Microsoft takes credit for Rustock shutdown

Microsoft and a range of partners were responsible for the takedown of major spamming botnet Rustock.

Microsoft was responsible for taking down Rustock – the giant spamming botnet which stopped spewing out messages this week.

Researchers from the likes of M86 Security and Symantec were at a loss as to why Rustock activity had ceased, but now Microsoft has explained how the botnet was killed off.

The Redmond firm revealed it took out the botnet as part of Operation b107 – a joint initiative between Microsoft’s Digital Crimes Unit, its Malware Protection Centre and its Trustworthy Computing branch.

The operation saw the connection between Rustock’s command and control structure and the computers operating under its control severed.

To do this, command and control servers had to be seized in numerous hosting locations.

Servers were taken and analysed from five hosting providers in seven cities across the US, including Kansas City, Scranton, Denver, Dallas, Chicago, Seattle and Columbus.

Prior to this, Microsoft and its partners, including FireEye and security experts at the University of Washington, had to prove to the US District Court for the Western District of Washington that Rustock needed taking out.

Pharmaceutical firm Pfizer was brought in as well, as Rustock helped push out significant amounts of spam flogging fake drugs.

Outside of the US, Microsoft worked with the Dutch High Tech Crime Unit within the Netherlands Police Agency to put an end to Rustock activity.

The Redmond firm also blocked registration of domains in China that Rustock could have used for command and control servers.

Come together, right now

“With help from the upstream providers, we successfully severed the IP addresses that controlled the botnet, cutting off communication and disabling it,” said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit, on a blog.

“This case and this operation are ongoing and our investigators are now inspecting the evidence gathered from the seizures to learn what we can about the botnet’s operations.”

He confirmed Microsoft would continue to invest in similar operations in the future. The firm was also a major player in putting an end to the Waledac, or Storm, botnet.

Boscovich called for greater collaboration across industries to reduce botnet activity.

“DCU’s research shows there may be close to one million computers infected with Rustock malware, all under the control of the person or people operating the network like a remote army, usually without the computer’s owner even aware that his computer has been hijacked,” Boscovich added.

“With your help, and the continued public and private cooperation of industry, academia and law enforcement such as Operation b107, we can stop criminals from using botnets to wreak havoc on the internet.”

Last year saw a number of significant botnet takedowns. First came the shutdown of Mariposa, the perpetrators of which were eventually arrested.

The massive Bredolab botnet, which had infected over 30 million computers worldwide, was also brought down.

This article originally appeared at itpro.co.uk

Source: Copyright © ITPro, Dennis Publishing

Comments: 1
photohounds
28 March 2011
It pays to recall that MS, but their services were sufficiently vulnerable to ALLOW the botnets access to millions of spam 'receivers' in the first place. - - - Remember Douglas Adams' quote? "The idea that Bill Gates has appeared like a knight in shining armour to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he, by peddling second rate technology, led them into it in the first place, and continues to do so today." The more things change!
- - - Taking credit is a little cynical in my opinion - but good on them anyway.

