Microsoft Uncovers 400K Tainted Email Addresses on Rustock Hard Drives

While digging through the hard drives seized as part of the Rustock takedown in March, Microsoft's forensic experts have uncovered thousands of compromised email addresses.

Microsoft investigators have uncovered more than 400,000 email addresses from a single hard drive seized during the Rustock botnet takedown in March, according to court documents. The Rustock gang also had stolen credit card numbers.

Microsoft outlined its investigation into the hard drives belonging to the botnet's command and control servers in a status report to the United States District Court for the Western District of Washington on May 23. Microsoft researchers had been analyzing the hardware seized by the U.S. Marshals Service and other law enforcement agencies during the March 17 raid, Network World reported May 24.

The investigators uncovered "additional evidence" that the seized servers had been part of the botnet's "spam-dissemination," Microsoft told U.S. District Judge James Robart in the filing. The hard drives contained custom software that assembled spam messages and text files containing thousands of email addresses and username/password combinations. Microsoft also found evidence that criminals had used stolen credit card numbers to purchase hosting and email services.

"One text file alone contained over 427,000 e-mail addresses," Microsoft wrote.

Microsoft also found a clue hinting that the Rustock owners were based in Russia. The payments for some of the hosting services were traced to a specific Webmoney account. Webmoney is an electronic money and online payment system that is very popular among Russian clients. Webmoney helped Microsoft trace the account back to a Vladimir Alexandrovich Shergin of Khimki, a city 14 miles northwest of Moscow.

Microsoft acknowledged in the status filing that the actual person who bought the C&C servers' hosting services may be someone else.

"Microsoft is continuing its investigation to determine whether the name and contact information are authentic, whether this is a stolen identity and whether this person is associated with the events in this action," the company said.

Tracking down the botnet's origins was a challenge because 18 of the 20 drives seized in the raid had been used as Tor nodes to anonymize Internet traffic. Tor routes Internet traffic through volunteer computers and is often used by activists to hide their activities from government censorship as well as by criminals hoping to avoid detection.

The Rustock botnet is estimated to have had about 1 million compromised machines under its control and was capable of sending up to 30 billion spam messages per day. Microsoft obtained a restraining order from the U.S. District Court for the Western District of Washington giving the U.S. Marshals and other law enforcement authority to seize the C&C servers hosted in facilities in seven U.S. cities.

However, it doesn't appear that the March shutdown had any long-term impact on global spam levels. Spam levels declined 2 percent to 3 percent shortly after the takedown, but then returned to normal levels, Kaspersky Lab found in its quarterly spam report.

Spam accounted for a little less than 80 percent of total email volume in the first quarter of 2011, which was 1.4 percent more than the last quarter of 2010, but 6.5 percent less than the first quarter of 2010. In its monthly spam report for April, Kaspersky Lab reported the amount of spam increased by 1.2 percentage points compared with March, and averaged 80.8 percent of total email volume.

"The closure of the Rustock botnet command centres on 16 March 2011 did not impact spam traffic as dramatically as last year's Pushdo, Cutwail and Bredolab closures," Kaspersky researchers said in the quarterly report.