Microsoft Claims Rustock Botnet Takedown

 
 
By Nicholas Kolakowski  |  Posted 2011-03-18 Email Print this article Print
 
 
 
 
 
 
 

Microsoft is claiming it took down the massive Rustock botnet, in a wide-ranging operation that saw servers seized in multiple cities.

Microsoft is claiming responsibility for the takedown of the massive Rustock botnet, which stopped sending out spam midmorning March 16.

Estimates of Rustock's size varied between 1.1 million and 1.7 million infected computers, and the botnet may have been responsible for 47.5 percent of all spam sent worldwide by the end of 2010. Rustock also went inactive for days at a time, making it unclear at first whether the current silence was due to internal factors or the efforts of some outside agency. 

It turned out to be the latter.

In a March 17 posting on the Microsoft on the Issues blog, Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit (DCU), claims the company squashed Rustock following a months-long investigation.

"This operation, known as Operation b107, is the second high-profile takedown in Microsoft's joint effort between DCU, Microsoft Malware Protection Center and Trustworthy Computing-known as Project MARS (Microsoft Active Response for Security)," he wrote. In addition, Microsoft has apparently filed suit against the Rustock botnet's anonymous operators, following a procedure pioneered when the company helped take down the Waledac botnet.

Project MARS' ultimate mission, Boscovich continued, is to "disrupt botnets and begin to undo the damage the botnets have caused by helping victims regain control of their infected systems." In the case of Rustock, the takedown involved bringing the case before U.S. District Court for the Western District of Washington, in addition to a "coordinated seizure of command and control servers in multiple hosting locations escorted by the U.S. Marshals Service."

Those servers were located at five hosting providers in seven U.S. cities, including Denver, Scranton, Kansas City, Dallas, Chicago, Seattle, and Columbus. Microsoft also blocked the IP addresses controlling the botnet.

Those who suspect their computer is inflected by Rustock or other types of malware can apparently visit support.microsoft.com/botnets for information and resources. 

Microsoft's previous botnet-killing, in February 2010, kicked off when a federal judge in Virginia issued a temporary restraining order that cut off the 277 Internet domains associated with Waledac, which was blamed for producing more than 1.5 billion spam messages per day. Having infected hundreds of thousands of computers around the world, Waledac was considered a big enough threat to attract the attention of not only Microsoft, but also Symantec, Shadowserver Foundation, the University of Washington and a handful of others joined together in an initiative termed "Operation b49."

At the time, however, security experts questioned whether legal maneuvers would ultimately be sufficient to curb the increasingly endemic issue of botnets. The sheer size and reach of the Rustock botnet suggests that the threat is far from being eliminated-but Microsoft's takedown also demonstrates companies' increased aggression in dealing with it.

 
 
 
 
Nicholas Kolakowski is a staff editor at eWEEK, covering Microsoft and other companies in the enterprise space, as well as evolving technology such as tablet PCs. His work has appeared in The Washington Post, Playboy, WebMD, AARP the Magazine, AutoWeek, Washington City Paper, Trader Monthly, and Private Air. He lives in Brooklyn, New York.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel