back to article RUSTOCK TAKEDOWN: How the world's worst botnet was KO'd

The unidentified criminals behind the infamous Rustock botnet were paying at least $10,000 a month for US-based command and control servers prior to a successful takedown operation last week. Instead of using bulletproof hosting outfits (rogue ISPs normally based in eastern Europe) that ignore takedown notices, the botherders …

COMMENTS

This topic is closed for new posts.
  1. JDX Gold badge

    Windows Update?

    "Compromised machines are still infected, but are now seeking instructions from sinkholes controlled by Microsoft."

    1. Anonymous Coward
      Stop

      No public cloud for my company

      We might use gmail some day but there is no way we will put our company data up on a cloud to be infected then confiscated by the government.

  2. TeeCee Gold badge
    Alert

    It might be equally valid to say:

    If I were the Microsoft Corporation, I would not be sleeping well knowing that the full resources of a team capable of building an umpty-something-thousand node botnet were available to a load of crooks with an axe to grind.....

  3. Richard 31
    Paris Hilton

    Control

    If MS now have effective control of the botnet, couldn't they instruct the compromised machine to run a clean-up program?

    1. Crazy Operations Guy

      Well yes, that would work

      But doing so would be illegal, since the running of the clean-up program would not be authorized by the user (similar thing was proposed in Conficker). Even if you were to place a page that said something like "Microsoft has found a Virus on your system, please run this program to clean it up", while legal, will only cause more damage.

      A program to clean this infection has already been getting distributed by Windows Update, unfortunately Update functionality has been disabled on the compromised systems.

      1. Old Handle
        Gates Halo

        So?

        Stealing computers from innocent hosting companies is illegal too, but apparently they just invented a new law to handle that.

        1. sisk

          @OH: Read again

          "This kit was often not owned by the hosting providers themselves". Besides, they jumped through the proper hoops to get the warrents and do it all legal like.

    2. Anonymous Coward
      Pint

      Yes

      They could, but this is illegal in many countries.

      1. Anonymous Coward
        Anonymous Coward

        Cleanup?

        'They could, but this is illegal in many countries.'

        And they would probably cock up the update if recent events are anything to go by

      2. Anonymous Coward
        Anonymous Coward

        I wonder if there is something in Licence Agreement

        that allows them to run clean up scripts or whatever they want without asking!

  4. Anonymous Coward
    Linux

    How to takedown botnets

    Switch off your Windows computer ..

    1. Lewis Mettler
      Go

      good idea

      Good idea. Stop using any Microsoft products would help a lot.

      Opps, don't have any left.

      Good!

      1. Anonymous Coward
        WTF?

        Get back under your bridge troll!

        I'm an OSX and Ubuntu user exclusively but even I recognise the fact that MS did everyone a huge favour by removing these scum from operation, yet you people still have to have a pop with your silly little digs about Windows!

        1. Anonymous Coward
          Go

          No, I won't!

          And, pray, why not take another dig at MS? They have been a pain in the bottom for umpty years spreading their malware that allows the creation of the resource stealing spam bots. About time they started cleaning up their mess and do not deserve more than token thank you for it. Certainly not a reason to begin using their product nor continue to do so. The faults and holes are still there, waiting for another exploit.

          1. DryBones
            Thumb Down

            Tsk

            Market share, pure and simple. You can bang the drum all you want, those of us that haven't drank the Kool-Aid know if OSX or (gasp!) Linux was the market leader there'd be rife attacks against them. Granted the holes might be fixed faster, but then you'd have an OS that criminals would be competing to get malevolent code committed to the next build. And hey, then everyone that updates is infected.

            Pick your poison, prat.

            1. Big-nosed Pengie
              Linux

              Tsk

              Stupidity or FUD? Take your pick.

              1. big_D Silver badge

                Given the...

                number of critical holes patched in Linux and OS X on a regular basis, neither user base has a cause to brag. They can be smug for the time being, because people aren't exploiting these holes.

                Look at the recent CSW competion, where Safari fell in a few seconds, look at the bug fixes in the last Kernel Log for Linux. In an interview after the CSW conference, Charlie Miller stated that the flawed ASLR and DEP implementations in OS X made it much easier to attack than Windows.

                Don't forget, the first worms and viruses ran on UNIX and derivative systems, long before Windows was even a gleam in Bill's eye...

                Virus writing is a big money game and Linux and OS X PCs don't make an attractive target, which means that the writers concentrate on the bigger targets - Java, Flash and Windows. With Java and Flash, you are suddenly cross-platform.

                I've done enough securtiy research and bug testing, that I would never look at any OS as being secure against malware attack.

                Am I a Windows fanboy? I use an iMac, SUSE Linux, Ubuntu and Windows 7 on a daily basis and don't really have a favourite.

  5. h4rm0ny

    Follow the money...?

    So the non-technical route to finding the culprits would be to follow the money trail back from these ISPs. It seems to me that I thought it would be harder to completely hide your financial trail like this?

    1. Anonymous Coward
      Linux

      Crumb trail

      The crooks will be using anonymous credit cards, forged bank accounts.

