnet acting as a distribution platform for Rustock and other malware seems to have been abandoned by its creators in an attempt to erase their tracks.

Dubbed Harnig, the botnet has been part of Rustock's propagation scheme for around two years. This means the bot client might exist on many of the one million Rustock-infected computers.

The Rustock botnet, one of the world's primary sources of email spam, was taken down in a coordinated effort that saw the participation of Microsoft's Digital Crimes Unit (DCU) and the U.S. Marshals Service.

Authorities seized hard drives from hosting providers in seven U.S. cities, which were providing resources for the Rustock operation.

Soon after the takedown, all Harnig command and control (C&C) servers were wiped out by the botnet's masters in a surprising move.

"I must say that this was quite surprising for me," says Atif Mushtaq, a security research engineer at security vendor FireEye.

"Apparently there was no immediate danger to the Harnig botnet. No one was really going after it but it looks like the Harnig and Rustock operators must have been very close to each other such that a hit on Rustock panicked the Harnig bot herders and they felt that they better go underground for a while," he adds.

This is even more surprising since, unlike Rustock, which hosted most of its C&C servers in the U.S., Harnig's infrastructure was much more widespread.

For example, around 45% of Harnig C&Cs were hosted in Russia and 4% in China, two countries known for their so-called bulletproof hosting services.

In addition, Harnig's client list extended well beyond Rustock. According to FireEye, the botnet was seen distributing trojans like SpyEye, Zbot or Ertfor.

The fact that Harnig's owners chose to delete everything and gave up their entire pay-per-install operation reinforces the idea that they are very close to the Rustock gang, or are even part of it.