The Rustock botnet has been nearly halved in size and effectively crippled, demonstrating how tech companies can coordinate with law enforcement to take down malware-distributing botnets, Microsoft said.
Since Microsoft seized several command and control servers in the United States in March, the infection rate for Rustock malware has declined dramatically, Richard Boscovich, a senior attorney with Microsoft’s Digital Crimes Unit, wrote July 5 on the Official Microsoft Blog. The blog post accompanied a special-edition Microsoft Security Intelligence Report containing the latest statistics on Rustock.
The worldwide number of known infected systems declined about 56 percent, from more than 1.6 million at the end of March to just over 700,000 in June, Microsoft said. The infection rate in the U.S. dropped by 35.48 percent, from 86,000 machines to 53,000. Even though the Microsoft-coordinated takedown operation only shut down U.S.-based servers and didn’t affect C&C servers operating in other countries, infection rates in India and Russia also appeared to decline, by 69.30 and 70.61 percent, respectively.
“Since the time of the initial takedown, we estimate the Rustock botnet is now less than half the size it was when we took it down in March,” wrote Boscovich. He said the drop in infection rates had happened much more quickly than expected.
At its peak, Rustock sent out billions of spam email messages per day and accounted for nearly half of global spam volume. Custom software found on one of the drives of the seized C&C servers was capable of mailing a spam file to 427,000 email addresses from a single data set.
India has the largest number of infected systems that are still active, about 100,000, according to Microsoft’s report. Even so, Rustock remains dark, suggesting that Microsoft either disrupted the botnet’s operations enough that the owners can’t regain control or that they have decided to abandon it altogether. Meanwhile, service providers can redirect any attempts by the infected machines to communicate with the C&C servers to a harmless server.
“The actions taken against large-scale botnets like Waledac and Rustock may have been the first of their kind, but they won’t be the last,” the report concluded.
Microsoft’s Digital Crimes Unit on March 16 received a court order that allowed it to coordinate raids with the Justice Department to seize servers from multiple hosting providers in seven U.S. cities. The court order also allowed Microsoft to shut down domains or transfer ownership.
“As we continue our efforts to fight cyber-crime, one thing is clear: These threats cannot be tackled alone. It was through the combined effort of Microsoft, the judicial system and the industry that Rustock was successfully taken down,” Boscovich wrote.
Infected systems were cleaned up after security software was updated with the latest definitions, and many users reinstalled the operating system or ran automated malware removal scripts. The company did not attempt to remove the Rustock malware remotely from infected systems, the kind of process it is using to clean up machines infected with CoreFlood malware.
The report also provided a detailed overview of the Rustock Trojan’s capabilities. Microsoft researchers installed the Trojan onto a clean computer and observed that within five minutes, the system had been infected with several pieces of unwanted software. Those programs downloaded and installed additional malware as well. Within 24 minutes, the same PC carried out 1,406 unique DNS (Domain Name System) lookups for various hosts and 2,238 lookups of mail servers. It also received 22 updates from C&C servers.
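The sandbox observation above (thousands of host and mail-server lookups from one PC within minutes) is the kind of behavior a resolver log can expose. As an added example that is not part of Microsoft’s report, the following Python flags clients that perform an unusually high number of MX lookups inside a sliding window; the log format, client addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed resolver log format (constructed for this example):
#   <ISO timestamp> client=<ip> type=<qtype> name=<qname>
LINE_RE = re.compile(r"^(\S+) client=(\S+) type=(\S+) name=(\S+)$")


def parse(lines):
    """Yield (timestamp, client, qtype, qname); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, name = m.groups()
        yield datetime.fromisoformat(ts), client, qtype.upper(), name.lower()


def mx_lookup_offenders(lines, window=timedelta(minutes=24), mx_threshold=50):
    """Return {client: peak MX-lookup count} for clients whose MX lookups in
    any sliding window exceed mx_threshold.  A workstation normally hands mail
    to one relay and never resolves MX records for thousands of domains itself;
    the 24-minute window mirrors the observation period in the report."""
    recent = defaultdict(deque)  # client -> MX lookup timestamps in window
    peak = {}
    for ts, client, qtype, _name in sorted(parse(lines)):
        if qtype != "MX":
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > mx_threshold:
            peak[client] = max(peak.get(client, 0), len(q))
    return peak


def constructed_sample():
    """Constructed log: one ordinary host (10.0.0.7) and one host (10.0.0.42)
    resolving 80 distinct mail servers in 20 minutes, as a spam bot would."""
    base = datetime(2011, 7, 5, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=30 * i)).isoformat()} client=10.0.0.7 "
             f"type=A name=www.site{i}.example" for i in range(10)]
    lines.append(f"{base.isoformat()} client=10.0.0.7 type=MX name=example.com")
    lines += [f"{(base + timedelta(seconds=15 * i)).isoformat()} client=10.0.0.42 "
              f"type=MX name=mail{i}.example" for i in range(80)]
    return lines


if __name__ == "__main__":
    print(mx_lookup_offenders(constructed_sample()))  # {'10.0.0.42': 80}
```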
Safe practices such as having a firewall and anti-malware protection, as well as running up-to-date and legitimate versions of software, will help users stay safe, Boscovich said.
“The good news is that we are making progress. The tech industry, policy makers and consumer advocacy groups have helped curb cyber-threats through the development of safer products and by increasing public awareness of cyber-crime,” Boscovich said.
Rustock apparently sent the spam via Windows Live Hotmail using credentials supplied by the C&C server, which helped it avoid detection by firewalls and other network-monitoring technologies. Using Hotmail also meant Rustock was able to encrypt its outgoing traffic using SSL (Secure Sockets Layer), further hiding its activities.
Microsoft is currently trying to identify the Russian hackers responsible for the botnet, Boscovich said. The company discovered that some of the C&C servers were paid for from a Moscow address and that the initial injection point for Rustock was in Russia.