Microsoft detailed its Rustock botnet countermeasures on Monday.
The software giant took the infamous Rustock botnet down earlier this year and claims it remains dead. “I’m happy to report that the botnet has stayed dead,” said Microsoft’s Digital Crimes Unit senior attorney, Richard Boscovich, in a blog posting on Monday. “Our technical countermeasures have worked effectively to prevent the bot’s self-defense mechanisms from reanimating it.” Microsoft took the Russian botnet out alongside U.S. law enforcement agents. The pair seized computer hardware from Internet hosting providers across the U.S. in March.
“We’ve seen the number of infected IP addresses (a loose proxy for the number of infected computers) decline as more and more people update their software or get malware removed from their PCs,” says Boscovich. “Keeping the botnet dead and decaying is just one part of our larger objective,” he added. The Rustock botnet was the largest source of spam in the world, consisting of around 150,000 machines sending around 30 billion spam messages a day. The takedown was part of Microsoft’s fight against illegal botnets, designed to stop the spread of malware and spam mail.

Botnets are networks of compromised computers controlled by “bot herders” or “bot masters”, who use the thousands (sometimes millions) of compromised Windows machines to distribute adware, spyware and spam emails, and to launch DDoS attacks. Botnet malware is typically installed on end users’ machines through web browser vulnerabilities, worms, Trojan horses, or backdoors. A “bot master” then controls the machines via IRC commands to launch attacks or send email spam.
Microsoft revealed last month that it had discovered over 400,000 email addresses on a Russian Rustock botnet server. The software maker filed a status report to a federal judge in late May. “The Microsoft Digital Crimes Unit continues to follow this case wherever it leads us,” says Boscovich. “Based on evidence gathered in the case, we have reason to believe that the people behind the Rustock botnet either have operated or are operating out of Russia.”
Microsoft has placed advertisements in two mainstream Russian newspapers, the Delovoy Petersburg in St. Petersburg and Moscow’s daily paper, The Moscow News. The adverts will run for 30 days and are designed to contact the owners of the IP addresses and domain names that were shut down when Rustock was taken offline. Microsoft hopes the owners of the IP addresses and domain names will come forward in response to a court summons. “If they do not, however, we will continue to pursue this case,” says Boscovich. “We remain firmly committed to taking action against not just the perpetrators of this botnet, but to disrupt digital crime globally to make the Internet safer for everyone.”
Microsoft has previously proposed that infected PCs should be banned from the Internet. Senior Microsoft executive Scott Charney suggested in October that virus-infected PCs should be quarantined from the Internet in the same way that society deals with infected humans. The proposals generated a significant amount of industry debate. Charney revisited his comments in February but still called for industry feedback and suggestions to tackle the ongoing problems of botnets and infected PCs.