Microsoft is claiming it took down the massive Rustock botnet, in a wide-ranging operation that saw servers seized in multiple cities.
Microsoft is claiming responsibility for the takedown of the
massive Rustock botnet, which stopped sending out spam midmorning March 16.
Estimates of Rustock's size varied between 1.1 million and
1.7 million infected computers, and the botnet may have been responsible for 47.5
percent of all spam sent worldwide by the end of 2010.
Rustock also went inactive for days at a time, making it unclear at first
whether the current silence was due to internal factors or the efforts of
some outside agency.
It turned out to be the latter.
In a March 17 posting on the Microsoft on the Issues blog, Richard
Boscovich, senior attorney for Microsoft's Digital Crimes Unit (DCU), claims
the company squashed Rustock following a months-long investigation.
"This operation, known as Operation b107, is the second
high-profile takedown in Microsoft's joint effort between DCU, Microsoft
Malware Protection Center and Trustworthy Computing, known as Project MARS
(Microsoft Active Response for Security)," he wrote. In addition, Microsoft has
apparently filed suit against the Rustock botnet's anonymous operators,
following a procedure pioneered when the company helped take down the Waledac
botnet.
Project MARS' ultimate mission, Boscovich continued, is to
"disrupt botnets and begin to undo the damage the botnets have caused by
helping victims regain control of their infected systems." In the case of
Rustock, the takedown involved bringing the case before U.S. District Court for
the Western District of Washington, in addition to a "coordinated seizure of
command and control servers in multiple hosting locations escorted by the U.S.
Marshals Service."
Those servers were located at five hosting providers in
seven U.S. cities, including Denver, Scranton, Kansas City, Dallas, Chicago,
Seattle, and Columbus. Microsoft also blocked the IP addresses controlling the
botnet.
Those who suspect their computer is infected by Rustock or other types of
malware can apparently visit support.microsoft.com/botnets for information
and resources.
Microsoft's previous botnet-killing, in February 2010,
kicked off when a federal judge in Virginia issued a temporary restraining
order that cut off the 277 Internet domains associated with Waledac, which was
blamed for producing more than 1.5 billion spam messages per day. Having infected
hundreds of thousands of computers around the world, Waledac was considered a
big enough threat to attract the attention of not only Microsoft, but also
Symantec, Shadowserver Foundation, the University of Washington and a handful
of others, which joined together in an initiative termed "Operation b49."
At the time, however, security experts questioned whether
legal maneuvers would ultimately be sufficient to curb the increasingly endemic
issue of botnets. The sheer size and reach of the Rustock botnet suggest that
the threat is far from being eliminated, but Microsoft's takedown also
demonstrates companies' increased aggression in dealing with it.