When Microsoft took down Waledac in 2010, the company was just warming up for upcoming fights with the heavyweights of the botnet universe.
But it appears that shutting down Waledac was nothing but good practice for the Microsoft Digital Crimes Unit (DCU), which announced that it prescribed a lethal dosage of “offline” to Rustock, one of the world’s largest botnets and a primary source of prescription-drug spam.
As was the case with Waledac, shuttering Rustock involved an industry-wide collaboration, and a combination of legal and technical measures.
“Rustock’s infrastructure was much more complicated than Waledac’s, relying on hard-coded Internet Protocol addresses rather than domain names and peer-to-peer command and control servers to control the botnet,” revealed Richard Boscovich, Senior Attorney, Microsoft Digital Crimes Unit.
“To be confident that the bot could not be quickly shifted to new infrastructure, we sought and obtained a court order allowing us to work with the U.S. Marshals Service to physically capture evidence onsite and, in some cases, take the affected servers from hosting providers for analysis.”
DCU estimates that approximately 1 million infected PCs, known as bots or zombie computers, were part of Rustock, powering this immense spam machine.
The hardware seized by authorities from five hosting providers in Kansas City, Scranton, Denver, Dallas, Chicago, Seattle, and Columbus was abused by bot herders to control the bots. Elements of the botnet’s command and control infrastructure were also seized outside of the US, with the help of the Dutch High Tech Crime Unit within the Netherlands Police Agency.
Additional work was done to cut communications between elements of the botnet by blocking IP addresses used to control zombie computers.
“Additionally, Microsoft worked with CN-CERT in blocking the registration of domains in China that Rustock could have used for future command and control servers,” Boscovich added.
“We are also now working with Internet service providers and Community Emergency Response Teams (CERTs) around the world to help reach out to affected computer owners and help them clean the Rustock malware off their computers.”
According to Microsoft, Rustock was capable of sending in excess of 30 billion spam e-mails per day, some 240,000 messages from a single infected zombie computer, without its owner knowing it.
The software giant underlined the danger that Rustock posed to users, because it was used as a channel to advertise counterfeit or unapproved knock-off pharmaceuticals.
“Because Rustock propagated a market for these fake drugs, drug-maker Pfizer served as a declarant in this case,” Boscovich explained.
“Pfizer’s declaration provides evidence that the kind of drugs advertised through this kind of spam can often contain wrong active ingredients, incorrect dosages or worse, due to the unsafe conditions fake pharmaceuticals are often produced in.
“Fake drugs are often contaminated with substances including pesticides, lead-based highway paint and floor wax, just to name a few examples.”