
Microsoft passes Rustock botnet case on to FBI

Unknown and unnamed bot herders now at the mercy of the digital police


Microsoft wrapped up its civil case against the still unnamed controllers of the Rustock botnet and handed off the information gleaned during its investigation to the FBI.

But the move doesn't end the company's six-month operation. Last week, a federal judge granted Microsoft and others the right to keep control of tens of thousands of Internet Protocol (IP) addresses for the next two years. These are addresses the Rustock controllers could otherwise use to issue commands to the malware that still resides on infected PCs.

Richard Boscovich, a senior attorney in the Microsoft Digital Crimes Unit, was confident that authorities would find, arrest and prosecute those involved with Rustock.

"We went as far as we could on the civil side, we were able to develop some very good leads that we think will lead to the identities of some of those responsible," said Boscovich. "We decided to give our findings to law enforcement, so they could use their expertise. It was a natural progression for the case."

Later during the interview, Boscovich said he "felt pretty good" about the chance that authorities will eventually make arrests.

In March, Microsoft lawyers and US Marshals seized Rustock command-and-control (C&C) servers at five web hosting providers in seven US cities, crippling the botnet. At the time, Rustock was hiding on an estimated 1.6 million Windows PCs worldwide, and was being used to send massive quantities of spam, up to 30 billion messages daily, much of it pitches for fake pharmaceuticals.

The takedown and subsequent suppression efforts have prevented Rustock from reviving, according to Microsoft.

Boscovich said that as of September, Microsoft had identified about 422,000 Rustock-infected PCs, a 74% reduction since March. The September numbers were an improvement over June, when Microsoft said that more than 700,000 PCs harboured the Rustock malware.

The takedown didn't clean the malware off the infected Windows PCs. Instead, the server seizures, together with the blocking of the domains Rustock was to use for fallback communications, kept the botnet from updating itself.

That, in turn, gave antivirus vendors the time they needed to issue signatures for the existing Rustock malware, and gave Internet service providers (ISPs) time to notify users whose machines had been compromised.
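The notification step above depends on being able to tell which customer machines are still trying to reach the seized or sinkholed infrastructure. The script below is an added example, not Microsoft's, an ISP's, or any Rustock-related code: it reads resolver log lines in a simple assumed format (timestamp, client IP, queried name), counts lookups of a hypothetical sinkholed fallback-domain list, and reports clients that query those names repeatedly, which is the pattern a bot cycling through its update list produces. The domain names and log lines are constructed for illustration and are not Rustock's real fallback domains.

```python
"""Flag hosts that repeatedly resolve sinkholed C&C fallback domains.

Added example, not code from Microsoft, an ISP, or the Rustock investigation.
The domain list and the DNS log lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical sinkholed fallback domains (constructed; not Rustock's real ones).
SINKHOLED = {
    "upd-fallback-01.example",
    "upd-fallback-02.example",
    "upd-fallback-03.example",
}

# Constructed resolver log lines, assumed format: "<ISO timestamp> <client IP> <queried name>".
SAMPLE_LOG = """\
2011-09-01T10:00:01 10.0.0.5 www.example.org
2011-09-01T10:00:05 10.0.0.7 upd-fallback-01.example
2011-09-01T10:00:09 10.0.0.7 upd-fallback-02.example
2011-09-01T10:00:14 10.0.0.7 upd-fallback-03.example
2011-09-01T10:00:20 10.0.0.9 upd-fallback-01.example
2011-09-01T10:01:00 10.0.0.5 mail.example.org
2011-09-01T10:05:05 10.0.0.7 upd-fallback-01.example
"""


def parse_line(line):
    """Split one log line into (timestamp, client IP, normalised domain name)."""
    ts, client, name = line.split()
    # Lower-case and drop a trailing dot so "Foo.Example." matches "foo.example".
    return datetime.fromisoformat(ts), client, name.lower().rstrip(".")


def sinkhole_hits(log_text, sinkholed=SINKHOLED):
    """Return {client_ip: [(timestamp, domain), ...]} for lookups of sinkholed names only."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts, client, name = parse_line(raw)
        if name in sinkholed:
            hits[client].append((ts, name))
    return dict(hits)


def likely_infected(log_text, sinkholed=SINKHOLED, min_hits=2):
    """Clients with at least `min_hits` sinkholed lookups.

    A single lookup may be a curious user or a scanner; repeated lookups,
    especially across several distinct fallback names, look like a bot
    walking its update list. Returns {client_ip: {"hits": n, "distinct": m}}.
    """
    report = {}
    for client, entries in sinkhole_hits(log_text, sinkholed).items():
        if len(entries) >= min_hits:
            report[client] = {
                "hits": len(entries),
                "distinct": len({domain for _, domain in entries}),
            }
    return report


if __name__ == "__main__":
    for client, info in sorted(likely_infected(SAMPLE_LOG).items()):
        print(f"{client}: {info['hits']} sinkholed lookups, {info['distinct']} distinct names")
```

On the constructed log, 10.0.0.7 is reported (four sinkholed lookups across three names) while 10.0.0.9, with a single lookup, falls below the default threshold; raising or lowering `min_hits` trades notification noise against missed infections, and in practice the sinkholed list would be fed from the seized-infrastructure records rather than hard-coded.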

But for all its work, including offering a $250,000 reward for information that leads to an arrest, Microsoft has not been able to conclusively identify those who controlled the botnet.

In an earlier filing with a Seattle federal court, Microsoft said it had traced payments for the hosting of some of Rustock's C&C servers to a specific Webmoney account, and after asking the Russian online payment service for help, identified the owner of that account as one Vladimir Alexandrovich Shergin of Khimki, a city 14 miles northwest of Moscow.

However, Microsoft had cautioned the court that Shergin might not be the actual purchaser of Rustock's C&C hosting services.

The $250,000 reward, which Microsoft posted in July, brought in scores of tips, including some high quality leads, said Boscovich.

"Some of the information we received seemed to be coming from other individuals in the 'industry,'" said Boscovich, referring to the botnet cybercrime business. He said Microsoft was able to gauge the legitimacy of the incoming tips by using information it had already collected.

"We were getting some very good discovery," Boscovich said, talking about the civil case's investigative phase. "We wanted to supplement that by offering the reward."

Microsoft has not withdrawn the reward, but has asked that tips now be submitted to an FBI email address. Some of what Microsoft learned during its Rustock digging revealed other cybercrimes, information that the company and others can use.

"It's like when you're walking down an alley looking for one crime, on the way you see several others," Boscovich said. "[The investigation] led to a lot of good leads, not just about Rustock, but about the industry itself."
