Microsoft and feds bring down spam giant Rustock


5 replies to this topic

#1 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  • Gender:Male
  • Location:is everything
  • Local time:11:59 PM

Posted 17 March 2011 - 10:23 PM

http://news.cnet.com/8301-10805_3-20044480-75.html

A lawsuit by Microsoft that was unsealed at the company's request late today triggered several coordinated raids last Wednesday that took down Rustock, a botnet that infected millions of computers with malicious code in order to turn them into a massive spam-sending network.

snip

The Wall Street Journal first reported that it was Microsoft's digital crimes unit, working in concert with U.S. marshals, that raided seven hosting facilities across the country and seized the command-and-control machines that ran the network. Those are the servers that send instructions to the fleet of infected computers to dish out spam messages hawking such items as phony lottery scams and fake and potentially dangerous prescription drugs. The takedown was known internally as Operation b107.

Shutting down Rustock could put a huge dent in spam worldwide. Tech security giant Symantec estimated last year that Rustock was responsible for 39 percent of the world's spam. Global spam levels dropped 12 percent after Dutch authorities took down a Trojan horse named Bredolab last November.


Microsoft shuts down giant Rustock spamming network

http://blog.seattlepi.com/microsoft/2011/03/17/microsoft-shuts-down-giant-rustock-spamming-network/

Like Microsoft did with the Waledac botnet in February 2010, the company used the courts to go after Rustock. On Wednesday morning, U.S. Marshals seized hard drives and servers at Internet service providers in seven U.S. cities including Seattle, disconnecting most of the IP addresses that controlled the botnet, according to court documents.

The servers were removed as evidence and will be analyzed by Microsoft. Simultaneously, police carried out similar action in the Netherlands, where one Rustock server was located, Richard Boscovich, senior attorney in Microsoft's Digital Crimes Unit, said in a phone interview.

"It's one of the largest," Boscovich said of the Rustock botnet. "At any time, it's one of the top two sending spam."

On a good day, Rustock was capable of sending 30 billion spam e-mails per day.


Rustock Botnet Flatlined, Spam Volumes Plummet

http://krebsonsecurity.com/2011/03/rustock-botnet-flatlined-spam-volumes-plummet/

The global volume of junk e-mail sent worldwide took a massive nosedive today following what appears to be a coordinated takedown of the Rustock botnet, one of the world’s most active spam-generating machines.

For years, Rustock has been the most prolific purveyor of spam — mainly junk messages touting online pharmacies and male enhancement pills. But late Wednesday morning Eastern Time, dozens of Internet servers used to coordinate these spam campaigns ceased operating, apparently almost simultaneously.

Such an action suggests that anti-spam activists have succeeded in executing possibly the largest botnet takedown in the history of the Internet. Spam data compiled by the Composite Spam Blocklist, the entity that monitors global junk e-mail volumes for the anti-spam outfit Spamhaus.org, shows that at around 2:45 p.m. GMT (10:45 a.m. EDT) spam sent via the Rustock botnet virtually disappeared. The CBL estimates that at least 815,000 Windows computers are currently infected with Rustock, although that number is more than likely a conservative estimate.


Edited by Union_Thug, 17 March 2011 - 10:35 PM.



#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,549 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:59 PM

Posted 17 March 2011 - 11:58 PM

Sounds like a good job was done taking down the C & C system. Should take them a while to recover from that.
http://www.bbc.co.uk/news/technology-12772319

Often the infected computers that form a botnet are programmed to seek out websites where they can download new instructions, in the event that the command and control systems are breached.

"The botnet controllers can use legitimate websites - such as headlines from news sites - to identify where the new instructions can be found," said Mr Wood.

So even when a botnet is disabled, it may be back up and running in days.

"Only time will tell if we will see [Rustock] coming back," said Mr Hanna.

And new types of malware are proliferating rapidly, making it harder for computer users to ensure their systems are fully protected.

There were 26% more incidences of new types of malware in the first three months of 2011 than in the final three months of 2010, according to anti-virus firm Panda Security.


The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • OFFLINE
  • Gender:Male
  • Location:Northern Ohio
  • Local time:10:59 PM

Posted 19 March 2011 - 11:00 AM

I would like to thank Microsoft and the marshals for the good work they are doing. I hope that there will be other companies working with Microsoft and the marshals to even shut down more of these botnets.

#4 Union_Thug

Union_Thug

    Bleeps with the fishes...

  • Topic Starter

  • Members
  • 2,355 posts
  • OFFLINE
  • Gender:Male
  • Location:is everything
  • Local time:11:59 PM

Posted 23 March 2011 - 12:16 AM

New weapons forged from botnet takedown

Microsoft's takedown of Waledac last September pioneered the use of an ex parte temporary restraining order, which allowed the seizure of assets -- in that case, domain names -- without first notifying the other party, the bot operators. In taking down Rustock, Microsoft used a civil statute known as the Lanham Act to file a trademark-infringement complaint, says Richard Boscovich, senior attorney for Microsoft's DCU. The Rustock bot operators used their botnet to send spam that, in many cases, purported to be from Microsoft and other companies, such as Pfizer.

"We used what was primarily an analog approach to the statute and applied it to cyberspace," says Boscovich. "From a legal approach, that is what differentiates this case from our legal approach in Waledac."

Botnets are notoriously difficult to dismantle. And even if Rustock does not return, the criminals behind it could likely recreate the botnet. But now other companies that want to take on bot operators have legal precedents to help their cause. The criminals behind Rustock may return, but both the legal precedents and relationships with Internet infrastructure providers are here to stay.


Edit to add link: http://www.infoworld.com/t/malware/new-weapons-forged-botnet-takedown-168?source=rss_security

Edited by Union_Thug, 23 March 2011 - 12:17 AM.


#5 MegaDan5

MegaDan5

  • Members
  • 214 posts
  • OFFLINE
  • Gender:Male
  • Location:Probably by a computer
  • Local time:10:59 PM

Posted 23 March 2011 - 02:57 PM

This story makes me happy that Microsoft is actively trying to take down the creators of these botnets.

#6 Rootkit Hunter

Rootkit Hunter

  • Members
  • 63 posts
  • OFFLINE
  • Local time:10:59 PM

Posted 05 June 2011 - 08:21 PM

This story makes me happy that Microsoft is actively trying to take down the creators of these botnets.


I agree, it's really good to see a company like MSFT get involved with actively taking down botnets, they can leverage a lot of financial and legal muscle that many of the smaller security firms cannot. It's also nice to see them collaborate with some other people in the takedown.
