New weapons forged from botnet takedown

In Rustock breakup, Microsoft, FireEye, and the U.S. Marshals created important new international relationships and legal precedents

A million compromised PCs no longer have their malicious marching orders following a massive effort by Microsoft, the U.S. Marshals, and other security experts last week to break up the Rustock botnet.

After more than 18 months of research under the auspices of MARS (Microsoft Active Response for Security) program, U.S. Marshals and forensics experts raided data centers in Chicago, Columbus, Dallas, Denver, Kansas City, Scranton, and Seattle and seized the hard drives of the computers used to control the bots.

The Rustock botnet, which Microsoft estimates consisted of 1 million compromised PCs, could send up to 30 billion spam messages per day. Even a single infected computer could send nearly a quarter million messages in a 24-hour period, according to Microsoft. Following the takedown, spam from the Rustock botnet plummeted, falling from up to 2,000 messages per second to less than 2 per second.

From an operational standpoint, the decapitation of the Rustock botnet was a success. However, the actual dismantling of the botnet is small potatoes compared to Microsoft's ability to establish legal precedents for the takedown of critical botnet components and build relationships with key organizations who can execute takedown orders, says T.J. Campana, senior program manager at Microsoft's DCU (Digital Crimes Unit).

Solid relationships with registrars and hosting providers allows Microsoft to quickly get to the right person inside an organization who can make a takedown happen. In the case of the Rustock raids, for example, the hard drives were seized from hosting centers in all seven cities within 30 minutes.

"What has really been a game changer is the building out of that community of folks," says Campana. "It is a really powerful thing to say, 'Here folks, you are hosting the command and control for a botnet, here is the reality to show that it is in fact the case,' and have them take an appropriate action."

When it planned the Waledac takedown last year, Microsoft brought together researchers and responsible registrars to show that the botnet used certain domains for its command-and-control servers. With Rustock, the company had to work with hosting providers, the U.S. Marshals, the University of Washington, security firm FireEye, and the Dutch Police (two command-and-control servers were hosted in the Netherlands).

Microsoft's takedown of Waledac last September pioneered the use of an ex parte temporary restraining order, which allowed the seizure of assets -- in that case, domain names -- without first notifying the other party, the bot operators. In taking down Rustock, Microsoft used a civil statute known as the Lanham Act to file a trademark-infringement complaint, says Richard Boscovich, senior attorney for Microsoft's DCU. The Rustock bot operators used their botnet to send spam that, in many cases, purported to be from Microsoft and other companies, such as Pfizer.

"We used what was primarily an analog approach to the statute and applied it to cyberspace," says Boscovich. "From a legal approach, that is what differentiates this case from our legal approach in Waledac."

Botnets are notoriously difficult to dismantle. And even if Rustock does not return, the criminals behind it could likely recreate the botnet. But now other companies that want to take on bot operators have legal precedents to help their cause. The criminals behind Rustock may return, but both the legal precedents and relationships with Internet infrastructure providers are here to stay.

This story, "New weapons forged from botnet takedown," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2011 IDG Communications, Inc.

How to choose a low-code development platform