Microsoft Conducts Massive Botnet Takedown Action

Sabre
DCAWD Founding Member
Posts: 21432
Joined: Wed Aug 11, 2004 8:00 pm
Location: Springfield, VA
Contact:

Microsoft Conducts Massive Botnet Takedown Action

Post by Sabre »

WSJ article
Microsoft Corp. and federal law enforcement agents seized computer equipment from Internet hosting facilities across the U.S. in a sweeping legal attack designed to cripple the leading source of junk email on the Internet.

Microsoft launched the raids as part of a civil lawsuit filed in federal court in Seattle in early February against unnamed operators of the Rustock "botnet," a vast network of computers around the globe infected with malicious software that allows its masterminds to distribute enormous volumes of spam, peddling everything from counterfeit software to pharmaceuticals.

In recent years, Microsoft has stepped up legal actions against a variety of Internet nuisances like spam that it believes inflict harm on its product and reputation. Spam taxes the servers of its Hotmail email service, and impacts the Internet experience of users of Microsoft software like Windows and Office. The malicious code used to form spam botnets often exploits security vulnerabilities in products like Windows.

That lawsuit was unsealed late Thursday by a federal judge, at Microsoft's request, after company executives said they dealt a seemingly lethal blow to the botnet in their raids on Wednesday.

As part of that dragnet, U.S. marshals accompanied employees of Microsoft's digital crimes unit into Internet hosting facilities in Kansas City, Mo.; Scranton, Pa; Denver; Dallas; Chicago; Seattle and Columbus, Ohio. The Microsoft officials brought with them a federal court order granting them permission to seize computers within the facilities alleged to be "command-and-control" machines, through which the operators of the Rustock botnet broadcast instructions to their army of infected computers, estimated by Microsoft at more than one million machines world-wide.

Microsoft doesn't allege in its lawsuit that the Internet hosting companies knew that machines within their facilities were being used as part of Rustock.
Sabre (Julian)
Image
92.5% Stock 04 STI
Good choice putting $4,000 rims on your 1990 Honda Civic. That's like Betty White going out and getting her tits done.
PGT
DCAWD Groupie
Posts: 1578
Joined: Mon Jun 04, 2007 11:06 am
Location: Loudoun

Re: Microsoft Conducts Massive Botnet Takedown Action

Post by PGT »

Wonder how the owners might have been affected (assuming it wasn't the owners of the botnet itself, of course).
2013 BMW 328i M Sport with 8sp in Estoril Blue II
2012 Chrysler 300C SRT8 - Always bet on black
2012 Jeep Wrangler Unlimited Rubicon Call of Duty: Modern Warfare 3 Edition, otherwise known as the MW3 (and badass)

Re: Microsoft Conducts Massive Botnet Takedown Action

Post by Sabre »

Sadly, I'm guessing this only put a minor dent in that botnet. Sure, you might have captured 9/10 of the main bots, but as long as 1 remains, it can redirect all of the child ones to a whole new set of main bots.
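The point raised above, that seizing command-and-control servers leaves the infected clients in place (and possibly reachable by any surviving controller), is the reason defenders hunt for those clients after a takedown rather than assuming the problem went away. The following is an added example, not code from the thread, the WSJ or Register articles, or from Microsoft or FireEye. It assumes a simple firewall log format and uses constructed C2 addresses and log lines; nothing on this page gives Rustock's real controller addresses. It flags internal hosts that keep attempting connections to now-dark C2 addresses at a regular interval, which is what a bot's check-in timer looks like once its controllers stop answering:

```python
"""Post-takedown triage: find internal hosts still beaconing to seized C2 addresses.

Added example for this thread; not Microsoft's, FireEye's or the articles' tooling.
The C2 addresses, log format and log lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed: addresses of "seized" C2 hosts. Once seized they stop answering,
# so infected clients keep retrying and leave a trail of failed connects.
SEIZED_C2 = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed firewall log: timestamp, source, destination, dest port, action.
SAMPLE_LOG = """\
2011-03-17T00:00:00 10.0.0.5 203.0.113.10 80 DENY
2011-03-17T00:10:01 10.0.0.5 203.0.113.10 80 DENY
2011-03-17T00:20:00 10.0.0.5 203.0.113.11 80 DENY
2011-03-17T00:30:02 10.0.0.5 203.0.113.10 80 DENY
2011-03-17T00:03:12 10.0.0.9 203.0.113.10 80 DENY
2011-03-17T00:01:00 10.0.0.7 93.184.216.34 443 ALLOW
2011-03-17T00:45:00 10.0.0.7 93.184.216.34 443 ALLOW
2011-03-17T00:00:30 10.0.0.12 198.51.100.7 80 DENY
2011-03-17T00:01:00 10.0.0.12 198.51.100.7 80 DENY
2011-03-17T00:04:00 10.0.0.12 198.51.100.7 80 DENY
2011-03-17T00:17:30 10.0.0.12 198.51.100.7 80 DENY
2011-03-17T00:18:00 10.0.0.12 198.51.100.7 80 DENY
"""


def parse(log_text):
    """Yield (timestamp, src, dst) for each non-empty line of the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port, _action = line.split()
        yield datetime.fromisoformat(ts), src, dst


def beaconing_hosts(log_text, c2_addrs, min_hits=3, max_jitter=0.25):
    """Return {src: {"hits": n, "period_s": p}} for sources that contacted any
    seized C2 address at least min_hits times at a regular interval.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between attempts. Bot check-in timers are regular; a person clicking
    around is not. Hosts with too few attempts or irregular gaps are left
    out so the result can go straight to whoever reimages machines.
    """
    attempts = defaultdict(list)
    for ts, src, dst in parse(log_text):
        if dst in c2_addrs:
            attempts[src].append(ts)

    flagged = {}
    for src, times in attempts.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[src] = {"hits": len(times), "period_s": round(avg)}
    return flagged


if __name__ == "__main__":
    for host, info in beaconing_hosts(SAMPLE_LOG, SEIZED_C2).items():
        print(f"{host}: {info['hits']} attempts, ~{info['period_s']}s apart")
```

On the constructed log, 10.0.0.5 is flagged (four attempts about ten minutes apart), 10.0.0.9 is dropped for a single hit, and 10.0.0.12 is dropped because its gaps are too irregular for a timer. The thresholds are assumptions to tune against real traffic: a bot that randomises its check-in interval needs a looser `max_jitter`, and a quiet network lets `min_hits` go higher.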

Re: Microsoft Conducts Massive Botnet Takedown Action

Post by PGT »

So, these weren't pwned boxes but actual C2 ones that were placed in hosting centers.

Re: Microsoft Conducts Massive Botnet Takedown Action

Post by Sabre »

That's the way I read it.

Re: Microsoft Conducts Massive Botnet Takedown Action

Post by PGT »

No, I'm confirming that, silly. :wink:

Re: Microsoft Conducts Massive Botnet Takedown Action

Post by Sabre »

Oh, hehe... oops

Re: Microsoft Conducts Massive Botnet Takedown Action

Post by Sabre »

Rustock analysis
The unidentified criminals behind the infamous Rustock botnet were paying at least $10,000 a month for US-based command and control servers prior to a successful takedown operation last week.

Instead of using bulletproof hosting outfits (rogue ISPs normally based in eastern Europe) that ignore takedown notices, the botherders behind Rustock attempted to hide in plain sight...

Alex Lanstein, a security analyst at FireEye Malware Intelligence Labs, who worked with Microsoft on the successful takedown operation, credits the tactic as being the main reason why Rustock stayed in operation for more than five years.

Rustock, which spread largely via drive-by download from compromised websites, turned compromised machines into spam-spewing monsters. At its peak, the botnet was responsible for almost the worldwide production of spam. Much of this junk mail promoted sites selling unlicensed pharmaceutical drugs, such as Viagra. With the closure of the world's largest spam affiliate program – spamit.com – back in October, this volume of junk mail dropped slightly. This was essentially because one of the botnet owner's main clients had shut up shop, but Rustock was still responsible for at least 30 per cent of global spam.

The dismantling of the core network of around 26 servers that were used to control infected clients meant that this spam torrent suddenly trickled away to nothing last Wednesday.
complacent
DCAWD Founding Member
Posts: 11651
Joined: Sun Aug 29, 2004 8:00 pm
Location: near the rockies. very.
Contact:

Re: Microsoft Conducts Massive Botnet Takedown Action

Post by complacent »

Enterprising... pretty wild.
colin

a tank, a yammie, a spaceship
i <3 teh 00ntz