Microsoft released new statistics in the wake of its Rustock server takedown in March, including one showing the botnet is significantly smaller than it used to be
botnet has been nearly halved in size and effectively crippled, demonstrating
how tech companies can coordinate with law enforcement to take down malware
distributing botnets, Microsoft said.
Microsoft seized several command and control servers in the United States in
March, the infection rate for Rustock malware has declined dramatically,
Richard Boscovich, a senior attorney with Microsoft's Digital Crime Unit, wrote
July 5 on the Official Microsoft Blog
. The blog post
accompanied a special-edition Microsoft Security Intelligence Report
the latest statistics on Rustock.
number of known infected systems declined about 56 percent from more than 1.6
million at the end of March to just over 700,000 in June, Microsoft said. The
infection rate in the U.S. dropped by 35.48 percent, or from 86,000 machines to
53,000. Even though the Microsoft-coordinated takedown operation only shut down
U.S.-based servers and didn't affect other C&C servers operating in other
countries, it appeared that infection rates in India and Russia also declined
69.30 and 70.61 percent, respectively.
time of the initial takedown, we estimate the Rustock botnet is now less than
half the size it was when we took it down in March," wrote Broscovitch. He
said the drop in infection rates had happened much more quickly than expected.
At its peak,
Rustock sent out billions of spam email messages per day and accounted for
nearly half of global spam volume. Custom software was found on one of the
drives of the seized C&C servers capable of mailing a spam file
to 427,000 email addresses
from a single data set.
India has the
largest number of infected systems that are still active, about 100,000,
according to Microsoft's report. Even so, Rustock remains dark
, suggesting that Microsoft
either disrupted the botnet's operations enough that the owners can't regain
control or they have decided to abandon it altogether. This way, the service
providers can redirect any attempts by the infected machines to communicate
with the C&C server to a harmless server.
actions taken against large-scale botnets like Waledac and Rustock may have
been the first of their kind, but they won't be the last," the report
Microsoft's Digital Crimes Unit
on March 16 received
a court order that allowed it to coordinate raids with the Justice Department
to seize servers from multiple hosting providers in seven U.S. cities.
The court order also allowed Microsoft to shut down domains or transfer
continue our efforts to fight cyber-crime, one thing is clear: These threats
cannot be tackled alone. It was through the combined effort of Microsoft, the
judicial system and the industry that Rustock was successfully taken down,"
systems were cleaned up after security software was updated with the latest
definitions, and many users reinstalled the operating system or ran automated
malware removal scripts. The company did not attempt a similar remote process
to remove the Rustock malware from infected systems that it is using to clean
up machines infected with CoreFlood malware
also provided a detailed overview of the Rustock Trojan's capabilities.
Microsoft researchers installed the Trojan onto a clean computer and observed
that within five minutes, the system had been infected with several pieces of
unwanted software. Those programs downloaded and installed additional malware
as well. Within 24 minutes, the same PC carried out 1,406 unique DNS (Domain
Name System) lookups for various hosts and 2,238 lookups of mail servers. It
also received 22 updates from C&C servers.
such as having a firewall and anti-malware protection as well as running
up-to-date and legitimate versions of software will help users stay safe,
"The good news
is that we are making progress. The tech industry, policy makers and consumer
advocacy groups have helped curb cyber-threats through the development of safer
products and by increasing public awareness of cyber-crime," Boscovich said.
apparently sent the spam via Windows Live Hotmail using credentials supplied by
the C&C server, which helped it avoid detection by firewalls and other
network-monitoring technologies. Using Hotmail also meant Rustock was able to
encrypt its outgoing traffic using the SSL (Secure Sockets Layer), further
hiding its activities.
currently trying to identify the Russian hackers responsible for the botnet,
Broscovitch said. The company discovered that some of the C&C servers were
paid for from a Moscow address and the initial injection point for Rustock was