      The main way to identify them is through the affliates and payment providers. Who run very openly in Russia.

      Some documents have been leaked recently from one of the main pharmacy spam affliates.

    2. Nexox Enigma

      Meh

      I figure if you're into cyber crime this hard, you just pay for everything with stolen credit cards. And if you really want to pay for it yourself, the friendly banking laws of Switzerland and other countries can supposedly stop paper trails before they get back to you.

  6. Keith Smith 1
    Pint

    Thank You Microsoft

    No love lost here for Microsoft, but I'm glad to see they have become pro-active in helping fight this SPAM crap. Whining about how bad Windows is, is counter-productive. It (Windows) exists and it's good to see MS using some of it's vast resources to shut these folks down. They have the resources and the low-level code access to both detect and pursue this junk.

    It's about time they stepped up to the plate.

    1. sisk

      Eh

      I'm a long time Linux geek myself, but Microsoft stopped being the devil years ago. They've been at the plate fighting malware and spam, so to speak, for most of this decade. It would be more accurate to say "about time they finally accomplished something significant". Their products are still lacking IMHO, but the company on the whole is getting more resposible.

  7. L1feless

    So let me get this striaght...

    MS thinks that they are a force to be reckoned with in net security? In many cases these spam botnets are partially caused by MS' inadequacy in patching and development in the first place. How can anyone with a straight face make any comment like that...baffles my mind. I think a more worrying comment is the fact that a botnet has had the ability to be active for this long without being properly understood by supposed 'experts;

    1. Gotno iShit Wantno iShit
      FAIL

      @L1feless

      "How can anyone with a straight face make any comment like that...baffles my mind."

      I don't doubt that it does. Anyone with a couple of braincells to rub together will accept that OS security vulnerabilities are a fact of life. All OS suffer from them and all OS get patched but as has already been said above Rustock disables Windows Update. Anyone without will remain baffled.

      No I am not a Microsoft fanboi, I just have a grip on reality.

  8. Herby

    One thing that can be said...

    Microsoft actually did something useful.

    Of course, they needed help doing it, and some incentive (Hotmail), but at least they have some good things to do. Now if they would direct some of this energy to other tasks, we would ALL be in a better world.

  9. K. Adams
    Welcome

    Every once in a while, Microsoft does something...

    ... that earns them a bit of grudging respect from me.

    As a GNU/Linux enthusiast, I tend to eschew Microsoft products (though I do use them at work out of necessity), and stick to Debian-based distros.

    I used to have a fairly constant and high-level antipathy towards the company (MS), but my view has softened a bit over the past eighteen months or so. My dislike of the company now waxes and wanes, depending on its level of cooperation with the F/LOSS (Free/Libre` Open-Source Software) Community, and on how it wields its patent portfolio. Microsoft has shrewdly embraced some elements of Open-Source philosophy in a bid to remain relevant, but still needs to be watched with a wary eye.

    (I personally think Microsoft's patent suit against Barnes & Noble and Foxconn over the Nook is out of line. But in an interesting and ironic development, Microsoft has managed to escalate the suit brought by i4i over "custom XML" editing support to the U.S. Supreme Court, which could deal a serious blow to software patents if the court rules in favour of Microsoft.)

    However, whenever a company like Microsoft offers its resources to take down a major botnet (and track down its herders while they're at it), its a welcome development.

  10. Anonymous Coward
    Stop

    Money Trail

    "paying at least $10,000 a month "

    That's a lot of money to be moving. What is the status on the money trail? It is a lot easier to move small amounts of money over the net anonymously, so there should be some sort of a trail. I have yet to see any mention of it.

    1. Old Handle

      $10,000 / 26 hosts.

      That's only $385 each, much more manageable. And as someone else said, they're probably using stolen cards or similar.

  11. Anonymous Coward
    WTF?

    Ahh, they were very dangerous, they were harming Pfizer!

    To deserve such an effort a spammer has to cause a pharmaceutical company earn less... as long as you perform other criminal activities, even worse ones, you should be safe enough.

  12. Chaosechoz

    But um.

    Just out of interest, what would really stop these crims from just morphing the thing into something even worse with far more destructive qualities than anything ever seen.. I mean really!!!

    MS is near powerless to stop all these assaults from the home pc users perspective because MS doesn't have the right to run any remote cleaning functions unless its through the AUS (Automatic Update Service).

    Even more worryingly a lot of Home users do not run their updates regularly enough to even do anything to help. My company ran an independent survey ages ago targeting over 1000 Windows base pc users (home / small office environment only) and asked them how often they did the AUS.

    Out of 1000 users only 397 people said they allow it to run automatically without user interaction. The rest said they tend to just leave the notification up and do nothing about it.

    1. Version 1.0 Silver badge
      Happy

      "users do not run their updates regularly"

      Have you ever tried running an update check over a 14kb modem connection?

      I did this recently for the in-laws XP computer ... download time was something like 3 days. On average the modem connection drops every couple of hours.

      1. Andus McCoatover

        14.4kb?

