Microsoft is claiming it took down the massive Rustock botnet, in a wide-ranging operation that saw servers seized in multiple cities.
Microsoft is claiming responsibility for the takedown of the
massive Rustock botnet, which stopped sending out spam midmorning March 16.
Estimates of Rustock's size varied between 1.1 million and
1.7 million infected computers, and the botnet may have been responsible for 47.5
percent of all spam sent worldwide by the end of 2010. Rustock
also went inactive for days at a time
, making it unclear at first whether
the current silence was due to internal factors or the efforts of some outside
It turned out to be the latter.
In a March 17 posting on the
Microsoft on the Issues blog
, Richard Boscovich, senior attorney for
Microsoft's Digital Crimes Unit (DCU), claims the company squashed Rustock
following a months-long investigation.
"This operation, known as Operation b107, is the second
high-profile takedown in Microsoft's joint effort between DCU, Microsoft
Malware Protection Center and Trustworthy Computing-known as Project MARS
(Microsoft Active Response for Security)," he wrote. In addition, Microsoft has
apparently filed suit against the Rustock botnet's anonymous operators,
following a procedure pioneered when the company helped take down the Waledac
Project MARS' ultimate mission, Boscovich continued, is to
"disrupt botnets and begin to undo the damage the botnets have caused by
helping victims regain control of their infected systems." In the case of
Rustock, the takedown involved bringing the case before U.S. District Court for
the Western District of Washington, in addition to a "coordinated seizure of
command and control servers in multiple hosting locations escorted by the U.S.
Those servers were located at five hosting providers in
seven U.S. cities, including Denver, Scranton, Kansas City, Dallas, Chicago,
Seattle, and Columbus. Microsoft also blocked the IP addresses controlling the
Those who suspect their computer is inflected by Rustock or
other types of malware can apparently visit support.microsoft.com/botnets
for information and resources.
Microsoft's previous botnet-killing, in February 2010,
kicked off when a federal judge in Virginia issued a temporary restraining
order that cut off the 277 Internet domains associated with Waledac, which was
blamed for producing more than 1.5 billion spam messages per day. Having infected
hundreds of thousands of computers around the world, Waledac was considered a
big enough threat to attract the attention of not only Microsoft, but also
Symantec, Shadowserver Foundation, the University of Washington and a handful
of others joined together in an initiative termed "Operation b49."
At the time, however, security experts questioned whether
legal maneuvers would ultimately be sufficient to curb the increasingly endemic
issue of botnets. The sheer size and reach of the Rustock botnet suggests that
the threat is far from being eliminated-but Microsoft's takedown also
demonstrates companies' increased aggression in dealing with it.