While digging through the hard drives seized as part of the Rustock takedown in March, Microsoft's forensic experts have uncovered thousands of compromised email addresses.
Microsoft investigators have uncovered more than 400,000 email addresses from a single hard drive seized during the Rustock botnet takedown in March, according to court documents. The Rustock gang also had stolen credit card numbers.
Microsoft outlined its investigation into the hard drives belonging to the botnet's command and control servers in a status report to the United States District Court for the Western District of Washington on May 23. Microsoft researchers had been analyzing the hardware seized by the U.S. Marshals Service and other law enforcement agencies during the March 17 raid, Network World reported May 24.
The investigators uncovered "additional evidence" that the seized servers had been part of the botnet's "spam-dissemination," Microsoft told U.S. District Judge James Robart in the filing. The hard drives contained custom software that assembled spam messages and text files containing thousands of email addresses and username/password combinations. Microsoft also found evidence that criminals had used stolen credit card numbers to purchase hosting and email services.
"One text file alone contained over 427,000 e-mail addresses," Microsoft wrote.
Microsoft also found a clue hinting that the Rustock operators were based in Russia. Payments for some of the hosting services were traced to a specific WebMoney account. WebMoney is an electronic money and online payment system that is very popular among Russian clients. WebMoney helped Microsoft trace the account back to a Vladimir Alexandrovich Shergin of Khimki, a city 14 miles northwest of Moscow.
Microsoft acknowledged in the status filing that the actual person who bought the C&C servers' hosting services may be someone else.
"Microsoft is continuing its investigation to determine whether the name and contact information are authentic, whether this is a stolen identity and whether this person is associated with the events in this action," the company said.
Tracking down the botnet's origins was a challenge because 18 of the 20 drives seized in the raid had been used as Tor nodes to anonymize Internet traffic. Tor routes Internet traffic through volunteer-run relays and is often used by activists to hide their activities from government censorship, as well as by criminals hoping to avoid detection.
The Rustock botnet is estimated to have had about 1 million compromised machines under its control and was capable of sending up to 30 billion spam messages per day. Microsoft obtained a restraining order from the U.S. District Court for the Western District of Washington giving the U.S. Marshals and other law enforcement authority to seize the C&C servers hosted in facilities in seven U.S. cities.
However, the March shutdown does not appear to have had any long-term impact on global spam levels. Spam levels declined 2 percent to 3 percent shortly after the takedown but then returned to normal, Kaspersky Lab found in its quarterly spam report.
Spam accounted for a little less than 80 percent of total email volume in the first quarter of 2011, which was 1.4 percent more than the last quarter of 2010, but 6.5 percent less than the first quarter of 2010. In its monthly spam report for April, Kaspersky Lab reported the amount of spam increased by 1.2 percentage points compared with March, and averaged 80.8 percent of total email volume.
"The closure of the Rustock botnet command centres on 16 March 2011 did not impact spam traffic as dramatically as last year's Pushdo, Cutwail and Bredolab closures," Kaspersky researchers said in the quarterly report.