        I don't think you in-laws need worry about Rustock. It would've given up using their machine, as downloading the first 200k would surely look like a duff connection. And, as you say, it'd prolly drop out first.

    2. Dave 3
      Gates Halo

      Defaults to update

      I think the default is to have automatic updates enabled now. So that should change the numbers.

    3. Julius Deane

      Cuz uhh

      The servers responsible for controlling the botnet where seized. Gist of it is that them attempting to re-assert control would be incredibly difficult and risky. Them taking the codebase and re-building it again is on of the major dangers the article talked about, but those machines aren't taking commands anymore.

      I'm just wondering how the legal precedent they've created is going to be misused.

  13. jon 13
    Paris Hilton

    botherder

    Anyone else read bot-herder as bother-der ? No ? Just me then ?

    1. Paul_Murphy

      No, you're not the only one.

      I too see the 'bother' part first before working out the rest of the word isn't right.

      ttfn

  14. Anonymous Coward
    Anonymous Coward

    Now that these engineers are through with the project

    Will they be re-assigned to secure Windows 7 and Server 2008 (and newer versions of each?)

  15. Anonymous Coward
    Paris Hilton

    Where is the income?

    Genuine question: if they were able to pay ~$10k/month in hosting fees, where is the income generated? Who pays them and why?

    Thanks.

    1. Paul_Murphy

      Good questions.

      As also the question:

      How does the money get back to the bot-herders?

      In order for it to be worth their while there must be a mechanism to get money back to the people running the operation - the 'companies' are presumably paying the bot-herders to get people to buy stuff from them,

      Surely that money must be traceable.

      ttfn

  16. Version 1.0 Silver badge
    Happy

    Spam levels anyone?

    I've seen a huge drop in Viagra related spam on my server although the net effect for users seems to have been an increase of spam getting through Spam Assassin ... mostly for Blueberries?

    Time to update Spam Assassin I think.

  17. Ian Ferguson
    Thumb Down

    I fail to see how this is a success

    So they seized 26 servers and disrupted the botnet, but failed to actually identify the people behind it. To criminals making that amount of money, this is not a hardship, just a temporary blip.

  18. dave 46
    Linux

    Windows?

    Users are the problem, they shouldn't be trusted to run their own internet connections and ISPs should have a legal responsibility to prevent crap spewing from their connections.

  19. Peter Griffin
    Badgers

    Monetary Gain

    To Anonymous Coward (2 above):

    Money is made in the spam industry as follows:

    Company A (Producer of inferior quality/fake pharmaceuticals) contacts Company B (Spamming Company) either directly or through an underground message board for people looking for spammers. Spamit was a recent one that got taken down.

    Company B then agrees to email out a large amount of emails for a certain price. I'm not sure of current rates, but it could be something like 5,000 per 1 million emails or what have you.

    Company A makes it profits by having a certain percentage of the people that get the spam (even less then 0.05 percent would give them a good profit) actually purchasing their crapola. Also, they can then, if they wish, potentially take the purchasers credit card details and take them to the cleaners.

    That's how I understand it to be.

    1. Loyal Commenter Silver badge

      Shirley...

      However, why is it not possible to trace the transaction between sucker X and Company A? Particulalry if the sucker is taken to the cleaners and has his credit card maxed out by the scammers, there should be an audit trail from the credit card company. Obviously, there must be some mechanism by which this money is laundered. In my eyes, it is this money laundering operation that should be being targeted by the relevant law enforcement agencies...

  20. JDX Gold badge

    re: No, I won't!

    Surely you realise that if Windows wasn't so dominant, other platforms would be targeted?

    If Linux becomes targeted widely, I don't see them having the resources to fight back like MS are... this is one example where being a super-rich corporation lets you do things others cannot.

  21. techmind
    Happy

    Spam levels way down

    A couple of days ago I checked the serverlogs: over 1 week, the incoming mail was down by a factor of 8 compared to the same week last year. 280-ish emails compared to over 2000 per week the previous year. All but a dozen or two of those are spam.

    Over the past year or so I've found that my low-tech procmail filter, honed over almost a decade, has needed less and less update-work (now only once every couple of months) to keep the passed spam down to a minimal level.

    Would it be premature to call Peak Spam?

  22. Alan Brown Silver badge

    MS action: Nothing to do with operating systems

    And everything to do with MSN/Hotmail being overwhelmed by the volume of SMTP connections - even DNSBL rejects take some effort and tie up resources.

    Personally I'd have liked to see a perp walk but I can understand why MS simply took down the network first - having said that, Rustock's takedown hardly affected our enduser spam volumes, but it dropped connection attempts to the mailswervers by about 50% (we use DNSBL lookups to refuse ~99.5% of all incoming mail before the DATA phase.)

    Given the operators are effectively untouchable by law enforcement I've wondered a few times if "extreme predjudice" operations would be in order.

  23. Alan Brown Silver badge
    Flame

    Money Trail

    It's impossible to follow because these guys recruit mules to shift things from bank to western union, etc.

    A gang tried to recruit me 3 years ago - the Met were thoroughly disinterested in taking any reports.

This topic is closed for new posts.

Other stories you might like