Microsoft Effort Takes Down Massive Botnet
A coordinated effort from Microsoft, security researchers, and law enforcement brought down Rustock, one of the world's largest botnets, on 16 March. The successful botnet eradication effort opened the door to new legal and operational tactics for crippling botnets.
Rustock was the largest source of spam worldwide. The takedown employed a precisely coordinated operation that brought the entire botnet offline before the operators had a chance to respond.
"It's the first botnet takedown we’re aware of that used a civil legal action for any physical seizure of hardware to decapitate the botnet, and this seizure involved a large-scale, multilocation, simultaneous operation to do so," said Richard Boscovich, senior attorney at Microsoft's Digital Crimes Unit. He compared the operation to the Waledac spam botnet takedown, which also combined a legal and technical approach. He expects future botnet takedowns to use the Rustock model. "It appears to have, at least thus far, completely shut down communications in the botnet over a sustained period of time."
A key legal tool was the Lanham Act, which is typically used for seizure orders involving counterfeit goods like knock-off designer handbags or watches. The Act paved the way for Microsoft to secure the seizure order and take the server hard drives as evidence from five hosting providers in seven US cities. "This is the first time the Lanham Act has been applied to take down a botnet and physically take servers as a means of seizing virtual infringing property," said Boscovich.
Biggest Spam Engine
Rustock was first detected in 2006. It evolved into the most prolific spam engine in the world, accounting for 54 percent of all spam traffic, according to a survey last July by security vendor M86. Over a million machines were infected at the peak of its operation. The botnet used a variety of techniques to infect new machines and install a kernel-level driver optimized for spam distribution.
"This botnet was run by professional spammers," said Bradley Anstis, M86 Security's vice president of technical strategy. "The malware was updated constantly and spread by a variety of other downloader malware. It employed sophisticated rootkit techniques to hide itself on the machine." The Rustock malware also encrypted spam templates and changed them frequently.
The first attempt to dismember Rustock was in 2008, with the disconnection of McColo, a California ISP that was responsible for hosting much of the botnet. This effort temporarily reduced spam traffic, but the botnet became more active when the bot herder — that is, its originator — moved the command and control (C&C) servers. "In that case," said Paul Wood, a senior analyst at Symantec's MessageLabs Intelligence, "although spam volumes dropped by as much as two-thirds, the interference wasn't through any legal instruments, and no equipment was seized."
Wood cited Mega-D and Cutwail as two other botnets that security researchers and law enforcement authorities tried to disrupt by taking control of their C&C infrastructures, but without the success achieved in the Rustock takedown.
Mega-D was ultimately brought down when the US Federal Bureau of Investigation apprehended the mastermind attempting to buy a car in Las Vegas, said Lanstein. In 2009, the Federal Trade Commission intervened to terminate the services of Pricewert LLC, an ISP allegedly involved with botnets. But the botnets targeted by this effort were able to move their C&C servers elsewhere within a few hours.
In the wake of the McColo shutdown, Rustock's creators moved the C&C servers across multiuple ISPs across the US. This strategy made it easier to hide the botnet activities because security administrators were less likely to notice traffic to a US-based ISP, said Alex Lanstein, senior security researcher at FireEye, who was involved in the Rustock takedown. But in the end, this also made it easier to target and disable all the C&C servers at once within a minimum of international legal maneuvering.
Microsoft approached various security experts in early 2010 about the most important and easiest-to-address online threats. At the time, Rustock was the largest spam bot, and most of its C&C infrastructure was in the US, said Lanstein. A key consideration of the takedown was to disable all the C&C servers before the bot herder had a chance to respond. "If you leave just one, they can push an update and you have screwed up a year's worth of investigation," said Lanstein.
Microsoft filed for the first restraining order in January 2011. However, owing to the case's novelty, the judge took a month to analyze it before issuing the order. The case was particularly challenging because the bot herder's identity was unknown and residence was likely outside the US.
On 16 March, Microsoft technicians and security experts worked with the US Marshals Service to seize and disable the machines and to ensure that no legitimate businesses were disabled in the process. Microsoft also worked simultaneously with international agencies, including the Dutch High Tech Crime Unit and the China’s National Computer Network Emergency Response Technical Team (CNCERT), to address elements of the command structure operating outside the US.
Boscovich said that all the teams at each location had to move at exactly the same time, to mitigate any chance of tipping off the Rustock bot herders that something was happening before they could completely cut off the botnet’s C&C.
The restraining order granted to Microsoft let it take down the botnet without prior notice, provided it made a good faith effort to notify the unknown defendants. To meet this requirement, Microsoft had established a dedicated website to post legal documentation relevant to the case.
Boscovich said that security analyst reports reports show Rustock’s operations to be essentially flat-lined since the takedown.
"However, both this case and the operation itself are ongoing," he added. "It will take a sustained effort both to ensure the bot herders don't regain control of the botnet and to help remove the Rustock malware from the roughly one million computers around the world that had been under the control of this botnet."
These operations were the first of their kind for Microsoft, Boscovich said, "but they won't be the last. Our goal with these takedowns is to help provide a new means for the technology community, law enforcement, and others to work together to address this significant online threat."
For information on removing Rustock and other botnets: http://support.microsoft.com/botnets
The Rustock legal proceedings are available at www.noticeofpleadings.com.
George Lawton is a freelance journalist and researcher based in Guerneville, California. Contact him at firstname.lastname@example.org.