Microsoft Effort Takes Down Massive Botnet
by George Lawton
A coordinated effort from Microsoft, security researchers, and law enforcement brought down Rustock, one of the world's largest botnets, on 16 March. The successful botnet eradication effort opened the door to new legal and operational tactics for crippling botnets.
Rustock was the largest source of spam worldwide. The takedown employed a precisely coordinated operation that brought the entire botnet offline before the operators had a chance to respond.
"It's the first botnet takedown we’re aware of that used a civil legal action for any physical seizure of hardware to decapitate the botnet, and this seizure involved a large-scale, multilocation, simultaneous operation to do so," said Richard Boscovich, senior attorney at Microsoft's Digital Crimes Unit. He compared the operation to the Waledac spam botnet takedown, which also combined a legal and technical approach. He expects future botnet takedowns to use the Rustock model. "It appears to have, at least thus far, completely shut down communications in the botnet over a sustained period of time."
A key legal tool was the Lanham Act, which is typically used for seizure orders involving counterfeit goods like knock-off designer handbags or watches. The Act paved the way for Microsoft to secure the seizure order and take the server hard drives as evidence from five hosting providers in seven US cities. "This is the first time the Lanham Act has been applied to take down a botnet and physically take servers as a means of seizing virtual infringing property," said Boscovich.
Biggest Spam Engine
Rustock was first detected in 2006. It evolved into the most prolific spam engine in the world, accounting for 54 percent of all spam traffic, according to a survey last July by security vendor M86. Over a million machines were infected at the peak of its operation. The botnet used a variety of techniques to infect new machines and install a kernel-level driver optimized for spam distribution.
"This botnet was run by professional spammers," said Bradley Anstis, M86 Security's vice president of technical strategy. "The malware was updated constantly and spread by a variety of other downloader malware. It employed sophisticated rootkit techniques to hide itself on the machine." The Rustock malware also encrypted spam templates and changed them frequently.
The first attempt to dismember Rustock was in 2008, with the disconnection of McColo, a California ISP that was responsible for hosting much of the botnet. This effort temporarily reduced spam traffic, but the botnet became more active when the bot herder — that is, its originator — moved the command and control (C&C) servers. "In that case," said Paul Wood, a senior analyst at Symantec's MessageLabs Intelligence, "although spam volumes dropped by as much as two-thirds, the interference wasn't through any legal instruments, and no equipment was seized."
Wood cited Mega-D and Cutwail as two other botnets that security researchers and law enforcement authorities tried to disrupt by taking control of their C&C infrastructures, but without the success achieved in the Rustock takedown.
Mega-D was ultimately brought down when the US Federal Bureau of Investigation apprehended the mastermind attempting to buy a car in Las Vegas, said Lanstein. In 2009, the Federal Trade Commission intervened to terminate the services of Pricewert LLC, an ISP allegedly involved with botnets. But the botnets targeted by this effort were able to move their C&C servers elsewhere within a few hours.
In the wake of the McColo shutdown, Rustock's creators moved the C&C servers across multiple ISPs across the US. This strategy made it easier to hide the botnet activities because security administrators were less likely to notice traffic to a US-based ISP, said Alex Lanstein, senior security researcher at FireEye, who was involved in the Rustock takedown. But in the end, this also made it easier to target and disable all the C&C servers at once with a minimum of international legal maneuvering.
The Takedown
Microsoft approached various security experts in early 2010 about the most important and easiest-to-address online threats. At the time, Rustock was the largest spam bot, and most of its C&C infrastructure was in the US, said Lanstein. A key consideration of the takedown was to disable all the C&C servers before the bot herder had a chance to respond. "If you leave just one, they can push an update and you have screwed up a year's worth of investigation," said Lanstein.
Microsoft filed for the first restraining order in January 2011. However, owing to the case's novelty, the judge took a month to analyze it before issuing the order. The case was particularly challenging because the bot herder's identity was unknown and their residence was likely outside the US.
On 16 March, Microsoft technicians and security experts worked with the US Marshals Service to seize and disable the machines and to ensure that no legitimate businesses were disabled in the process. Microsoft also worked simultaneously with international agencies, including the Dutch High Tech Crime Unit and China's National Computer Network Emergency Response Technical Team (CNCERT), to address elements of the command structure operating outside the US.
Boscovich said that all the teams at each location had to move at exactly the same time, to mitigate any chance of tipping off the Rustock bot herders that something was happening before they could completely cut off the botnet’s C&C.
The restraining order granted to Microsoft let it take down the botnet without prior notice, provided it made a good faith effort to notify the unknown defendants. To meet this requirement, Microsoft had established a dedicated website to post legal documentation relevant to the case.
The Upshot
Boscovich said that security analyst reports show Rustock's operations to be essentially flat-lined since the takedown.
"However, both this case and the operation itself are ongoing," he added. "It will take a sustained effort both to ensure the bot herders don't regain control of the botnet and to help remove the Rustock malware from the roughly one million computers around the world that had been under the control of this botnet."
These operations were the first of their kind for Microsoft, Boscovich said, "but they won't be the last. Our goal with these takedowns is to help provide a new means for the technology community, law enforcement, and others to work together to address this significant online threat."
For information on removing Rustock and other botnets: http://support.microsoft.com/botnets
The Rustock legal proceedings are available at www.noticeofpleadings.com.
George Lawton is a freelance journalist and researcher based in Guerneville, California. Contact him at glawton@glawton.com.